Wall

Information Gathering

Nmap Port Scan

Screenshot

Nmap Script Scan

Screenshot

Service Enumeration

Nikto Web Scan on Port 80

Screenshot

FFuF Web Enumeration

Screenshot

Gobuster Directory Enumeration

Screenshot

Web Service Enumeration

Screenshot

/monitoring Endpoint

Screenshot

Penetration

HTTP Verb Tampering

While we cannot access the /monitoring endpoint through the browser, moving the request into Burp Suite and simply changing the HTTP verb lets us bypass the basic authentication in front of it. Doing so lands us on a Centreon login page, and we now hold a valid PHPSESSID from the bypassed authentication to use for further enumeration.
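As an added example (not from the original post), here is a small Python detector for this class of bypass, run over constructed Apache access-log lines: it flags a client that was refused on the protected /monitoring path with one HTTP method and then received a success response there using a different method. The IPs, timestamps and log lines are constructed; the usual server-side root cause is an access-control rule that lists specific methods instead of denying everything not explicitly allowed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not from the original post).
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2019:12:00:01 +0000] "GET /monitoring/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2019:12:00:03 +0000] "GET /monitoring/ HTTP/1.1" 401 456 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2019:12:00:09 +0000] "POST /monitoring/ HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Oct/2019:12:00:15 +0000] "GET /centreon/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.7 - - [10/Oct/2019:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "curl/7.64"
"""

# Client IP, timestamp, request line (method, path, protocol) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_verb_tampering(log_text, protected_prefix="/monitoring"):
    """Return (ip, method, path) for clients that were denied (401/403) on a protected
    path with one method and later succeeded (2xx/3xx) on the same path with another."""
    denied = defaultdict(set)  # (ip, path) -> methods that were refused
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(protected_prefix):
            continue
        key = (rec["ip"], rec["path"])
        if rec["status"] in (401, 403):
            denied[key].add(rec["method"])
        elif 200 <= rec["status"] < 400 and denied[key] and rec["method"] not in denied[key]:
            hits.append((rec["ip"], rec["method"], rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, method, path in find_verb_tampering(SAMPLE_LOG):
        print(f"possible verb tampering: {ip} reached {path} via {method} after being denied")
```

Only a success that follows a denial on the same path from the same client is reported, so ordinary authenticated access or unrelated 200s never trigger the check.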

Screenshot

Centreon Login Enumeration

The Centreon service does not use default or common credentials. The page source also contains a CSRF token named centreon_token, which will make a password brute force very difficult, as the value changes with each request, as is its intended purpose.

Screenshot

Centreon Admin Password Brute Forcing

A Python script from GitHub can be easily modified to use the CSRF token each time the web page is loaded. The process is documented as follows:

admin:password1

Screenshot

Centreon Administrator Dashboard Enumeration

Screenshot

Centreon RCE - CVE-2019-13024

The article linked below documents the exploitation of CVE-2019-13024. A parameter in the Centreon dashboard that allows users to run scripts on startup can be escaped to run shell-level commands on the target server. A WAF appears to reject submissions containing spaces, but the special ${IFS} variable can be used in place of spaces so that the reverse shell one-liner still runs.

https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/

Screenshot

Backup Python Binary

A non-standard binary named backup in /opt/.shelby appears to be a byte-compiled Python 2.7 program. Running it gives very little output, so we base64-encode it to exfiltrate it to our attacking machine. After successful exfiltration, we can use uncompyle6 to decompile the Python bytecode. The decompiled source contains credentials for the shelby user.

Screenshot

shelby:ShelbyPassw@rdIsStrong!

Shelby User Shell

Screenshot

Privilege Escalation

SUID Binary Enumeration

Screenshot

Screen 4.5.0 SUID Exploitation

The shelby user can execute the SUID binary located at /bin/screen. This specific version, Screen 4.5.0, has a published code execution exploit that abuses the SUID bit to run OS commands as root on the target server.

https://www.exploit-db.com/exploits/41154

Screenshot