HackTheBox – Cerberus

00:00 – Introduction
01:00 – Start of nmap
02:00 – Looking at the TTL of ping to see it's 127, then making a request to the webserver and seeing it is 62
03:45 – Showing DNS is listening on Cerberus and exposing the 172.16.22.0/24 network
05:15 – Looking at Icinga, testing default credentials
06:20 – Fingerprinting the Icinga release by looking at JavaScript, using UI.JS since it looks like it changes frequently
09:05 – Cloning the repo, then writing a one-liner to hash all versions of ui.js and finding which commit the version off the webserver is on
12:10 – Finding a File Disclosure vulnerability in Icinga CVE-2022-24716, leaking some Icinga configuration files and finding a web user's password
16:20 – Gaining RCE via CVE-2022-24715, which allows us to write a file to disk then change where the Icinga plugin directory is to get code execution
25:30 – Shell as www-data, doing some basic recon to figure out what type of virtual environment we are in via /sys/class/dmi/id/sys_vendor
29:00 – Looking at running processes and seeing sssd is running which allows this box to talk to the domain
30:00 – Looking at SetUID Files, discovering FireJail and privesc’ing CVE-2022-31214
36:00 – As root on Linux, we can now examine the SSSD configuration and get a domain password
44:50 – Setting up a SOCKS proxy via chisel, so we can use Evil-WinRM to log into the Windows machine as Matthew
48:50 – Discovering ManageEngine ADSelfService Plus is running, finding an exploit
52:50 – Fighting with Chisel to get all the port forwards working, have trouble with two socks proxies
01:00:00 – Redoing our tunnels, doing a port forward on Linux to get Evil-WinRM, then a SOCKS proxy on our Windows target to access ManageEngine
01:06:10 – Running the Metasploit exploit against ManageEngine and getting root