Nopal EchoCTF
Difficulty = Intermediate
IP Address = 10.0.30.124
Nmap Scan:
Only 1 TCP port open
Checking the web server shows an instance of Cacti
I searched for default credentials but couldn’t find any
The web page shows the version: Cacti Version 1.2.8
Searching for an exploit leads here: Exploit
Running the exploit gives a shell
Stabilizing the shell
python3 -c "import pty; pty.spawn('/bin/bash')"
export TERM=xterm
CTRL+Z
stty raw -echo;fg
Looking for internal services shows that the SNMP port is open
Reading the config file shows that the community string is public
It also has an extend directive that runs /tmp/snmpd-tests.sh
What extend does is make snmpd run the specified file as a bash script whenever an SNMP walk is performed
With that we can get code execution
Here’s the resource that helped me out: HackTricks
I’ll create the file snmpd-tests.sh in the /tmp directory and add the content of a bash reverse shell
With that I’ll set a listener on port 1337 and run the snmpwalk command
cd /tmp
snmpwalk localhost -c public -v1 .
Running it pops our shell 🤓
And we’re done xD
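The two snmpd.conf weaknesses this box relies on (the public community string and an extend entry pointing at a script under /tmp) can be caught with a small config audit. This is an added example, not part of the original write-up; the sample config is constructed, the list of world-writable directories is an assumption, and the optional extend OID is assumed to be written with a leading dot.

```python
import shlex

# Directories any local user can normally write to (assumed list).
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}

# Constructed sample, modelled on what the write-up describes.
SAMPLE_CONF = """\
# constructed sample snmpd.conf
agentAddress udp:127.0.0.1:161
rocommunity public localhost
extend snmpd-tests /bin/bash /tmp/snmpd-tests.sh
extend .1.3.6.1.4.1.2021.51 uptime /usr/bin/uptime
"""


def audit_snmpd_conf(text):
    """Return a list of (line_number, issue, detail) findings."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY_DIRECTIVES and args:
            # Well-known community strings are the first thing anyone tries.
            if args[0] in DEFAULT_COMMUNITIES:
                findings.append((lineno, "default-community", args[0]))
        elif directive == "extend" and args:
            # Syntax: extend [MIBOID] NAME PROG [ARGS]; skip the optional OID.
            if args[0].startswith("."):
                args = args[1:]
            # PROG or any argument living in a world-writable directory means
            # an unprivileged user can replace what snmpd executes.
            for token in args[1:]:
                if token.startswith(WORLD_WRITABLE):
                    findings.append((lineno, "extend-in-writable-dir", token))
    return findings


if __name__ == "__main__":
    for finding in audit_snmpd_conf(SAMPLE_CONF):
        print("line %d: %s (%s)" % finding)
```

Moving the extend script to a root-owned path outside /tmp and replacing the public community string clears both findings.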