Hack The Box Networked Writeup – 10.10.10.146

Hack The Box Networked is an easy Linux machine.

Let's start with an nmap port scan as usual.

I found two ports open, with OpenSSH and an Apache webserver. Since both services are updated with the latest versions, I thought it would be a waste of time to look for exploits and concentrated on webserver enumeration.

The webserver does not have much information; however, I found an interesting piece of information in the source code.

I knew that there was something behind this webserver, so I decided to brute-force directories using GoBuster. I'm using "directory-list-2.3-medium.txt". After running for a while, GoBuster discovered a few virtual directories as below:

I started looking at the directories one by one, but started with /backup because it seemed interesting to me. I navigated to /backup and saw a backup.tar.

I downloaded the backup.tar for further analysis; there are a couple of PHP files: upload.php and lib.php.

After analyzing the upload.php and lib.php files, I understood that upload.php calls the check_file_type function in lib.php, which in turn calls the file_mime_type function, also in lib.php. It calls some functions of the PHP standard library, which use magic bytes to check whether the file is an image.

I will use my favourite PHP reverse shell (from pentestmonkey) and append 'magicbytes' to the start of the file. This makes the mimetype check PHP is using think it is an image file. 🙂

Here is my final reverse shell script: (12345.php.gif)

The reverse shell was uploaded successfully using /upload.php

Here is my reverse shell PHP file disguised as a GIF file.
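Why the upload check described above passes such a file, next to a stricter variant, as an added PHP example that is not the code from backup.tar or from the author. The function names, the allow-list and the sample file are assumptions; the sample is a constructed file holding GIF magic bytes followed by plain text.

```php
<?php
// Added illustration; names are hypothetical, not taken from lib.php.

// Content-only check, the pattern the writeup describes: whatever the file is
// called, it passes as long as its leading bytes look like an image.
function weak_is_image(string $path): bool
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) && strpos($mime, 'image/') === 0;
}

// Stricter check: sniffed type and extension must agree, the client name may
// contain exactly one dot, and the stored name is generated server-side.
// Returns the name to store the file under, or null to reject the upload.
function safe_stored_name(string $path, string $clientName): ?string
{
    $allowed = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        return null;                       // not an allow-listed image type
    }
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;                       // rejects double extensions such as name.php.gif
    }
    $ext = $parts[1] === 'jpeg' ? 'jpg' : $parts[1];
    if ($ext !== $allowed[$mime]) {
        return null;                       // extension disagrees with content
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;   // never reuse the client name
}

// Constructed sample: GIF magic bytes followed by plain text, no real image data.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "GIF89a\nconstructed placeholder text, not image data\n");

printf("weak check accepts sample:  %s\n", var_export(weak_is_image($tmp), true));
foreach (['12345.php.gif', 'holiday.gif', 'holiday.png'] as $name) {
    $stored = safe_stored_name($tmp, $name);
    printf("%-14s -> %s\n", $name, $stored ?? 'rejected');
}
unlink($tmp);
```

Controlling the stored name keeps the server from treating the upload as a script, but the content check alone does not prove the file is a real image. Serving uploads from a directory where PHP execution is disabled remains the backstop.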

I ran ncat from my terminal and reloaded the photo gallery; I had the reverse shell as apache immediately.

Privilege Escalation

I have the reverse shell, but it's as the user apache, who is a low-privilege user. Looking at the directories, I found that there is a user named "guly". There are files in the /home/guly directory that seemed interesting to me ('crontab.guly' and 'check_attack.php'). Looking at the files, I understood that crontab.guly is set to run check_attack.php every 3 minutes.

Here is the content of check_attack.php

The code basically says that all the files in the uploads folder that I previously uploaded are being deleted. If we look closely at the code, this line in particular stands out:

The value variable holds the name of a file, and I can name it in such a way as to execute code! As user apache I have write access in that directory, so all I need to do is go to the directory and create an appropriately named file.

Then I started to listen on port 3333 and waited for the program to run, and in a couple of minutes I had the reverse shell as guly.

The user.txt was in guly's home directory.

Getting the Root.txt

Running “sudo -l” I saw

It means I can run this changename.sh file as root without a password.

The box is vulnerable to this: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f

And I got the root.txt

Thanks for reading.


Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
