Published on

Hack The Box - Networked

We are going to pwn Networked from Hack The Box.

Link : https://www.hackthebox.eu/home/machines/profile/203

Like always begin with our Nmap Scan.

Nmap Scan Results

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https


PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.18 (91%), Linux 3.2 - 4.9 (91%), Linux 3.16 (90%), Linux 4.4 (90%), Crestron XPanel control system (89%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (89%), Linux 3.11 - 3.12 (89%), HP P2000 G3 NAS device (89%), Linux 3.13 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

HTTP Enumeration

Lets Begin with HTTP

Looks like a normal webpage , run our Gobuster to get any useful directories.

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.146
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/03 09:31:00 Starting gobuster
===============================================================
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/backup (Status: 301)
/cgi-bin/ (Status: 403)
/index.php (Status: 200)
/uploads (Status: 301)
===============================================================
2020/01/03 09:33:22 Finished
===============================================================

While Checking /backup found backup.tarbr/

So I dowloaded it to my machine , to see whats inside.br/ br/ It has some php file maybe webpages of the machine

While seeing the code upload.php as some filter process. It accepts only jpg,png,gif,jpeg.br/

File Upload Vulnerability

Upload.phpbr/

photos.phpbr/ Looks like we can view uploaded files in photos.php.

So I created my payload br/ br/ By adding GIF89 on the first it makes the payload as .gif br/

I uploaded my payload in upload.phpbr/

Started my listener and reloaded photos.phpbr/ br/ I got the shell!!

Getting User Shell

While Checking Home directory there is a file called check_attack.phpbr/

While reading it I came to know it executes nohup

nohup - run a command immune to hangups, with output to a non-tty

And nohup do force rm all files(value)inthefolder(value) in the folder (path).

rm - remove files or directories
-f - force

The path is defined as var/www/html/uploads. So we need to hijack it.

I created a file that hold payload in its name. By using semicolon in the beginning it makes the nohup to end after it rm and then exec nc.

Started my listener

I got the user shell!!

Privilege Escalation

As always I started with sudo -l

We can run changename.sh as root without password. So I tested to see how it works.

br/ It Looks like some network-scripts

While searching I got this

https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f

By doing so I injected /bin/bash with NAME And I got the Root Shell