Networked | Hackthebox write up


Brought to you by

Spenge @hackthebox.eu

@SpengeSec on twitter

Start by editing /etc/hosts

As always, we add the IP of the box to our hosts file with the (presumed) domain networked.htb.

Using sudo nano /etc/hosts


Save with Ctrl+O, then exit nano with Ctrl+X.

NMAP ~ Enumeration

To begin enumerating, I start off with an nmap scan of the target. I've written a bash script that automates scanning, which comes in very handy if you're taking the OSCP exam. In all the write-ups I'll be using this script.
But an nmap -p- -sT -sV -sC -oN initial-scan luke.htb, plus gobuster and nikto, will be sufficient too.
You can find the script I use here: click


Since we used the enumeration script, it also ran a nikto scan as part of the enumeration.
This resulted in finding the /backup/ directory.
backup.tar has been found!

Inside this directory we found, and were able to download, the following:

Upon extraction we were greeted with a backup of source code used on this webserver.


Exploitation ~ Gaining foothold

After reading the upload.php source code, I knew the upload system could be manipulated to accept other files than just image files. I could use this to upload a reverse shell.

So I quickly crafted a .php reverse shell, but at the top of it I placed the GIF file signature: GIF89a;


This uploaded without any issue. The message we were greeted with says to 'refresh the gallery', and we know there is a photos.php file, so I quickly navigated there.


This was our reverse shell! I had started a netcat listener using nc -lnvp 9999 before navigating to this page, and got a connection back!

Upon running 'whoami' we can see we are currently authenticated as the 'apache' user.

This is a low-privilege user, so we should find a way to gain access with more privileges.

Gaining access as user ‘Guly’

As you can see, we don't have the rights to cat the user.txt file inside /home/guly/, so let's find a way to escalate. We can see there's a crontab job running, and an interesting file 'check_attack.php'. I analyzed this .php file and found the following:

The check_attack.php file has a $path variable set, pointing to /var/www/html/uploads. Our reverse shell was uploaded to this directory, so we have execute rights in this folder and can write to it. We can manipulate the index.html to include a command, and this would be executed due to the check_attack.php file and its cronjob.

We set up a netcat listener on port 9998, and now all we do is wait for the cronjob to be executed. We now have user access and should be able to read the user.txt file without any issue!
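The defender's counterpart to the two weaknesses used above (an upload check that is satisfied by a GIF89a; prefix on a PHP file, and a cron job acting on files in the uploads directory): an added Python example, not code from the box or the author, that validates an upload by file signature, extension agreement, embedded PHP tags and a conservative filename policy. The sample uploads are constructed inline.

```python
import re

# File signatures accepted for image uploads (checked on the bytes, not the extension).
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# A PHP open tag anywhere in the body; a genuine image never needs one.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# One extension, no shell metacharacters: a scheduled job that hands the
# name to a shell then has nothing to misinterpret.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)$", re.IGNORECASE)


def detect_image_type(data: bytes):
    """Return 'gif', 'png' or 'jpeg' from the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def contains_php(data: bytes) -> bool:
    """True if a PHP open tag appears anywhere in the payload."""
    return PHP_TAG.search(data) is not None


def validate_upload(filename: str, data: bytes):
    """Decide whether an upload is accepted; returns (accepted, reason)."""
    if not SAFE_NAME.match(filename):
        return False, "bad filename"
    kind = detect_image_type(data)
    if kind is None:
        return False, "no image signature"
    ext = filename.rsplit(".", 1)[1].lower().replace("jpg", "jpeg")
    if ext != kind:
        return False, "extension does not match content"
    if contains_php(data):          # the GIF89a; + PHP polyglot fails here
        return False, "php tag inside image"
    return True, "ok"


# Constructed samples, not files from the box.
SAMPLES = {
    "cat.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 12 + b";",
    "photo.gif": b"GIF89a;\n<?php echo 'polyglot'; ?>\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "a;b.gif": b"GIF89a" + b"\x00" * 8,
}
```

Running validate_upload over SAMPLES accepts only cat.gif and logo.png; the polyglot is rejected on content and the metacharacter name on filename.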

Gaining Root access

As always, after gaining access as a new user we should begin enumerating.
Upon running 'sudo -l' we can see that we are authorized to execute something as sudo, without having to input the sudo password!

So let's investigate this file and what it does. As we can see, the variables NAME, PROXY_METHOD, BROWSER_ONLY, BOOTPROTO... must match the regex highlighted above. So we can try to manipulate these input fields to execute a shell of ours.

First I went ahead and crafted another reverse shell on port 9997, and set up a nc listener on my host machine. This was followed by a chmod +x /tmp/shell to gain execution rights on this file. I then went ahead and used the 'sh' command to execute the contents of this file as if it were typed inside the terminal. And we're greeted with a shell on our listener!

Now all there is to do is quickly navigate to /root and grab the root.txt flag!