3 min to read
Networked | Hackthebox write up
Brought to you by
@SpengeSec on twitter
Start by editing /etc/hosts
Like always we add the IP of the box to our hosts file as (possible) domain networked.htb
Using sudo nano /etc/hosts
And saving with ctrl + o followed by ctrl + x to exit nano.
NMAP ~ Enumeration
To begin enumerating i start off with a nmap scan on the target. I’ve gotten a bash script that automates scanning, which comes in very handy if you’re taking the OSCP exam. In all the write ups ill be using this script.
But a nmap -p- -sT -sV -sC -oN initial-scan luke.htb, gobuster & nikito will be sufficient too.
You can find the script i use here: click
Since we used the enumeration script, it also did a nikto scan for enumeration.
This resulted in finding the /backup/ directory.
Backup.tar has been found!
Inside of this directory we found and had access to download the following:
Upon extraction we were greeted with a backup of source code used on this webserver.
Exploitation ~ Gaining foothold
After reading the upload.php source code, I knew the upload system could be manipulated to accept other files than just image files. I could use this to upload a reverse shell.
So I quickly crafted a .php reverse shell, but on top I placed the image code: GIF89a;
This uploaded without any issue, the message were greeted with is to ‘refresh the gallery’ and we know there is a photos.php file, so I quickly navigated there.
This was our reverse shell! I had started a netcat listener using nc -lnvp 9999 before navigating to this page, and got a connection back!
Upon doing a ‘whoami’ we can see we currently are authenticated as the ‘apache’ user.
This is a low privilege user, and we should find a way to gain access with more privileges.
Gaining access as user ‘Guly’
As you can see, we don’t have the rights to cat this user.txt file inside /home/guly/ lets find a way to escape. We can see there’s a crontab job running, and an interesting file ‘check_attack.php’ I went to analyze this .php file and found the following:
The check_attack.php file has a $path variable set, pointing to /var/www/html/uploads. Our reverse shell was uploaded to this directory, and thus we have execute rights in this folder and can write to it. We can manipulate the index.html to include a command, and this would be executed duo to the check_attack.php file and its cronjob.
We set up a netcat listener on port 9998, and now all we do is wait for the cronjob to be executed. We now have user access and should be able to read the user.txt file without any issue!
Gaining Root access
As always after gaining access to a new user, we should begin enumerating.
Upon inserting ‘sudo -l’ we can see that we are authorized to execute something as sudo, without having to input the sudo password! So lets investigate this file, and what it does. As we can see, the variables NAME, PROXY_METHOD, BROWSER_ONLY,BOOTPROTO… must match the regex highlighted above. So we can try and manipulate these input fields to execute a shell of ours. First I went ahead and crafted another reverse shell on port 9997, and set up a nc listener on my host machine. Followed by a chmod +x /tmp/shell to gain execution rights on this file. I then went ahead and used the ‘sh’ command to execute the contents of this file as if it were typed inside of the terminal. And we’re greeted with a shell on our listener! Now all there is to do, is quickly navigate to /root and grab the root.txt flag!