We are going to pwn Networked from Hack The Box.
Like always begin with our Nmap Scan.
Nmap Scan Results
PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp closed https PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4 (protocol 2.0) | ssh-hostkey: | 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA) | 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA) |_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519) 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16) |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16 |_http-title: Site doesn't have a title (text/html; charset=UTF-8). 443/tcp closed https Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.18 (91%), Linux 3.2 - 4.9 (91%), Linux 3.16 (90%), Linux 4.4 (90%), Crestron XPanel control system (89%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (89%), Linux 3.11 - 3.12 (89%), HP P2000 G3 NAS device (89%), Linux 3.13 (88%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops
Lets Begin with HTTP
Looks like a normal webpage , run our Gobuster to get any useful directories.
=============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.10.146 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/01/03 09:31:00 Starting gobuster =============================================================== /.htpasswd (Status: 403) /.hta (Status: 403) /.htaccess (Status: 403) /backup (Status: 301) /cgi-bin/ (Status: 403) /index.php (Status: 200) /uploads (Status: 301) =============================================================== 2020/01/03 09:33:22 Finished ===============================================================
So I dowloaded it to my machine , to see whats inside.
It has some
php file maybe webpages of the machine
While seeing the code
upload.php as some filter process. It accepts only jpg,png,gif,jpeg.
File Upload Vulnerability
Looks like we can view uploaded files in
So I created my payload
GIF89 on the first it makes the payload as
I uploaded my payload in
Started my listener and reloaded
I got the shell!!
Getting User Shell
While Checking Home directory there is a file called
While reading it I came to know it executes
nohup - run a command immune to hangups, with output to a non-tty
nohup do force
rm all files($value) in the folder ($path).
rm - remove files or directories -f - force
The path is defined as
So we need to hijack it.
I created a file that hold payload in its name. By using semicolon in the beginning it makes the
nohup to end after it
rm and then exec
Started my listener
I got the user shell!!
As always I started with
We can run
changename.sh as root without password.
So I tested to see how it works.
It Looks like some network-scripts
While searching I got this
By doing so I injected
And I got the Root Shell