Networked - Hack The Box
Enumeration
Nmap
The initial nmap scan revealed that the HTTP and SSH ports were open.
Website
I visited the website and found that it was empty.
So I ran directory brute forcing with gobuster and found some valid endpoints.
The backup endpoint included a tar file.
Analyze Backup Files
The backup contained the PHP files of the website, so I started by analyzing upload.php and lib.php.
As you can see, the following steps are executed when a file is uploaded:
- The script checks the file length, the MIME type (image/…), the file magic bytes and finally the file extension.
- If the file passes as an image, the script takes the client IP (for example 10.10.16.6), replaces the dots with _, appends the extension and writes the file to /var/www/html/uploads/. So if I upload a file named test.png it is saved as 10_10_16_6.png in the uploads folder.
Exploitation
File Upload
After that I tried a null byte (%00) bypass, but it did not work. Later I found out that a misconfigured Apache server can interpret double extensions as PHP, so if I upload test.php.png it will be executed as PHP. This Acunetix blog explains it in detail.
Then I uploaded a PHP reverse shell named in that format.
Visiting the uploaded page got me a reverse shell as apache.
Lateral Movement
I could not read the user flag, but in the user's home directory there was a cron file that ran a PHP file every 3 minutes.
As seen above, the PHP file checks the uploads folder and directly concatenates the file names in it into a bash command, so we can control $value and inject a command. So I created a file named ‘nc
Then I started a netcat listener and got a user shell.
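The upload naming logic and the cron script's file-name handling described above, rewritten defensively, as an added example (this is not the box's own upload.php, lib.php or cron script; the function names and the allow-list are my own):

```php
<?php
// Added hardening example, not the box's code. Assumed function names.
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif'];

// Accept only one allow-listed extension. A name with more than one dot
// (e.g. "x.php.png") is rejected outright instead of being split on the
// first dot, so a second, hidden extension never reaches the stored name.
function safe_extension(string $clientName): ?string {
    $parts = explode('.', basename($clientName));
    if (count($parts) !== 2) {
        return null;
    }
    [$stem, $ext] = $parts;
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $stem)) {
        return null;
    }
    $ext = strtolower($ext);
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// The stored name is built from the validated client IP plus the validated
// extension, so no other client-supplied bytes reach the file system.
function stored_name(string $clientIp, string $clientName): ?string {
    $ext = safe_extension($clientName);
    if ($ext === null || !filter_var($clientIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return null;
    }
    return str_replace('.', '_', $clientIp) . '.' . $ext;
}

// Cron-side check: a file in uploads/ must look exactly like something
// stored_name() would have produced; anything else is skipped, never run.
function is_expected_upload_name(string $file): bool {
    $extPattern = implode('|', ALLOWED_EXT);
    return preg_match('/^\d{1,3}(_\d{1,3}){3}\.(' . $extPattern . ')$/', $file) === 1;
}

// If the path must still go through a shell, pass it as one quoted
// argument instead of concatenating it into the command string.
function shell_safe_path(string $dir, string $file): string {
    return escapeshellarg($dir . '/' . basename($file));
}

foreach (['test.png', 'test.php.png', 'a b.png'] as $name) {
    printf("%-14s stored as: %s\n", $name, stored_name('10.10.16.6', $name) ?? '(rejected)');
}
```

On the web server side the matching fix is to run the PHP handler only for names that end in .php (a FilesMatch on "\.php$") rather than an AddHandler rule, which matches the extension anywhere in a multi-extension name.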
Privilege Escalation
The user can run a script with sudo without a password, and this script modifies a network-script file.
So I searched for “/etc/sysconfig/network-scripts/ifcfg privesc” and found a post named Redhat/CentOS root through network-scripts.
Applying the technique in this post got me the root shell.
Pwned
The machine was fully compromised.