cwoellner.com ~ personal website & blog

Writeup of Networked From HackTheBox

Published on: Monday, Jul 15, 2019

Getting a Shell

We start off by running a simple nmap scan, which reveals port 80 open and serving HTTP.

The landing page itself doesn't provide much information, but the page source references a few pages that aren't linked from it.

One dirbuster run later we find a couple of pages. The most notable are upload.php, which allows us to upload images, and the backup/ directory, which contains the PHP source code for all pages.

Looking at the source code, two things are checked during the file upload: the file extension and the MIME type. The MIME type check requires the detected type to be image/* and a valid image header and footer, so a bare PHP file is rejected. This can be bypassed with Burp Suite: grab an existing image from the gallery, re-upload it, and insert our PHP code in the middle of the file, where neither the extension check nor the header check looks. The code inserted is the PHP webshell from OWASP, found here

User Access

We then use the webshell to execute netcat in order to get a shell that's easier to work with. We now have a shell as the user the web server runs as, which lets us read most files and write into the HTML folder. Next we look through the home directory of the only user on this machine, guly. There we find a cron job that executes the check_attack.php script every 3 minutes.

This script has a critical mistake in the second command from the bottom: an rm shell command followed by two variables. The first variable is fixed, but we control the second one, because it is the name of a file in a directory we can write to. All we have to do is create a file with touch and name it `; [our command]`. The command we choose is once again a netcat shell. Once the cron job runs, we obtain a shell as guly.
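The following is an added example, not the box's check_attack.php: a stand-in for the cron job's cleanup loop, run once with the file name pasted straight into the shell string and once with it quoted. Only the shape of the command (rm, a fixed directory, then an attacker-named file) follows the writeup; the directory layout, the marker file and the `touch pwned` payload are constructed here for the demo.

```python
# Added example (not the box's check_attack.php): a stand-in for the cron job's
# cleanup loop, run vulnerable and then with the file name quoted. Directory
# layout, marker file and the "touch pwned" payload are constructed for the demo.
import os
import shlex
import subprocess
import tempfile


def build_command(path: str, value: str) -> str:
    """Vulnerable shape from the writeup: rm, a fixed directory, then an
    attacker-chosen file name, all pasted into one shell string."""
    return f"rm -f {path}{value}"


def build_command_safe(path: str, value: str) -> str:
    """Same command with the untrusted name quoted (escapeshellarg() in PHP)."""
    return f"rm -f {shlex.quote(path + value)}"


def run_cleanup(workdir: str, command: str) -> None:
    """The cron job hands the string to a shell; so do we."""
    subprocess.run(["sh", "-c", command], cwd=workdir, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def demo(safe: bool) -> dict:
    """Plant a file named '; touch pwned' and let the cleanup loop run over it."""
    with tempfile.TemporaryDirectory() as home:
        attack_dir = os.path.join(home, "tmp") + "/"
        os.mkdir(attack_dir)
        # File names cannot contain '/', which is why the real payload is a bare
        # nc command rather than a path; here the smuggled command is 'touch pwned',
        # which lands in the shell's working directory.
        evil_name = "; touch pwned"
        open(os.path.join(attack_dir, evil_name), "w").close()
        cmd = ""
        for name in os.listdir(attack_dir):
            cmd = build_command_safe(attack_dir, name) if safe else build_command(attack_dir, name)
            run_cleanup(home, cmd)
        return {
            "command": cmd,
            "marker_created": os.path.exists(os.path.join(home, "pwned")),
            "file_removed": not os.path.exists(os.path.join(attack_dir, evil_name)),
        }


if __name__ == "__main__":
    for safe in (False, True):
        r = demo(safe)
        print("quoted" if safe else "vulnerable", r)
```

In the vulnerable run the shell sees `rm -f .../tmp/; touch pwned`: rm fails on the directory, the `;` ends that command, and `touch pwned` runs as whoever owns the cron job. With the name quoted, rm receives the whole string as one argument and simply deletes the oddly named file.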

Root Access

The next step is to find a privilege escalation. This is often achieved through sudo privileges, which we can list with sudo -l.

As we can see, guly is able to execute the changename.sh script as root. The script writes our input into a network script and then executes it. The solution is quite simple: the network script is sourced by the shell, so by adding a space to any of the values, everything after the space is interpreted as a command and executed. More information on this can be found here
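An added example, not changename.sh or the network scripts themselves, showing why that space matters: a minimal ifcfg-style file is handed to sh to source, once with a plain NAME value and once with `eth0 touch ran`, beside a strict parser that reads the same file without executing it. The file layout, the `guly0` device name and the `touch ran` command are assumptions made for the demo.

```python
# Added example (not changename.sh or the network scripts themselves): what
# happens when a shell sources a KEY=value file that contains a space, beside a
# parser that reads the same file without executing it. The ifcfg-style file,
# its values and the "touch ran" command are constructed here for the demo.
import os
import re
import subprocess
import tempfile


def write_ifcfg(dirpath: str, name_value: str) -> str:
    """Write a minimal ifcfg-style file; NAME carries the user-supplied value."""
    path = os.path.join(dirpath, "ifcfg-guly")
    with open(path, "w") as f:
        f.write(f"DEVICE=guly0\nONBOOT=no\nNAME={name_value}\n")
    return path


def source_with_sh(path: str) -> str:
    """Mimic the network scripts: let sh source the file, then report $NAME."""
    result = subprocess.run(
        ["sh", "-c", f'unset NAME; . "{path}"; printf %s "$NAME"'],
        cwd=os.path.dirname(path), capture_output=True, text=True, check=False,
    )
    return result.stdout


def demo_sourcing(name_value: str) -> dict:
    """Source the file and report both $NAME and whether 'touch ran' executed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_ifcfg(tmp, name_value)
        name = source_with_sh(path)
        return {"NAME": name, "command_ran": os.path.exists(os.path.join(tmp, "ran"))}


# A plain assignment: KEY=bareword or KEY="text without shell metacharacters".
IFCFG_LINE = re.compile(r"\s*([A-Z_][A-Z0-9_]*)=(\"[^\"$`\\]*\"|[^\s#\"'$`\\;&|]*)\s*(#.*)?")


def parse_ifcfg(path: str) -> dict:
    """Safe alternative: accept only plain KEY=value lines, never execute them."""
    values = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = IFCFG_LINE.fullmatch(line)
            if m is None:
                raise ValueError(f"refusing line that is not a plain assignment: {line!r}")
            values[m.group(1)] = m.group(2).strip('"')
    return values


def demo_parse(name_value: str) -> bool:
    """True if the strict parser accepts the file, False if it refuses it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_ifcfg(tmp, name_value)
        try:
            parse_ifcfg(path)
        except ValueError:
            return False
        return True


if __name__ == "__main__":
    print("plain value:   ", demo_sourcing("eth0"))
    print("value + space: ", demo_sourcing("eth0 touch ran"))
    print("parser accepts injected file:", demo_parse("eth0 touch ran"))
```

Note what the sourced run reports for the injected line: `NAME=eth0 touch ran` is the shell's prefix-assignment syntax, so `touch ran` runs with NAME=eth0 in its environment and the shell's own NAME is never set at all. On the box the same mechanism runs whatever follows the space as root, which is why `/bin/bash` there gives a root shell.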

The script now executes /bin/bash, leaving us with a root shell.