HackTheBox Writeup — Networked

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” . Also join me on discord.

The IP of this box is 10.10.10.146

Port Scan

Running masscan on it , we get

Running NMAP against these open ports , we get

Port 22 running OpenSSH 7.4 and Port 80 running Apache httpd 2.4.6

Moving to the Web Part

Port 80 — Web Part

Checking the IP on the web browser

A message on the main webpage which is a reference to Facebook, checking the source code

Nothing much interesting just a message of upload and gallery directory not linked

Running Gobuster against the target

Few results from the directory bruteforcing, checking the the /uploads directory

Nothing much interesting here, moving onto the /backup directory

A file named backup.tar listed in the directory, downloading the file to our box

The file is a tar archive, extracting files from it we get 4 php files, so we first try to access these php files through web

The upload.php file has a file upload functionality, looking to its source code

From the source code we can see that it only accepts jpg, png, gif, jpeg files only for upload, we can confirm it too by upload some other file

Returned with an invalid image file message, when uploading an image file

The file gets uploaded successfully, from the extracted php files we saw a php file named photo.php , trying to access that from the web

We see that our uploaded image is displayed here with the name of the file changed after the upload, looking forward to the file in the /uploads directory

Our uploaded file is here, now moving onto bypassing the file upload restrictions

For this we use Burp Repeater to do the stuffs for our ease

Adding the .jpg extension at the end of the php file along with the GIF string at the beginning of the contents of our code helps us bypass the restriction

Our uploaded file also appears in the photos.php web page with the name of the file, from here we can access the file through the /uploads directory

We only see the GIF string which we provided, now trying to get code exection through our parameter

Our code execution is successful here, also we can see the contents properly if we view the source

Now moving onto getting reverse shell

Using the bash one liner reverse shell command and moving onto the netcat listener

We got reverse shell successfully, moving onto getting the user flag

We cant access the user flag as we dont have permissions, looking onto more files and folders on the current home directory

There is a file name crontab.guly, looking the contents of it we see that it is stating that a cronjob is running the file check_attack.php, looking the source code of the php file

We see that it runs the php exec() function on the /var/www/html/uploads folder, so we will make a folder with the name of our netcat listener command which will result in a code exection

Our command looks like the above, checking the netcat listener after few minutes

We got another reverse connection successfully as Guly user, now accessing the User Flag

We can access it, now moving onto priv esc part

Privilege Escalation

Running the sudo -l command

We can run sudo as root on on the file changename.sh, looking at its content

We see that it will prompt us for interfaces and here we can escape it using spaces and run our bash command

As we can see we got root shell , now moving onto getting the root flag

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover