Today we’re going to solve another CTF machine, “Haircut”. It is now a retired box and can be accessed if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP
  • IP Address: 10.10.10.24
  • Difficulty: Easy

Weakness

  • Curl Command
  • SUID Screen 4.5

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna fingerprint the target to see what we have behind the IP address.

We found only these two ports open after an intense TCP and UDP port scan. So the next thing to do is enumerate the running services.

Enumerate Directories

There are different tools for directory enumeration, but my favorite one is dirbuster.

Using the lowercase medium wordlist we found an exposed.php file and an upload directory.

Let’s take a look at exposed.php file.

There’s an input field where you can enter a URL and press Go. Let’s take a look at what it does.

Let’s take a look at the request and response in burp suite.

Request

Response

I know that it is running the curl command because of the structure of the response. But the carrie.jpg picture also hints at curl, where it says CARRIE CURL.

We know what curl can do 🙂

Exploitation

We can use curl to upload our shell into the uploads directory which we found while enumerating directories.

Let’s create a php reverse shell 1337.php

1337.php

https://gist.github.com/sente/4dbb2b7bdda2647ba80b

Now we have to run a Python HTTP server to serve our 1337.php file so that curl can fetch it.

Now we have to upload our shell into the uploads directory. Since we know the default Apache path /var/www/html/uploads, let’s use the curl parameter -o to write the file 1337.php into the uploads directory.

Request

Now our PHP shell is successfully uploaded into the uploads directory.
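The weakness used here is that exposed.php hands the submitted URL to curl in a way that lets extra curl parameters such as -o through. As an added defender-side example (not code from the original post, which never shows the exposed.php source), the following Python sketches a hypothetical fetch handler: it contrasts the vulnerable string-concatenation pattern with a validated argv form that rejects whitespace, leading dashes and non-http(s) schemes, and places curl's `--` end-of-options marker before the URL.

```python
from urllib.parse import urlsplit

# Added defender-side example; the handler and its names are hypothetical,
# not the box's actual exposed.php code.
ALLOWED_SCHEMES = {"http", "https"}


def build_unsafe_command(user_url):
    """The pattern the write-up abuses: user input is concatenated into a
    shell string, so a value such as 'http://host/x -o /var/www/html/uploads/x.php'
    turns into extra curl arguments.  Returned as a string only, never executed."""
    return "curl " + user_url


def validate_fetch_url(user_url):
    """Return the URL unchanged if it is a single absolute http(s) URL, else raise."""
    if not user_url or any(ch.isspace() for ch in user_url):
        raise ValueError("URL must be a single token without whitespace")
    if user_url.startswith("-"):
        raise ValueError("URL must not look like a command-line option")
    parts = urlsplit(user_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("only absolute http/https URLs are accepted")
    return user_url


def is_accepted(user_url):
    """Convenience wrapper: True if validate_fetch_url accepts the input."""
    try:
        validate_fetch_url(user_url)
        return True
    except ValueError:
        return False


def build_safe_argv(user_url):
    """argv form: no shell is involved, and curl's '--' end-of-options marker
    means whatever follows is treated as the URL, never as -o/-O/-K, even if
    the validation above were relaxed later."""
    url = validate_fetch_url(user_url)
    return ["curl", "--silent", "--max-time", "10", "--", url]


if __name__ == "__main__":
    # Constructed inputs: a benign URL, the parameter-injection shape from the
    # write-up, a bare option, and a disallowed scheme.
    for candidate in ("http://example.test/page.html",
                      "http://example.test/x -o /var/www/html/uploads/1337.php",
                      "-o/var/www/html/uploads/1337.php",
                      "ftp://example.test/file"):
        print(candidate, "->", "accepted" if is_accepted(candidate) else "rejected")
```

Logging rejected submissions from such a handler also gives a simple detection signal for this class of probing.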

Let’s access our shell through browser or burp.

Request 1337.php?cmd=ls

Response

Now it’s time to get proper reverse shell using netcat.

And we got shell.

Privilege Escalation

After getting user access, we move on by running some scripts that help us go through the important information which can lead to root.

Before running scripts I do some manual research and testing, and this time I found an uncommon SUID file.

The first thing I did was run this command.

And found this uncommon file, /usr/bin/screen-4.5.0, which we don’t see here. Upon doing a Google search we found an exploit.

GCC is broken on the target machine, so we have to compile them locally.

Let’s compile.

Let’s upload the compiled C programs to the target machine inside /tmp.

Let’s move further.