Always stay close to what keeps you feeling alive!
Networked is an easy difficulty machine running Linux. It tests your knowledge in PHP and basic privilege escalation. Without some knowledge of PHP you may find this machine a bit challenging.
Be sure to checkout the Basic Setup section before you get started.
Like always, enumeration is our first port of call. Let’s take a look at the machine and see what we are dealing with.
First let’s use my “advanced” portscan script to find open ports:
As we can see from our port scan we have ssh open on port 22 and http open on port 80. Since at this point we have no username and password we will leave ssh and go for http. Navigating to the site we are greeted with with following page:
Nothing to look at. No links to have a navigate around. Taking a look at the source we see a comment: <!-- upload and gallery not yet linked -->. Seems like there are some directories for us to find.
We will use gobuster to bruteforce any interesting directories that may be of use to us:
Here we go! Something for us to work with. Straight off the mark we see two folders of interest. A backup folder which with any luck will have some backups with juicy info for us to bite our teeth in to and an uploads folder. Which means that there is most likely some way to upload files to the machine.
Let’s take a look and see what we can find.
Navigating to http://networked.htb/backup/ gives us an index listing:
Nice! We have a backup it seems.
Lets download and extract it’s contents to see what we have:
So here we have four files. We can see these files in the root directory of the site.
We have the index.php that we saw earlier.
A file called library.php which is blank (most likely due to there being no php output or html).
Another file called photos.php that is a photo gallery where the images seemed to be named using an IP address:
Then theres the upload.php file which confirms that we will most likely be able to upload a file and hopefully a payload:
Since we have all the files let’s investigate them further to see what types of files we can upload and how the upload form functions.
Ok so literally just some html nothing exciting. Let’s move along.
This file is a lot more interesting. This is obviously a “library” of functions, hence the name. Let’s checkout how they are being used in upload.php.
Let’s try and decipher what’s going on.
I have added three parts together for clarity below.
First off we see that there is an if() statement to check the filetype using the function check_file_type(). Essentially the if() statement is saying “If the check_file_type() function returns false display the upload form with an error message. Otherwise if the check_file_type() function returns true move on to the next statement”:
Taking a look at the check_file_type() function in lib.php we see that the output of the file_mime_type() function is placed in to the variable $mime_type. The file_mime_type() function is quite self explanatory as it is getting the files mime type.
However, the important takeaway here is that it is actually “processing” the image to get the mime type so simply changing the file extension won’t work here.
The $mime_type variable is then checked to see if it contains the mime type image/. If it does then the output of the check_file_type() function will be true otherwise it will be false.
From this information we can gather that our image needs to contain our payload.
Download one of the .png images from http://networked.htb/photos.php and save as payload.png. We will then use exiftool to inject PHP code in to the image metadata input of Document Name like so:
Be sure to change <attacker-ip>.
Then we will rename our file adding .php like so: payload.php.png.
We then setup our Netcat listener on our attacker machine:
Now let’s try uploading the file to the server and executing it by navigating to http://networked.htb/photos.php.
As we can see we are the user apache and if we use the command pwd our current working directory is /var/www/html/uploads. If we go to our home folder with the command cd ~ we see that our home directory path is /usr/share/httpd. If we check this location with ls -l we see that there is no user.txt file.
Having a look at the /home directory we see the user guly:
We will most likely need to gain access to this account.
Taking note of the guly directory permissions we see that we should be able to view the contents.
Let’s take a peek:
Here we see three files one of which is our user.txt ready to be taken.
Let’s have a look at the contents of check_attack.php:
Simplistically the script is creating a list of filenames from the uploads directory and seeing if the names have the IP address like we saw in the photo gallery earlier. If this check fails the script deletes the file.
Taking a look at this check we see something interesting:
The script is using the PHPexec() function to delete the file using the rm command:
The interesting thing about this is the $value variable which would be the filename.
Thinking about how the Linux commandline works we should be able to attach our own command like so: ;<command>
Taking a quick look at crontab.guly we see that check_attack.php is run at every 3rd minute:
Now that we have found our exploit let’s try it out.
Once again let’s setup our Netcat listener:
And then create our file/command ensuring we are at the path /var/www/html/uploads:
After a few minutes we should receive a connection:
We have our user.txt flag! Once again we can upgrade our shell if we wish. Now on to root.
First things first. Let’s check to see if we have any sudo rights:
Ok so we can use sudo with the script changename.sh.
Let’s check it out:
From taking a look at this script we see that when it is run we are asked for some inputs. The inputs we enter are then added to /etc/sysconfig/network-scripts/ifcfg-guly.
Let’s run the script to confirm this is the case entering in random inputs:
And then check to see if our inputs are in ifcfg-guly:
So far so good. Let’s check our operating system so we can search for some vulnerabilities relating to ifcfg:
So networked is running CentOS 7. A quick search term of centos 7 ifcfg vuln reveals a potential exploit.
Let’s run our script again this time inputting the command we want to run in the NAME= input:
And just like that we have the root.txt flag. Congrats on another box rooted!
The initial foothold shows that there can be major issues with allowing users to upload files via PHP scripts. Secure coding practices should always be at the forefront of the development process. Although these issues can be avoided they are still seen in the real world. As for the privilege escalation? It could have easily been avoided by ensuring sudo requires a password.