PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
|_http-server-header: nginx/1.10.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds
From the scan we can see two services: SSH (OpenSSH 7.2p2) and HTTP served by nginx 1.10.0.
Let's check out the web server.
Let's run feroxbuster.
We do find a couple of interesting paths, among them:
/exposed.php
When we hit the Go button, the page looks like this:
Let's catch a request with Burp and see if we can find anything interesting.
The web app could very well be using a curl command, meaning we can hopefully alter the request and have the target download a PHP shell.
Let's use the pentest monkey PHP reverse shell and change the IP in the script to our own.
Let's start an nc listener.
Let's start a Python HTTP server.
In Repeater, let's see if we can get the curl command to download our shell.php. Since we know there is an /uploads directory, this seems like the perfect place to put our shell.
Now if we navigate to /uploads/shell.php, this establishes the callback to our listener and we have a shell on the system.
Let's upgrade our shell.
Within /var/www/html we can see the exposed.php code,
and indeed the PHP uses the curl command together with a blacklist of characters.
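The blacklist in exposed.php is the root cause here: enumerating "bad" characters before handing user input to a shell is a losing game. The following is an added example (not code from the box or the original writeup) showing the two controls that actually close the hole: an allowlist that describes the only URL shape the application accepts, and running curl as an argv list so no shell ever parses the input. All names, the regex policy and the curl limits are assumptions chosen for the example.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed policy for this example: only http/https URLs to well-formed
# DNS-style hostnames are accepted; anything else is refused outright.
ALLOWED_SCHEMES = {"http", "https"}
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$"
)
MAX_URL_LEN = 2048


def validate_url(url: str) -> str:
    """Return the URL unchanged if it satisfies the allowlist, else raise ValueError.

    This is the opposite of a character blacklist: instead of trying to
    enumerate dangerous characters, we describe the only shape we accept.
    """
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise ValueError("url missing or too long")
    # Control characters and whitespace never belong in a URL we will fetch.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        raise ValueError("control character or whitespace in url")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in url not allowed")
    host = parts.hostname
    if not host or not HOSTNAME_RE.match(host):
        raise ValueError(f"bad hostname: {host!r}")
    parts.port  # raises ValueError itself if the port is malformed
    return url


def is_allowed_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_url."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


def build_curl_argv(url: str, timeout_s: int = 10, max_bytes: int = 1_000_000) -> list:
    """Build the curl argument vector for a validated URL.

    The command is an argv list, never a string handed to /bin/sh, so no
    character in the URL can be interpreted by a shell. '--url' makes curl
    treat the value as a URL even if it were to start with '-'.
    """
    validate_url(url)
    return [
        "curl", "--silent", "--show-error",
        "--proto", "=http,https",        # only these protocols for the transfer
        "--max-time", str(timeout_s),    # bound how long the fetch may take
        "--max-filesize", str(max_bytes),  # bound how much we are willing to read
        "--url", url,
    ]


def fetch(url: str) -> bytes:
    """Fetch a validated URL with curl, without invoking a shell."""
    result = subprocess.run(build_curl_argv(url), capture_output=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for candidate in ("https://example.com/index.html", "ftp://example.com/",
                      "-o/tmp/out", "http://user@host.test/"):
        verdict = "allowed" if is_allowed_url(candidate) else "rejected"
        print(f"{candidate!r}: {verdict}")
```

Note that `fetch` still lets a user pick the destination host; if the application only ever needs to reach a handful of hosts, replace `HOSTNAME_RE` with an explicit set of hostnames, which also removes the server-side request forgery angle.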
Let's check the kernel version.
Results:
Nothing interesting.
Let's see if we can find any files with the SUID bit set.
This seems like an interesting file to have SUID. After some googling we found an exploit which creates an /etc/ld.so.preload file pointing to a library that creates a setuid shell, then calls screen again to trigger it.
We can upload the exploit to our target machine.
Now, once I ran the exploit on the target we were given a strange error, so what I'll do is break the exploit into 3 parts.
Let's compile them; we are just following the original script.
Now let's transfer these files across.
On the target machine, within the /tmp directory:
Once we have all the files compiled and on the target, we can execute them.
We'll change directory into /etc, set the umask, and run screen.
By this point, ld.so.preload should have a reference to /tmp/libhax.so.
Now we can get access to root by running the screen -ls command.
Now ld.so.preload has been cleaned up.
If we check the permissions of rootshell, it is now owned by root and the SUID bit is set.
Now we just need to execute the binary and we have root.
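The privilege escalation above leaves two artefacts a defender can look for: an /etc/ld.so.preload entry pointing outside the system library directories, and a new SUID binary that was not there before. The following is an added example (not part of the original writeup or the exploit) of a small Python audit that performs both checks. The sample ld.so.preload content and SUID inventory are constructed for the example, the trusted directory list and baseline are assumptions, and `collect_suid` is a live helper for running the check against a real host.

```python
import os
import stat
from typing import Dict, Iterable, List, Set

# Directories from which the dynamic loader is normally expected to preload
# libraries. Anything outside them (e.g. under /tmp) deserves an alert.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample content for /etc/ld.so.preload, modelled on the
# writeup above where the file pointed at /tmp/libhax.so.
SAMPLE_PRELOAD = "/tmp/libhax.so\n"

# Constructed SUID inventory (path -> owner) as a scanner might return it.
# The screen path is an assumption; the page only names the binary.
SAMPLE_SUID: Dict[str, str] = {
    "/usr/bin/passwd": "root",
    "/usr/bin/sudo": "root",
    "/usr/bin/screen": "root",
    "/tmp/rootshell": "root",  # the setuid shell the exploit leaves behind
}

# Constructed baseline recorded when the host was known-good.
BASELINE_SUID: Set[str] = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/screen"}


def parse_ld_preload(text: str) -> List[str]:
    """Return the library paths listed in an ld.so.preload file.

    The loader accepts whitespace- and newline-separated entries, so we
    split on any whitespace and drop empty tokens.
    """
    return [tok for tok in text.split() if tok]


def suspicious_preload_entries(entries: Iterable[str]) -> List[str]:
    """Entries that are relative or live outside the trusted library dirs."""
    flagged = []
    for entry in entries:
        normalised = os.path.normpath(entry)  # collapses /lib/../tmp/x.so
        if not normalised.startswith("/") or not normalised.startswith(TRUSTED_LIB_DIRS):
            flagged.append(entry)
    return flagged


def unexpected_suid(current: Dict[str, str], baseline: Set[str]) -> List[str]:
    """SUID files present now that are not in the recorded baseline."""
    return sorted(path for path in current if path not in baseline)


def collect_suid(root: str = "/") -> Dict[str, str]:
    """Walk the filesystem and return {path: owner_uid} for SUID regular files.

    Live helper for real use; the demo below uses the constructed SAMPLE_SUID.
    """
    found: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip pseudo-filesystems that are noisy and irrelevant here.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found[path] = str(st.st_uid)
    return found


def audit(preload_text: str, suid_now: Dict[str, str],
          suid_baseline: Set[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report."""
    return {
        "suspicious_preload": suspicious_preload_entries(parse_ld_preload(preload_text)),
        "unexpected_suid": unexpected_suid(suid_now, suid_baseline),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PRELOAD, SAMPLE_SUID, BASELINE_SUID)
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
```

Two caveats for anyone running this on a real host. The writeup notes that ld.so.preload is cleaned up once the payload has fired, so a point-in-time read of the file can miss it entirely; a file-integrity or audit rule that fires on creation or modification of /etc/ld.so.preload is the reliable signal. And the SUID diff is only as good as the baseline, so the baseline should be captured from a clean build and stored off the host.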