# Hack The Box - Networked

## Quick Summary

Hey guys, today Networked retired and here's my write-up about it. It was a quick, fun machine with an RCE vulnerability and a couple of command injection vulnerabilities. It's a Linux box and its IP is 10.10.10.146; I added it to /etc/hosts as networked.htb. Let's jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

We got SSH on port 22 and HTTP on port 80, so let's check the web service.

## Web Enumeration

The index page had nothing except for this message:

So I ran gobuster to check for subdirectories and found two interesting ones, /uploads and /backup:

In /backup I found a tar archive that had a backup of all the site’s pages:

index.php:

lib.php:

photos.php:

upload.php:

/upload.php:

/photos.php:

## RCE –> Shell as apache

We can use upload.php to upload images and then view them through photos.php or /uploads/image_name. For some time I tried to bypass the extension filter in upload.php to upload PHP files, but I wasn't able to. However, I could still get RCE by injecting PHP code into an uploaded image.
I got a solid black image and called it original.png, let's upload it:

Now let's copy that image and inject some PHP code into the new copy:

I injected `<?php passthru("whoami"); ?>`, which should execute whoami, let's test it:

Now if we view the file from /uploads we won't get the image; we'll get the binary data of the image with the output of the executed PHP code at the end:

whoami got executed successfully and we're the user apache.
I created another image to get a reverse shell:

And I got a shell as apache:

## Command Injection in check_attack.php –> Shell as guly –> User Flag

First thing I did after getting a shell was to make it stable:

Then I started to enumerate the box; there was only one user on it, called guly:

We can't read the flag as apache, but there is some other interesting readable stuff: crontab.guly shows that /home/guly/check_attack.php gets executed as guly every 3 minutes:

check_attack.php:

This script checks for files that aren't supposed to be in the uploads directory and deletes them. The interesting part is how it deletes them: it appends the file name to the rm command without any filtering, which makes it vulnerable to command injection:

`$path` is the path of the uploads directory and `$value` is the suspicious file's name.
We can simply go to /var/www/html/uploads and create a file that holds the payload in its name. The name will start with a semicolon `;` (to terminate the rm command and start a new one) followed by the reverse shell command.
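As an added example (not the box's own check_attack.php, which the original shows only as a screenshot), here is the unsafe deletion pattern described above next to a hardened version that never touches a shell. The uploads path and the allow-list of expected files are assumptions for the demo.

```php
<?php
// Assumed values for this example: the uploads directory the cron job
// sweeps, and the file names that are allowed to stay there.
$path = '/var/www/html/uploads/';
$allowed = ['index.html', 'original.png'];

// Unsafe pattern, as described in the write-up: the file name is pasted
// into a shell command line, so any shell metacharacters in the name
// (a ';', a backtick, '$(...)') are interpreted by sh, not treated as
// part of the file name.
function delete_unsafe(string $path, string $value): void
{
    exec("rm -f {$path}{$value}");
}

// Hardened version: no shell involved at all. The name is reduced to a
// basename, '.'/'..' and symlinks are refused, the resolved path must stay
// inside $path, and the file is removed with unlink(). A name such as
// "; bash -i" is then just an odd file name that gets unlinked.
function delete_safe(string $path, string $value): bool
{
    $name = basename($value);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $target = $path . $name;
    if (is_link($target)) {
        // Never follow a symlink planted in the uploads directory.
        return false;
    }
    $real = realpath($target);
    if ($real === false || strncmp($real, $path, strlen($path)) !== 0) {
        return false; // missing, or resolves outside the uploads directory
    }
    return unlink($real);
}

// Sweep: remove everything in $path that is not on the allow-list and
// return the names that were deleted.
function sweep(string $path, array $allowed): array
{
    $removed = [];
    foreach (scandir($path) as $entry) {
        if ($entry === '.' || $entry === '..' || in_array($entry, $allowed, true)) {
            continue;
        }
        if (delete_safe($path, $entry)) {
            $removed[] = $entry;
        }
    }
    return $removed;
}
```

Running the sweep as a low-privilege user rather than guly, and keeping the job's log (which file names it removed) in a place the web user cannot write, also limits what a planted file name can achieve.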

After some time I got a shell as guly:

We owned user.

## Command Injection in the Network Script Name –> Root Shell –> Root Flag

As guly I checked sudo -l and found that guly can run /usr/local/sbin/changename.sh as root without a password:

changename.sh:

This script simply creates a network script for an interface called guly and then activates that interface. It asks the user for these options: NAME, PROXY_METHOD, BROWSER_ONLY and BOOTPROTO.

We're only interested in the NAME option because, according to this page, we can inject commands through the interface name. Let's try to execute bash:

And we got a root shell.

We owned root!
That's it, feedback is appreciated!
Thanks for reading.

