# Haircut

## Haircut - 10.10.10.24

### Target Enumeration:

OS: Linux

IP: 10.10.10.24

### Vulnerability Exploited:

A poorly configured PHP file, exposed.php, allows a user to output files to the uploads directory and call them via the web browser to gain a low-privilege shell.

### Privilege Escalation Vulnerability:

GNU Screen 4.5.0 - Local Privilege Escalation

<https://www.exploit-db.com/exploits/41154/>

### Replicating the exploit:

Nmap results

![](https://lh4.googleusercontent.com/BowRH_S6HIIbhRHlUYpRm8oU9VhjW4m0u_1nmGOElG5h3qI_Bq9g5ZeSjEq3PI7Kq65dOG_vvyb7xphWbx_RZ2MePMWU0nxirOmZvVVpvTn8c4Z_fq44UBf9_CZlU7G3HoUeAooN)

UDP results

![](https://lh5.googleusercontent.com/dhzR6_vwz9E0HitUmlqhdS6nf8CnMb-6lwhFY66Lzuu2pZPjdGuQNBJBdomBu6lk14xxv7K7yJyDJ1IjOBtErs1Q17pB2qA6hErU2mtL__5oI_nQvK2inmGkZdoXoekc9TgViRiW)

Nikto results

![](https://lh6.googleusercontent.com/7Z1oka2m-c0f92rRjvBgsIPexhJh1Zg85phTmByuGB5zrq6c19z3_WC8R9NaUEPQGVrLl1E7EawEIgxJfpG5y4PI8UV0DqHPPk2XZxV1PckglgBx7BazwYoNdgF95TPHaRBTyUEx)

Homepage of web application

<div align="left"><img src="https://lh6.googleusercontent.com/vwMpPPsOXVsJztff_ktI84VAGMUh-llYwYb-wa6B3X5QiualT9t10_M0RTm7Cko6QMxSGQs2DsIzoOHRIr7rcjRnP8GBifblGr89B5xSbI-U_2H-B_7MjvpcbaX6NTtUIVRz58Z-" alt=""></div>

Test.html found by nikto:

![](https://lh3.googleusercontent.com/VMmr8sKFkdiKZ8tKrLtPvbJzNRgJpDu5HHUB8MAxda7ZyH5y2hVzj_DrP-uT_ofgPNl7JKf9NtE4jS-tedrZfA3SG6twlyGKqWPYWWI09P3hItf3QjAOOeN_vsDnPfWE2sINVS-r)

/Uploads

<div align="left"><img src="https://lh3.googleusercontent.com/9U7dOz32fvC9YXoreQhHmppzBMjHLVPClehtVuEqgKcXUGiy0EWijAiiVw3JrJ42r65ApRJAIK8vPr53e8GklvuMOAoZ9_iVX6h8PC3UXSeLOSWKr2MmAkLJ75HKh4x0qX8kI3cC" alt=""></div>

Searchsploit found nothing

Dirbuster found exposed.php

![](https://lh5.googleusercontent.com/fxZnChS21Do1_MlbzXGJQ8yUwPwgLTP8sEir1Ulhr3H3ubCIcD7mPydSCI8cS11Wgmla1eMw6OwBVBst9twWs1k9wI-Y3MICZvP0py7WlCyv39vKCEr8LylAFpCywTUrLApAXT1j)

It looks like it uses curl to get the files, so command injection may be possible to get a reverse shell.

![](https://lh4.googleusercontent.com/uRynT2W-mcCf-mFxiabLBkseagR7BBPKT_Oy6rqvarnVGPMc0zD0jc0z44IroFVSLRDRXdR-xxW_6vSMgzkWasyDnmG4F35mSKZC88XbaPT-kfEG_xESB0d8P5cyd6xPx7eMygco)

Command injection did not work, so I tried to output my reverse shell to a file in /uploads, as dirbuster found.

![](https://lh3.googleusercontent.com/TTbPLSs34HWYcYAaVO53Qb6Eq0nwWVCiY7U8pzKHvDeyw_BdrcIInEX75MSdd-gbkKEZ81tnXgDbHdAkJI8dKCs7TmrRnI1dIz_L6nHJPsRDXYGyEDUFmWUwSifsWxH21i9kjEls)

Requesting the file gave me a low-privilege shell as www-data.

<div align="left"><img src="https://lh4.googleusercontent.com/MTLjk304yGqBeX7hjG_7NwuNbrXV52TC3c0w1mtvpSFVnqT2ugOv-RYYbxnH2PMpSd9bS6exysmveftuwzMoOEm62Y2MJ6B0f0I9IDYBTYqIWF6hJ5FsC-Ryc03ULstsONPNIcGG" alt=""></div>
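From the defender's side, the weakness is that the value submitted to exposed.php appears to reach curl as more than a single URL. The following is an added example, not code from the box or the original write-up: it validates the submitted value and builds a curl argument list that is run without a shell. The function names and the `example.test` host allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Assumption: hosts this fetch feature is meant to reach (placeholder value).
ALLOWED_HOSTS = {"example.test"}


class RejectedURL(ValueError):
    """Raised when the submitted value is not a single plain http(s) URL."""


def validate_fetch_url(raw: str) -> str:
    if not raw or len(raw) > 2048:
        raise RejectedURL("empty or too long")
    # Whitespace or control characters could split the value into several
    # arguments, letting extra curl options ride along with the URL.
    if re.search(r"[\s\x00-\x1f\x7f]", raw):
        raise RejectedURL("whitespace or control character")
    if raw.startswith("-"):
        raise RejectedURL("option-like value")
    try:
        parts = urlsplit(raw)
        host = (parts.hostname or "").lower()
        has_creds = bool(parts.username or parts.password)
    except ValueError as exc:  # malformed authority, e.g. bad IPv6 literal
        raise RejectedURL("unparseable URL") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedURL("scheme not allowed")
    if has_creds or host not in ALLOWED_HOSTS:
        raise RejectedURL("host not allowed")
    return raw


def build_curl_argv(raw: str) -> list:
    """Argument list for subprocess.run(argv) with no shell involved."""
    url = validate_fetch_url(raw)
    return ["curl", "--silent", "--max-time", "10",
            "--proto", "=http,https", "--proto-redir", "=http,https",
            "--url", url]


def is_rejected(raw: str) -> bool:
    try:
        validate_fetch_url(raw)
        return False
    except RejectedURL:
        return True
```

Because the value is passed as one list element after `--url`, curl receives it only as the URL, and the web server account should additionally have no write access to any directory it serves scripts from.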

User.txt : 0b0da2af50e9ab7c81a6ec2c562afeae

<div align="left"><img src="https://lh4.googleusercontent.com/gqD1Aq1aW-QW98rDCnmV_F98xSKPtV2oN50WKOjmcAsOlfOfMrC4BEk6HBVo5JtCA2OJ16DcSrbzFNqoOxHWb_8UAFck3JPrF7aSs-HT-j0X0x3APD9dQh_5EaF5SdxCOWGf2tOm" alt=""></div>

Now we need a stable shell

Navigate to /dev/shm

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
^Z
stty raw -echo
fg
```

Running privchecker scripts found nothing.

A SUID search gives the version of screen.

![](https://lh4.googleusercontent.com/7xuQkDdQciGxtt7usv21FryKzR8c2nY1SnXIDVgrvEMHom3QFW6O159GgPTdGa-H_11SaQMFZK9TfgJo2LWMuZjltmduwEpg4t__zLw82hMbF_p6a21Fxt_3pzyjL4EUARyk_IpF)

Searchsploit results:

![](https://lh6.googleusercontent.com/c8PczBEWmCOSLTYJJ2NW-pOlicOqXOgvGSX_8Vtaxg9Y-t7qSFEc5E7f58OGJX4ui0zFJJzt_f8e_LDqtL-tVEQS-fhm98XQou7xR0nrJMKoy18daxOoIlTx0vRNAg12luqH8Hql)

Review of the exploit

<div align="left"><img src="https://lh5.googleusercontent.com/oy3wNOC_ubCnYf4fq53EnMl0RBFjPuR5sVZW930w07ZHGAko9MRqNTEiAyeikiOPFG55hUI9jG4HPVt7mmMakGkBKn7Vfe_VOOSY9VDh9WEZHwhfs4pxtphu9fyEu1UpAu-jfDhJ" alt=""></div>

Best to compile manually and locally so create rootshell.c

![](https://lh3.googleusercontent.com/XLP94wHtiVmSjRG3Td4oX7RJXfA9Xv-FYcXQkFCaGxNWIoQ-852XIi2-r82XtmD68VNzeZCuRDZzHLnKG1XRUsSBb0ffxCWwoe1SYm_8ejucXPcWNqB9rsjZRMDb4jX6ouG2pX8h)

Compile

<div align="left"><img src="https://lh5.googleusercontent.com/BYIVIvv41FxIhMvLK4RjaZBYFBGPKENQDBTYsQUi7Qee1ViTTviDUcyIHc-ajEKzNJrFq73DfEnQYKwGEtUWE6vm43Fbu6PDWNWXnHWWRIU9XyShsBBKigBuGIEy_BKbKK8AoApM" alt=""></div>

Create libhax.c

![](https://lh6.googleusercontent.com/t9S3QLGdp9PZKMews7TzxGESUFAT3q08Ygd07qigPz65nZUMT1sAB7k9Xj5Xh9E2OnSd8-zFXIqrkkuzy7_QZxnOqE9EjW7gc6H4kzEPpsHvFUp2nFGBU-F3v5EvBHppKvqPzYrr)

Compile

![](https://lh6.googleusercontent.com/_BhfnPSt14qwNyZ6X9UXpIUPpjDf5lZ6PVSMldpD5gwy7yp7qEi1J8_Bs0fbRBgPSQkCKSjmKv2naXRcd1OiMXDhCCc-ZPR9wtYW83UFk4mQeRRTGCPsh-2-zbkBRK_ls8TXmsdI)

Upload to /tmp on haircut.

Navigate to /etc

Run the following commands to get root

![](https://lh3.googleusercontent.com/ijjztTYOQqKe7mrvf43PDxmHsx-YyLDMa3bueJB2LFROV5Hh0pDObmcX-Jsu4zoy4S_3QC0obAuy8KF0NL3vSPOAQH2OytuWmNnC_3WEbX9ZbSmCl-I6JtQnXL1u3SLgW7AWEKOZ)

NC listener on 444 should give you a root shell.

![](https://lh6.googleusercontent.com/VbQDx3YWRU98-ikwS9UROzjeX-7CdE8tI4CJ5Xl8YB4QWa3_YYzXT_PrvJsHVocDAYeHAsPX8KlQ-LOEvgw4FGW_TI0SagpjqY9MSa3Jeaw66IBaKfcPmrsRHoAbwyO7Ttah6bkX)

root.txt : 4cfa26d84b2220826a07f0697dc72151

