Haircut - 10.10.10.24
Target Enumeration:
OS: Linux
IP: 10.10.10.24
Vulnerability Exploited:
A poorly configured PHP file, exposed.php, lets a user write files to the uploads directory and request them through the web browser to gain a low-privilege shell.
Privilege Escalation Vulnerability:
GNU Screen 4.5.0 - Local Privilege Escalation
https://www.exploit-db.com/exploits/41154/
Replicating the exploit:
Nmap results
UDP results
Nikto results
Homepage of web application
Test.html found by nikto:
/Uploads
Searchsploit found nothing
Dirbuster found exposed.php
It looks like it uses curl to fetch the files, so command injection may be possible to get a reverse shell.
Command injection did not work, so I tried writing my reverse shell to a file in /uploads, which Dirbuster had found.
Requesting the file gave me a low-privilege shell as www-data.
User.txt : 0b0da2af50e9ab7c81a6ec2c562afeae
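A hardened form of the curl-fetching pattern that exposed.php appears to use, as an added example that is not part of the original write-up or the target's code. It is written in Python rather than PHP, and the function names, the sample values and the example.test host are assumptions for illustration: the submitted value is accepted only as a single http(s) URL and is passed to curl as one argument after --, with no shell, so it cannot carry extra curl options.

```python
import subprocess
from urllib.parse import urlsplit

class RejectedURL(ValueError):
    """The submitted value is not a single absolute http(s) URL."""

def build_curl_argv(value):
    """Return an argv list that makes curl fetch exactly one URL to stdout."""
    # Whitespace or control characters mean more than one token was sent,
    # which is how extra curl options ride along inside a command string.
    if not value or any(c.isspace() or ord(c) < 0x20 for c in value):
        raise RejectedURL("value must be a single token")
    if value.startswith("-"):
        raise RejectedURL("value looks like an option, not a URL")
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError as exc:
        raise RejectedURL(str(exc)) from exc
    if parts.scheme not in ("http", "https") or not host:
        raise RejectedURL("only absolute http(s) URLs are accepted")
    return ["curl", "--silent", "--max-time", "10",
            "--proto", "=http,https",        # refuse file://, gopher://, ...
            "--proto-redir", "=http,https",  # same limit after redirects
            "--", value]                     # "--" ends options: value is a URL

def fetch(value):
    """Run curl with no shell; the body is returned, never written to disk."""
    argv = build_curl_argv(value)
    return subprocess.run(argv, capture_output=True, check=True, timeout=15).stdout

# Constructed sample inputs (assumptions, not taken from the target).
SAMPLES = [
    "http://example.test/index.html",
    "http://example.test/a --some-option value",
    "--some-option",
    "file:///etc/hostname",
]

def accepts(value):
    """True if build_curl_argv() accepts the value, False if it rejects it."""
    try:
        return bool(build_curl_argv(value))
    except RejectedURL:
        return False

if __name__ == "__main__":
    for sample in SAMPLES:
        print("accept" if accepts(sample) else "reject", repr(sample))
```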
Now we need a stable shell
Navigate to /dev/shm
python3 -c 'import pty;pty.spawn("/bin/bash")'
^Z
stty raw -echo
fg
Ran privchecker scripts; they found nothing.
A SUID search gives the version of screen.
Searchsploit results:
Review of the exploit
It is best to compile manually and locally, so create rootshell.c
Compile
Create libhax.c
Compile
Upload to /tmp on haircut.
Navigate to /etc
Run the following commands to get root
The nc listener on port 444 should give you a root shell.
root.txt 4cfa26d84b2220826a07f0697dc72151