Hackthebox - Updown
Last updated
Last updated
Linux
When we go to http://10.10.11.177/ we land here
Seems like we'll have some fun ^^
Let's add this in /etc/hosts first 10.10.11.177 siteisup.htb
Let's add the subdomain in our hosts we get a 403 here
/dev is a blank page. Let's try to run gobuster in it
Let's also try to dir bust the subdomain dev. So not possible because of the status code
Ok now let's do what I was tempted to do since I saw the landig page
python3 -m http.server 80
In the browser let's try to see if we can interact this way and enter http://10.10.14.10/test in the form
So we should try to get files or inject command or see what open port we have using this technique
We can fuzz for open ports with burp intruder
In the payloads tab we choose number. And start from 1 to 65535 with a step of 1.
If you do not have the pro version of burp the best way would be to use another tool because community version might be slow for this.
Let's see our results. So it was worth trying but besides port 80 we do not have anything
This article on Hacktricks is interesting to see how we could process with this
wget -r http://siteisup.htb/dev/.git/
then we can use git diff go in the dev directory and run git diff > diff.txt this way you can look and grep and really analyze the file
It is worth having a look at the git documentation to see useful git commands
Other interesting commands are the git log we will have the commit history and git show <commit-id> to have more info on a specific commit
This commit is really interesting
With this commit we know that in order to access the .htpasswd we need this header in the request Special-Dev: only4dev and our Ip should be 127.0.0.1. We alse need a valid pair of credentials
This one is also interesting
Let's try to add the new header everywhere and see what we get
To do so in burpsuite this article is really helpful
So here is what it looks like in my Burp
So let's try to navigate to http://dev.siteisup.htb/
We have access to a new page, with a file upload functionality
The admin panel link and the changelog do not give anything
I tried a php file and it is doing some checks.
Maybe there is a way to have a look at the code using the git we found. This way we can see how to bypass this restriction.
Ok let's try the tool git dumper mentioned in hacktricks
python3 -m venv git-dumper I prefer to install it in a venv so that I do not mess up my local python
source git-dumper/bin/activate we activate the env
pip install git-dumper we install in in the env
git-dumper http://siteisup.htb/dev/.git/ dumpedsite
So now we can see some php file. the index is not where the extension is verified but the checker seems interesting. This function is the one that is of interest for us
Very convenient once our file is uploaded we will even know where to fetch it (http://dev.siteisup.htb/uploads/). However it will also delete the file so we have to be quick.
php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i here are the file not allowed. This article on hacktricks has nice information on how to bypass these protections
It mentions phtm which is not in the list. Let's try it. We can upload it.
The best way I can think of to gain time is to put a big url list in the file and add our payload at the end of this list
Also be careful to put too many url at the begining because the file limit is 10kb
phtm does not get interpreted let's try another one in hacktricks there is also .phar. Let's try it
It seems like what is failing me is not the extention but the php file I am using.
Let's try another php shell. We get a shell as www-data
We need to move to the user developer (we know the user is called developer with ls /home) because we can not read the user flag now.
Let's upgrade the shell first python3 -c 'import pty;pty.spawn("/bin/bash")'
Here is the full process
In the developer home we can not cat the user we do have access to the python file that processes the websites to see if they are up
If we make a file on siteisup here is what we have
It has the suid bit set. If we launch it we have a prompt to put an url
This is launch as the user developer so this how we could move to this user. We could try to inject code and get files. When enumering the home of developer there was an ssh folder that we had a permission denied on. We could try to get an ssh key from here. This article explains how to execute os commands in python.
Let's try this __import__('os').system('cat /home/developer/.ssh/id_rsa') id_rsa is the default name for a private ssh key let's hope it will work in our case.
We get the private key!!
So now we just need to copy it and paste it in our machine, then we will just have to change the rights and ssh -i as developer. Let's try this!
It works
We can grab the user flag
First thing I usually do in linux when I have a user is sudo -l and here we get this interesting output:
With some research we find out that easy_install is deprecated. And we can find it on the one and only GTFOBINS
Let's try this
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF
It works
We can get the root flag!
And it works our server get an interaction from the target
Ok what happens if we request for something that exist like if I just ask for http://10.10.14.10/ or http://127.0.0.1:80/
We send our request to the intruder we postiton our payload in the port number like this
Let's grep is up. so in options grep match we delete the table and add our string
Let's check the git folder we found
