Updown - Hackthebox - OSCP Prep TJ Nulls
UpDown is a medium difficulty Linux machine with SSH and Apache servers exposed. The Apache server hosts a web application that lets users check whether a webpage is up. A directory named .git is identified on the server and can be downloaded to reveal the source code of the dev subdomain running on the target, which can only be accessed with a special HTTP header. Furthermore, the subdomain allows files to be uploaded, leading to remote code execution using the phar:// PHP wrapper. The pivot consists of injecting code into a SUID Python script and obtaining a shell as the developer user, who may run easy_install with sudo, without a password. This can be leveraged by creating a malicious Python script and running easy_install on it; because the elevated privileges are not dropped, this allows us to maintain access as root.
Skills Required
Web Enumeration
Local Git repository hacking
PHP File Inclusion
------------------
Skills Learned
HTTP Header modification
PHP Local File Inclusion Firewall bypass
Exploiting SUID binaries
------------------
Tools
manual enumeration
vhost enumeration
directory enumeration / directory brute forcing
Burp Suite header manipulation
minor PHP programming
minor Python programming
Python exploit knowledge, specifically around Python 2 input vulnerabilities
gobuster
ffuf
Obsidian
GTFOBins easy_install
------------------
My Certifications:
Practical Network Penetration Tester (PNPT): TCM Security - https://certifications.tcm-sec.com/pnpt/
Practical Junior Penetration Tester (PJPT): TCM Security - https://certifications.tcm-sec.com/pjpt/
Practical Junior Web Tester (PJWT): TCM Security - https://certifications.tcm-sec.com/pjwt/
Certified Ethical Hacker (CEH): EC-Council
--------------------
Socials:
Tryhackme: https://tryhackme.com/p/NoxLumens
Hackthebox: https://app.hackthebox.com/profile/179139
Twitch: https://twitch.tv/noxlumens