Hack The Box - UpDown (Medium) - Live Walkthrough

In this video, Tib3rius solves the medium rated "UpDown" challenge from Hack The Box.

The main website seems to have SSRF potential, but we also find a /dev directory on a web server and a .git directory inside that. Our SSRF attempts fail, and testing for an LFI results in a "WAF" alert. Using git-dumper we extract the repository and find some hidden files. By accident we stumble upon the dev subdomain which allows us to access the admin panel and find an LFI we can use, however PHP filter exploits fail for some reason. The dev subdomain allows us to upload files, and we can use this to execute PHP code via the LFI, except that most PHP extensions are banned. We eventually try .phar as the extension and it works, giving us a reverse shell. The privesc to root was a simple PYTHONPATH hijacking followed by using easy_install with sudo to trigger code execution.

0:00 - Introduction
0:19 - Setting up dnsmasq
2:00 - Running AutoRecon
3:52 - Finding a /dev directory and attempting directory busting on that.
5:31 - Finding a .git directory in /dev
6:16 - Testing out the potential SSRF first, getting a hit on our web server from a "siteisup.htb" UserAgent.
10:48 - Attempting PHP Remote File Inclusion but failing.
13:06 - Trying to use our SSRF as a port scanner but not finding anything other than port 80.
17:49 - Attempting to view local files (LFI) via the SSRF, triggering a "WAF".
19:20 - Extracting the .git directory we found earlier using git-dumper.
22:49 - Finding hidden upload functionality in the source code, seeing if it still exists on the app.
24:32 - In the .htaccess file we find a custom header which appears to control access to something.
29:39 - Using GitHub Desktop to better view commits and file differences.
35:21 - Accidentally stumbling upon the dev subdomain!
39:11 - Finding the admin panel and trying more LFI.
40:44 - Trying and failing to get a shell using PHP filters!
1:02:23 - Looking at the upload functionality again, seeing if we can include uploaded files.
1:15:13 - Realizing we can upload PHP's phar files, but getting distracted by deserialization.
1:25:28 - Chat to the rescue. Me learning that apparently .phar files will be executed as PHP code.
1:29:07 - Using msfvenom to create a reverse PHP shell payload and getting a reverse shell on the box.
1:33:00 - Finding an interesting Python script.
1:34:05 - After going down a binary analysis rabbit hole, we realize we could just hijack the PYTHONPATH env variable.
1:36:53 - Creating a fake requests.py file to spawn a shell as the developer user, getting user.txt.
1:38:38 - Our user can use sudo to run easy_install as root without a password, an easy privesc!
1:40:12 - Outro

Twitter: https://twitter.com/0xTib3rius
Twitch: https://www.twitch.tv/0xTib3rius/
Courses: https://courses.tib3rius.com
Udemy: https://www.udemy.com/user/tib3rius/
Discord: https://discord.com/invite/4qrvKMh