{"id":207,"date":"2025-07-02T18:48:00","date_gmt":"2025-07-02T18:48:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=207"},"modified":"2025-12-28T19:47:33","modified_gmt":"2025-12-28T19:47:33","slug":"updown-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=207","title":{"rendered":"UpDown- Hackthebox lab"},"content":{"rendered":"\n

This assessment was tough, the foothold was really demanding and helped me learn a lot. I started off with port scans using the tool Nmap for both TCP and UDP ports.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

The site on port 80 was a website created to determine if another website is up or not.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I an Nikto and Nuclei to look for any vulnerabilities but did not find anything interesting.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

Next I used Gobuster to fuzz the web directories Wfuzz to check for subdomains.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I added the discovered subdomain to my \/etc\/hosts file to access the page.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With the name resolution in pace on my local attack box. I was still unable to access the page.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

While fuzzing the \/dev directory I found earlier, I found a Git repository on the website.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Using a tool called git-dumper, I pulled down the files to my local attack box.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

While looking through the files, I found in the .htaccess file that a special header was required to access some of the resources.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I added the header in the web browser plugin \u201cModify Header Values\u201d and was able to access the dev subdomain.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

At this point, I wanted to upload a reverse shell but nothing was working as expected, under further investigation. This site had many php functions blocked. Also, in order to successfully upload a file, it needed to be zipped and have a file extensions such as png. I used the phar function to read the zip file and uploaded a php shell in a zip file named shell.jpg.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I was able to run the request above and get a reverse shell, I had to use some other writeups to get this working as it was a bit outside of my comfort zone.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

I upgraded the shell using \u201cpython3 -c \u2018import pty;pty.spawn(\u201c\/bin\/bash\u201d)’\u201d then found some scripts on the box. One of the scripts was an ELF binary that is used to execute other python scripts. I used this script to inject some code and got access to the developer account.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I then exfiltrated the ssh key for developer.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I used the key to access the box as the developer account over ssh.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I checked if the user had access to run sudo on anything with sudo -l. easy_install has instructions on gtfobins https:\/\/gtfobins.github.io\/<\/a> for privilege escalation. I used the commands below to get root.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This box took me a couple of days and taught me a lot. This shows the importance of hardening web servers and the persistence some attackers will use to get in. Thank you to https:\/\/medium.com\/@Poiint\/htb-updown-write-up-bf01d926ddc4<\/a> for the writeup and help getting through this lab.<\/p>\n","protected":false},"excerpt":{"rendered":"

This assessment was tough, the foothold was really demanding and helped me learn a lot. I started off with port scans using the tool Nmap for both TCP and UDP ports. The site on port 80 was a website created to determine if another website is up or not. I […]<\/p>\n","protected":false},"author":1,"featured_media":208,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=207"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/207\/revisions"}],"predecessor-version":[{"id":501,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/207\/revisions\/501"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/208"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}