UpDown write-up by evyatar9

Read my write-up for UpDown machine on:

TL;DR

User: Discovered the virtual host dev.siteisup.htb and the directory /dev/.git. Found that the Special-Dev: only4dev HTTP header must be added to access dev.siteisup.htb. Uploaded a .phar file and gained a reverse shell as the www-data user. Found a SUID for the developer user that runs a python2 script with the input() function, used input() to execute python code and obtained the SSH private key of the developer user.

Root: By running sudo -l, found that /usr/local/bin/easy_install can be run as root. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. Using that, a shell as root was obtained.

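For the defensive side of the Root step: a small audit of `sudo -l` output that flags root grants for binaries which run caller-supplied code without dropping privileges, as easy_install does. This is an added example, not part of the original write-up; the RISKY set is an illustrative subset (an unflagged command is not thereby safe), and the sample output is constructed.

```python
import os
import re

# Binaries that run caller-supplied code or commands and keep root when
# started through sudo. Illustrative subset only (assumption of this example).
RISKY = {"easy_install", "pip", "python", "python2", "python3",
         "perl", "ruby", "vim", "env", "bash", "sh"}

# One rule line of `sudo -l`: "    (runas) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?P<rest>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit_sudo_l(text):
    """Return (runas, nopasswd, command, reason) for each risky root grant."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults lines and headers carry no "(runas)" prefix
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only grants that reach root are reported here
        rest = m.group("rest")
        tags = TAGS.match(rest)
        nopasswd = bool(tags and "NOPASSWD" in tags.group(0))
        cmds = rest[tags.end():] if tags else rest
        # Simplification: commas escaped inside arguments are not handled.
        for cmd in (c.strip() for c in cmds.split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((runas, nopasswd, cmd, "unrestricted"))
            elif os.path.basename(cmd.split()[0]) in RISKY:
                findings.append((runas, nopasswd, cmd, "runs arbitrary code"))
    return findings

# Constructed sample of `sudo -l` output (not taken from the machine).
SAMPLE = """\
Matching Defaults entries for developer on localhost:
    env_reset, mail_badpass

User developer may run the following commands on localhost:
    (root) NOPASSWD: /usr/local/bin/easy_install
    (root) /usr/bin/uptime, /usr/bin/vim
    (www-data) NOPASSWD: /usr/bin/python3
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print(finding)
```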