Medium rated. This is SafeZone from THM. It was pretty enjoyable; here’s what happened.
SSH and HTTP only.
At index.php we have a login page but we have no credentials. There is a register.php where we can register an account which we can then use to login. Doing so gets us to dashboard.php which has a few links including detail.php which has a comment hidden in the page source:
try to use “page” as GET parameter
Trying this doesn’t work. We need to be a different user.
Doing some webserver enumeration turns up note.txt which is from admin (our user) saying that his password is in /home/files/pass.txt (I think, I didn’t make a note of it). We need to look harder for this; it’s in /~files/pass.txt. This file contains a hint that narrows down the password to one of a list of 100. Trying a few combinations on the login page quickly reveals which one is correct, although we can only do 3 before we get timed out for 60 seconds. Anyway it’s pretty straightforward.
Once we are logged in as admin we do have an LFI with the page parameter, and we can read /var/log/apache2/access.log with it so our foothold is via poisoning the log file. I use the classic PHP code in the User-Agent field of a Burp repeater request to get the command into the logfile and then use the PHP one-liner to get a shell.
By the way; we can register a user with the name admin and a different password, but the LFI still won’t work if you do that.
Anyway, we’re on the box.
We don’t need to be www-data for long; in /home/files we find this:
We also have another user (yash) but we can’t enter the home directory. Anyway, the file I’ve mentioned above contains a hash for the user files which John can deal with easily, and then we can SSH in as files.
files > yash
I run linpeas, because I always run linpeas. Not too much stands out, except:
I wonder what’s on Port 8000? We have an SSH connection. I’ll set up a port forward:
And visit localhost:9000 in my browser. There is an nginx 403 page, so I run a feroxbuster and a dirsearch (since it comes with a nice default wordlist):
We don’t really need login.html because login.js shows where we want to go - pentest.php. Here, we have a box where we can enter a ‘message’ for yash. I try a few things but all that seems to happen is the message gets echoed back, with some modifications. If we use bash, it gets dropped. Same for a few other things, like nc, semi-colons and so-on. Ping doesn’t seem to get dropped, but it won’t ping me. Hmmm. I try sleep 5 and it works; the response has a very definite delay. So we do have command execution - presumably as yash - but with some filter to defeat.
Remember I said I couldn’t cd to /home/yash? Let’s fix that:
chmod ugo+rwx /home/yash
This works. Since I’m already SSH’d in as files for my port forward, I can now write to the yash directory. This was in my original webshell:
And this was after:
I’ve got you now, yash. I can read the user flag, but more usefully I can create a shell script to send me a reverse shell, which I will then call from the web session:
I start a listener and call /home/yash/shellington.sh from the webpage:
We are yash.
yash > root
So what’s that bk.py? We can’t read it, but we can execute it and trying it out reveals it copies files for us. It asks for a password but either I got lucky and pass works, or much more likely it’s a red herring. Let’s see:
Right so it happily copies files as root, but make them readable. Goodo. I use this to make a copy of the root flag and read it, but that doesn’t get me a shell. There are probably a few ways to do this; I make a copy of /etc/passwd (you don’t need the script for that), then append a new user (root2:mrcake) to it, and then use the script to overwrite the real /etc/passwd with my version. Then I can su root2 and it’s game, set and match:
Little fist pump when this one was done. Thanks cyberbot.