This is Hopper. It’s Medium rated, I liked it (a lot), and I didn’t manage it all on my own. There are some important learnings here.
SSH and HTTP only.
Fuzzing reveals our first target: http://10.10.10.54/advanced-search/. The page says:
Welcome to the private search
Here you will be able to load any page you want. You won’t have to worry about revealing your IP anymore!
We have a search box, which submits GET requests to page.php using the path parameter. I try to include a remote PHP shell and while the server will request and load the file, it doesn’t execute/include it.
We can request localhost URLs, which suggests SSRF. I try various path traversals, but can’t get upstream of the webroot.
We have an LFI using the file parameter, e.g.:
We have two users, edward and henry. We can use the LFI to get /var/log/wtmp and it appears henry has never logged in, so presumably we want edward.
I can’t read id_rsa, or even .bashrc or .profile for either of our users, so that’s not much good anyway. I run the seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt wordlist against the server but don’t find anything super useful.
This wordlist does not include /proc/net/tcp, which for seclists is only included in LFI-Jhaddix.txt. If we do include it, we get several entries:
We can decode these with this Perl script from here if we want:
And if we do then we get this:
So we can see there is an open port (2222) accessible via localhost and indeed our vector is SSRF via an internal webserver.
I also saw a python script in another writeup that probes all ports through the SSRF rather than reading /proc/net/tcp; it looks like this:
This script also finds the open port:
Next, we need to fuzz the port to see what we can find. Normally I use feroxbuster for this sort of thing but it doesn’t quite have the control needed, so it’s ffuf instead.
The /backup file was an SSH key (encrypted) for our user edward. We can break this with john in the usual way and log in. Once inside, there isn’t actually much to find - and that’s the second interesting part about this challenge: sometimes you have to go backwards to go forwards.
We have write access to /var/www/html and that means we can create a webshell and send ourselves a reverse shell:
So the last parts of this box are watch (GTFOBins) and ascii-xfr. ascii-xfr is used to:
upload/download files using the ASCII protocol
I make a copy of /etc/passwd and then overwrite the original, like so:
And that was that! I definitely had to get a couple of hints for this one. Out of interest, the internal webserver running on Port 2222 was run like so: