Cheese CTF (THM)
Inspired by the great cheese talk of THM!
So to kick things off we start with RustScan, which gives us insane results.
As you can see there are a lot of open ports, so as always I start with HTTP on port 80.
We have a few interesting pages; let's look at the users.htm page.
Nothing appears to be here; let's look at the login form.
I decided to use SQLMap, the GOAT of SQL injection.
Interesting, let's see what is there.
And indeed the target is vulnerable to LFI (local file inclusion). So let's try to access some important file, maybe an SSH key or something.
As you can see, in the li tag there is an href which refers to a PHP filter. If we are able to execute such a thing on the web server we can get RCE on the target machine.
And indeed we can. Let's find a way to execute PHP code here.
We can use this tool, which helps us generate a chain of filters to get RCE on the system.
And by doing so we have access as www-data.
As for this user it's actually super easy: we can see that in the .ssh directory of the comte user there is the file authorized_keys and we can write to it, so we just need to generate an SSH key on our own machine and paste the public key into authorized_keys. As easy as that.
Since we have sudo for these, we can start the exploit timer, but at first it was giving me an error.
So I just added a timer and it works.
After that we start the service and we will see that an xxd binary with SUID has spawned in /opt.
xxd is a hexdump tool (or the reverse, as they say).
As for the exploit, we can basically read and write anything since it has SUID and the owner is the root user.
We can do it like this and we are done.
As for the second way, we want to get root over SSH. We already have an SSH key inside .ssh of the comte user; we just need to move that into .ssh/authorized_keys of root to get access as root.
Using this command we are able to move our public key into .ssh of root.
And now let's SSH.
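Two of the misconfigurations this box relies on, a writable authorized_keys in comte's .ssh and a SUID xxd dropped in /opt, are easy to audit for. The script below is an added example (not part of the writeup) that checks both against a directory tree; it assumes GNU find and that user and root homes live under home/ and root/ of that tree.

```shell
#!/bin/sh
# Added example, not from the writeup. Audits a directory tree ($1, use / on a
# real host) for the two weaknesses seen on this box. Assumes GNU find.

# List authorized_keys files that are group- or world-writable.
# Assumption: homes are under $1/home and root's home is $1/root.
find_writable_authorized_keys() {
    find "$1/home" "$1/root" -path '*/.ssh/authorized_keys' -perm /022 2>/dev/null
}

# List SUID binaries outside the usual system directories (e.g. /opt/xxd).
find_unexpected_suid() {
    find "$1" -type f -perm -4000 \
        -not -path "$1/usr/*" -not -path "$1/bin/*" -not -path "$1/sbin/*" \
        2>/dev/null
}

# Build a constructed sample tree so the checks can be run offline.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/comte/.ssh" "$d/root/.ssh" "$d/opt" "$d/usr/bin"
    : > "$d/home/comte/.ssh/authorized_keys"      # weak: world-writable
    chmod 666 "$d/home/comte/.ssh/authorized_keys"
    : > "$d/root/.ssh/authorized_keys"            # fine: owner-only
    chmod 600 "$d/root/.ssh/authorized_keys"
    : > "$d/opt/xxd"                              # weak: SUID outside /usr
    chmod 4755 "$d/opt/xxd"
    : > "$d/usr/bin/passwd"                       # expected SUID, ignored
    chmod 4755 "$d/usr/bin/passwd"
    echo "$d"
}

# With no argument, run against the constructed sample tree.
target=${1:-$(build_sample_tree)}
echo "group/world-writable authorized_keys under $target:"
find_writable_authorized_keys "$target"
echo "SUID binaries outside /usr, /bin, /sbin under $target:"
find_unexpected_suid "$target"
```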
It appears to be a normal admin panel, but take a look at the URL.