As always I have to deploy the machine and wait a little bit for the machine to come up. While this is happening I am creating my folder structure for the room and this write up of the room.
Once the machine is up and you have the IP address I want to visit the site. This time there was nothing that will help with this room. So, the next step I am going to do is to run nmap on the server and see what ports are available. I like to use the flags to output all formats, scan for versions of software and look for default scripts.
nmap -sC -sV -oA server 10.10.168.150 Your IP address will be different when you work on this room so be aware of that.
This was the output of the scan on the server. I can answer the questions from the room with this output. They will ask what version of the software is being used and what service is running on specific ports.
The next section wants me to run Gobuster against it to see if there are any folders or files that can be used. With gobuster I like to pipe the output to
tee so that I had a record of what is found. The command that I will use here is
gobuster dir -u http://10.10.68.150 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,js,txt | tee directory.txt I like to use the x flag to search for different formats of files that maybe on the server.
After looking at the output I noticed that there is an uploads directory and a panel directory. I am going to assume uploads holds the contents of what we upload from the uploads directory. Now it's time to go to the panel page and see what we are greeted with.
It looks like a simple upload page. Now it's time to see what I can upload via this page. The first thing I try is the php reverse shell that I got from PenTestMonkey. Once I downloaded it I need to change two fields in it, the IP address and the port that it will use.
Once those two settings have been changed it is now time to try and upload my shell.php file.
I see that I can't upload a straight php file to the site. The next step that I am going to try and do is to use double extensions. What I mean by that is to make the file shell.php.jpg to see if that can bypass the filter.
I can evade the filter but when I went to the /uploads folder and clicked on the file the server tried to display the jpg and returned and error to me. I know that isn't going to work so I went to google and searched for another way to evade the filter and be able to execute the file. After a little looking I see that .phtml is an extension that can work. I will rename the file to shell.phtml and then upload it and that was successful.
Now I had to setup the netcat listener so that I can catch the reverse shell coming from the server. That is done with this command:
nc -lvnp 8888. Just make sure that the port in the command matches what you put into the script from above.
I now went to the uploads folder and saw that my file was there and then clicked on the file and took a look at my netcat terminal. I am greeted with a great sight, a shell.
Now the flag submission page is saying that there is a file called user.txt somewhere on the box. To find it I will use the find command to search the machine for that file.
find / -name user.txt 2>/dev/null I will use the 2>/dev/null to make all the errors disappear and I am displayed only files that I have access to.
Once the flag was submitted for the normal user now it's time to go and find the root user flag. The hint that I was given was that there is a SUID set and they do give you the command to run. As with all find commands that I run that aren't using the root user's permission I will add the
2>/dev/null to the end to only show files that I have access to.
After the search is completed I notice that the python program is able to execute as root. I then go to GTFO and search for a python script that will allow me to elevate to root on this machine. There is a script that can be run and after I run it I see that I am root with the
Once I got the command from GTFO I executed it to get root access. The first place I will look for a root.txt file is the root user's home folder and I was correct. So all I had to do was cat the file and I can complete the room.
As always comments and suggestions are always appreciated and can be emailed to me firstname.lastname@example.org. As always, have a great day and stay safe.