So, as per usual, let’s kick it off with an nmap scan:
We notice that two ports are open: 22 (SSH) and 80 (HTTP). Web sites are always fun in CTFs and leave lots of different places to stuff clues and challenges, so let’s check out the site first, and run Dirbuster on it at the same time to see if it has any hidden directories.
Two directories matter to us: /panel and /uploads. /panel brings us to this page:
Which WILL NOT take a standard .php file (my poor reverse shell). And we can assume once we get past this roadblock, that the shell we will be executing is going to be located in the /uploads directory.
So I have a simple, minimalist reverse shell I like to use for PHP (nothing fancy, I should probably upgrade). I just need to run this command:
And switch it over to a php5 extension instead of php. This is called a “file name bypass” and hoodwinks the file name validation the upload functionality has in place. You can read more on this here, but essentially, this is a type of blacklisting bypass. We found out that a .php file is blacklisted from being uploaded, but to bypass this, we just have to try a less common PHP extension such as php3, phpt, php5, php6, etc.
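As an added illustration (not code from this write-up or from the target box), here is the kind of extension blacklist that lets a .php5 file through, next to the allowlist plus magic-byte check that a maintainer would use instead; all file names and extension lists are constructed for the example:

```python
import os
import re

# Constructed example: a deny-list check of the kind the upload panel appears
# to use, beside an allow-list check that closes the alternate-extension gap.
BLACKLIST = {".php", ".phtml"}
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}

# First bytes of each allowed image type (constructed lookup, not exhaustive).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_blacklist_allows(filename: str) -> bool:
    """Reject only extensions on the deny list; anything else (.php5, .phtm,
    .phar ...) passes, which is exactly the gap the write-up exploits."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Accept only a known-good image extension, and only one extension:
    no second dot, no NUL bytes, no path separators in the name."""
    base = os.path.basename(filename)
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,5})", base)
    if match is None:
        return False
    return match.group(1).lower() in ALLOWLIST


def magic_matches(filename: str, data: bytes) -> bool:
    """Check that the file body starts like the image type it claims to be."""
    _, ext = os.path.splitext(filename)
    signatures = MAGIC.get(ext.lower())
    return signatures is not None and any(data.startswith(s) for s in signatures)


def validate_upload(filename: str, data: bytes) -> bool:
    """Hardened gate: allow-listed extension AND matching magic bytes.
    Serving /uploads with script execution disabled is still a separate step."""
    return allowlist_allows(filename) and magic_matches(filename, data)
```

The allowlist alone stops the .php5 rename; the magic-byte check additionally rejects a PHP body uploaded under a real image extension.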
And wouldn’t you know, it works! Let’s go verify that our reverse shell is now inside the uploads directory.
Before clicking on it, make sure to get a netcat listener running.
You might have to do some things to stabilize this shell. As I said, it is extremely minimalist. Now we just need to search for a file with SUID permissions, and find the one that sticks out. We can do this by running the following command:
One major one that sticks out that I’ve used before can be seen here:
Python is great if you have access to it. Check out GTFOBins for more information. Keep in mind that this is SUID related, and we already have access to python.
That means we just need to run the second command there.
And boom, you’re root.