We were asked for a subdomain, and the email address on the page gives it away: mafialive.thm. Let's add it to the hosts file and browse to mafialive.thm.
We find the first flag on the mafialive.thm page.
Look for a page under development?
At this stage, we can find the page we need to visit via robots.txt or gobuster.
[Screenshots: robots.txt, gobuster output, and test.php. The test.php page has a button.]
When we press the button, the browser is sent to this URL:
This URL hints at a Local File Inclusion vulnerability. After trying to read sensitive files such as /etc/passwd and the Apache access.log by passing their paths in the view parameter, we find that a filter in the PHP code stops us from reading them. The actual contents of the PHP file itself can still be viewed by having it converted to base64 first, as PHP has a built-in filter that converts a file to base64 before it is included.
Decoding the PHP file, we can see that the code checks two conditions.
Condition 1:
if(!containsStr($_GET['view'], '../..'))
Condition 1 restricts path traversal by rejecting any value that contains the literal string '../..'.
Condition 2:
if(!containsStr($_GET['view'], '/var/www/html/development_testing'))
Condition 2 requires the value to contain the directory /var/www/html/development_testing, so anything we do is meant to be restricted to that single location.
We can bypass the path traversal protection by using “.././../” instead of “../../” to move back up the directory tree, because condition 1 only looks for the literal string “../..”. Reading the access.log file in /var/log/apache2/ shows that the User-Agent header is being logged, so we can get RCE through a log poisoning attack.
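The two conditions above, and why “.././../” slips past them, as an added example in Python that is not the room's own code: the substring checks mirror the PHP in test.php, the canonicalising check is the fix a defender would apply instead, and the file names and sample inputs are constructed.

```python
import posixpath

# Directory the PHP code intends to confine includes to (taken from the page).
ALLOWED_BASE = "/var/www/html/development_testing"


def contains_str(haystack: str, needle: str) -> bool:
    """Python stand-in for the containsStr() helper used by test.php."""
    return needle in haystack


def substring_check(view: str) -> bool:
    """The page's two conditions as written: reject the literal '../..' and
    require the allowed directory to appear somewhere in the value."""
    if contains_str(view, "../.."):
        return False  # condition 1
    if not contains_str(view, ALLOWED_BASE):
        return False  # condition 2
    return True


def canonical_check(view: str) -> bool:
    """Hardened check: accept only absolute paths, collapse every '.' and '..'
    segment, then require the result to live inside ALLOWED_BASE.
    (In PHP, realpath() does this against the filesystem and also resolves
    symlinks.) Stream wrappers such as php://filter fail the leading-slash test."""
    if not view.startswith("/"):
        return False
    resolved = posixpath.normpath(view)
    return resolved == ALLOWED_BASE or resolved.startswith(ALLOWED_BASE + "/")


# Constructed inputs: a legitimate include, a traversal that avoids the literal
# '../..' by interleaving './', and a php://filter wrapper around an allowed file.
SAMPLES = {
    "legit": ALLOWED_BASE + "/notes.php",
    "traversal": ALLOWED_BASE + "/.././.././.././../etc/passwd",
    "wrapper": "php://filter/convert.base64-encode/resource=" + ALLOWED_BASE + "/notes.php",
}


def compare(view: str) -> dict:
    """Return both verdicts plus the path the value actually resolves to."""
    return {
        "substring": substring_check(view),
        "canonical": canonical_check(view),
        "resolved": posixpath.normpath(view) if view.startswith("/") else None,
    }


if __name__ == "__main__":
    for name, view in SAMPLES.items():
        print(name, compare(view))
```

The traversal sample passes both substring conditions yet resolves to /etc/passwd, which is exactly what the canonical check catches; a stricter fix is an allow-list of file names rather than any path check.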
Start a netcat listener on your local machine and wait a few minutes.
Now we are archangel.
There is a SUID file in the /secret directory ready for our use, so we no longer need to search.
Let's pull the backup file over to our machine with wget and examine it.
[Screenshot: the backup binary decompiled in Ghidra.]
The binary executes commands to copy files from one directory to another, and it runs as root. This means that if we can replace the system cp binary with our own, we get root access.
Let's create our own binary named cp and put our directory at the front of $PATH.