harder - THM

After an initial scan, three ports seem open. As we have nothing to try on these SSH ports, let's look at the web server.

Every request seems to be a 404, but look at the request: it issues a cookie for a specific domain. This probably means virtual hosting is in place, so add the domain to your /etc/hosts'list and browse to the page. Both a directory scan and the hint hidden behind the login form (super default credentials, you can do it without brute forcing it) suggest the presence of a git repository.

Download it using GitTools (the dumper) and analyze the commits. Analyzing previous files you can notice that hmac.php is in charge of showing you the 404 page. You can circumvent these checks: first, to overcome the fact that you don't know the value of n, you can submit an array to exploit PHP's type juggling. Knowing the value you set to the host parameter you can then compute the hash to pass the last check, this way obtaining a new virtual host and some credentials. To make it clear, you should submit a URL like: 

http://<virtualhost>/index.php?host=a_string_you_choose&n[]=1&h=the_hash_of_the_chosen_string

On the new host, log in with the given credentials. It seems another check is in place, this time blocking you because of your IP. Use the X-Forwarded-For header (add it to the request) to overcome the check and get a web shell.

Because of this IP situation, you cannot get a reverse shell straight as usual, enumerate a bit on the machine. Cronjobs is a good place to look at (/etc/periodic/15min, I will tell you this as it is a real pain to enumerate with this shell), there is a file containing ssh credentials, this way we can finally get a shell (a proper one) on the machine.

After the user flag, look around, this is not your usual box. You need to enumerate a bit more manually than usual, you can find a suid file. This runs a different bash script on the box that only accepts encrypted files and executes them. In order to exploit this we need to find the encryption key first, you can find it by looking for the name of the recipient in the file system.

The final steps are:

1. Import the gpg key (gpg --import <key path>)
2. Create a file containing the commands you want to run (like reading the root flag)
3. Encrypt the file with the key (gpg --recipient root@harder.local --encrypt <your file>)
4. Run the suid file and pass it the encrypted file
5. Enjoy your flags and Merry Hacking!