Back again with the first OSCP look alike box writeup of this year . This box requires a little bit of attention to detail and out of the box thinking not to mention once you figure it out, you would be surprised to see how easy it was ! Let’s get started with this :-
Link to the machine :- https://www.vulnhub.com/entry/double-1,632/
Full nmap port scan:-
Nmap identified some interesting ports open. As usual , we try to go for the web server. We are welcomed with this:-
Although the name sounds custom(i.e. in house application), I tried to search any exploits available in that name just to cover all bases. As expected the software doesn’t exist, which means we will have to explore it ourselves.
Let’s take a look at port 8080 meanwhile:-
Tried some default creds , did not work , left it and proceeded to the custom software found earlier.
There were two links in the page i.e. production and test. Test redirected me to the port 8080 server. Production redirected me to this page:-
At this point , I tried putting a proper os command (id) and a random code (1234) just to see where it takes me. It redirected me here:-
At this point, the avaerage ctfer can figure out what might be the next path. Yes! its the out parameter. I tried a basic lfi payload with the parameter and it worked!
Here I tried a lot of things based on the information. Since ssh and smtp was open, I tried to read the log files to perform log poisoning but could not read the files. I tried reading the ssh id_rsa files of the users (ppp and fox) but could not . It looked like a rabbit hole to me and for a moment I was beaten.
Then another thought stuck me: I can read source codes by using a base64 filter. Since I was not getting any ideas , I decided to read the php source code of sendcommand.php (the page which renders the output if the inputs of production):-
Decoding the base64 output:-
From the above code, I could understand that the cmd input taken by production was actually passed through php instead of directly rendered by html!
Proof that I got RCE :-
As you can see I got the result of id. Time to get a shell :-
Reverse shell connection and output of id and whoami:-
Now onto root, I checked the suid binaries available:-
The nice binary has a known privesc technique(check gtfobins) . Exploited it and got a root:-
That’s all for now. Hope you guys liked it. Have a nice day!