Pre-Foothold

All port

Description of image

Deep_Scan

Description of image

Tried to visit the page and didn’t get a response via browser. So I curled the page and included the header and found a host name.

Description of image

Edited my /etc/hosts file and got the proper redirect!

Description of image

I use wappalyzer to get some info on the technologies involved with this web page

Description of image

There is a registration page and after inputing a username and a password I have access to a dashboard.

Description of image

An online image shrinker, well I’ve attacked things like this before. What I am going to do is craft a php shell and save it in a file. I need to determine what the parameters of the upload functionality are like what files are accepted etc.

I upload an arbitrary image just to see the response. Initially I tried just a text file that had the extension .png but it failed. When I try the image file I see this response.

Description of image

That means I am getting a unique URL which in turn means I can possibly call on that URL to get the server to do things it shouldn’t be doing. Now based on the previous issue with the .png file I turn to exiftool to look at the metadata of both the image and the file I am trying to pass and realize there are (obviously) differences there. The next step is to catch the post request before it gets to the server, modify the data so the server accepts it, then allow it to pass through and hopefully get a url to call a shell from.

Description of image

I capture the request then send it to the repeater so I can modify things as I go.

Modified image data (Shell) using hex editor and tried upload again

Description of image

Modifying the exif data seems to have worked :)

Description of image

I set up a listener, go to the dashboard and click the link and…

Description of image

Nothing…

So I admittedly jumped the gun here without fully enumerating. Some times I take the idea of the box being labeled easy to seriously and think the path to exploit must be relatively simple.

I run a gobuster scan to look for other directories and get nothing with the first few wordlists. I then decide to scan for files and I find something interesting!

Description of image

Oooo there’s a git directory! I do some poking around and find out about a tool caleld git-dumper, so I run pip install git-dumper according to the git repo’s installation directions and then run the tool to dump this directory out.

Description of image

Ok nice! Let’s jump into the directory to see what we can dig up.

Description of image

I check the login.php and find that the server is running sqlite. What sticks out to me is the file called “magick”

Description of image

Description of image

Description of image

Description of image

Description of image

Description of image