# Fluxcapacitor

## Fluxcapacitor - 10.10.10.69

### Target Enumeration:

OS: Linux

IP: 10.10.10.69

User: b8b6d46c893d0cd00c0f0380036117bc

Root: bdc89b40eda244649072189a8438b30e

### Ports / Services / Software Versions Running

80/tcp open  http SuperWAF

### Vulnerability Exploited:

WAF Bypass on vulnerable parameter to gain code execution

### Privilege Escalation:

The user can run base64-encoded commands via /home/themiddle/.monit

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/acD286i_Q_LJbNIwnF3C1VQwz8uwvUM8XoqHpIM1cdxCJzPT34rjOykmE4c7nQIUhx4pyKLatSL__v1Nlnr_nTuSXbTIONGwPe6ZQcIhhzIJa7QutAY3bBydq3WakTA13eiVuJ6J" alt=""></div>

Software Enumeration:

<div align="left"><img src="https://lh3.googleusercontent.com/ICcu8SAA9kFZE1G_gqy3qfaQL6btqv_A-8a-wamHQXX-yHzXNVRag8RQlciSLcpKYm5BrPhTvB4eicWhyLlvcCgN70HFtP-3nvg6q_T3cckzLYumM-7Y4b76br11lXFowdffCkWg" alt=""></div>

Burp Request & Response:

![](https://lh3.googleusercontent.com/adgXOqu9VBN9elWNWfwihXDrB9ZviBwrNjoy5Mu8axIg6SVFMSw1GslGHFyQ9B2LT7kJeSdjnjU9anpk2YYjvHPCVQ_WGs3k04vSuDJnf_9caaLNyuUjHL0XXdbLFPA3LH6z7ed8)

Gives a clue as follows:

Fuzz the application for a parameter to identify the next stage of the exploit.

<div align="left"><img src="https://lh3.googleusercontent.com/KZmWP-Y9qY7H36Y3lhOhQvMmlUV3ddPP80rknooYi_ojd56TVolojzWTvJFLp1lW0FgfDnpj930yCsoZV-JNWws-vIEvRvVooK5HNeyivL-pJbBGEsyumMbz9CghQNcYfGOkuUPr" alt=""></div>

After a while you will find:

<div align="left"><img src="https://lh4.googleusercontent.com/tNh_bjwxFKTv8ajvjPeCHRKF8qRJ_zPzQV5FRcKeyOMuMKC2e208jZf_i8SYTYWfcYxrytMhY14ZB5GRocl17vfgPoQPVx7mFisZhlNpl0ZGuZ6yq1PxSyOgMSncPwQRgUVn2wM0" alt=""></div>

Send that request to Burp Repeater to explore further.

![](https://lh3.googleusercontent.com/A21dwtWwP6g4Cig_751xps-VyUa4m7DqTyVBH5HadnyKZAtwnf5pAN5dhSwQkruIPFjAkpzMrh2SXCK9PNIh8kAKxgMmTzPJk0WWFiKfFL4OBH8KMyt6hCHiMZUIWKtTd0uouA8G)

We now have command execution:

The WAF is pretty tight on what we can do, so use typical evasion techniques to read files, etc.

![](https://lh6.googleusercontent.com/Tx-RaQBuXAC-heFb7G4mP1r0E-4GYt5s6jVCIUR24QvtuGSv1Fq7yPhJyn6Gk68CR7AVCLiBYN3z-NpziZ_-DEkF77m1pu12M6wyFzf0a1Rg4sgWnLuj-WymlxfX2ym792A1JcAw)

/etc/passwd

<div align="left"><img src="https://lh4.googleusercontent.com/DOnmPTpIM84PAQepmk1mFSjW_ev1a_Ubm7RejwfKRn-GFxH6CQA_TamfHSTxvZfS9VjljWvj-IGfP8X7fBWkBiQxJf7TxDtFwcLw4YDnqZtcCkqNlnDJrvkF8W2H0pXTr0x7Zblb" alt=""></div>

Converting our IP address to decimal allows us to request files from our server.

<div align="left"><img src="https://lh3.googleusercontent.com/BaCRLgWBg16xWIf0jzkfyDtAb9tOR-J2rRC4b-QAvQoprin7VBr0OMcPlqYvZyoCNxkc71ny4SOjj411iD3tVMc3aoa536HQhYF_7AESblBCYhwD7eJwXP95AsyZc6pRSjHPF-4_" alt=""></div>
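The decimal form gets through because many URL and socket parsers accept any numeric spelling of an IPv4 address, so a filter that only matches dotted quads misses it. The following added example (not part of the original write-up) shows how a WAF rule or log review can normalise those spellings before matching; the function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote

NUM = r"(?:0[xX][0-9a-fA-F]+|\d+)"
# Optional "://" prefix, then 1-4 dot-separated numeric parts not glued to other text.
HOST_RE = re.compile(rf"(://)?(?<![\w.])({NUM}(?:\.{NUM}){{0,3}})(?![\w.])")

def _part(tok):
    """One component, read as inet_aton-style parsers do: 0x hex, leading-0 octal, else decimal."""
    if not re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", tok):
        return None
    if tok[:2].lower() == "0x":
        return int(tok, 16)
    if len(tok) > 1 and tok[0] == "0":
        return int(tok, 8) if re.fullmatch(r"[0-7]+", tok) else None
    return int(tok)

def canonical_ipv4(host):
    """Return the dotted quad for any numeric IPv4 spelling, or None if host is not one."""
    nums = [_part(p) for p in host.split(".")]
    if not 1 <= len(nums) <= 4 or any(n is None for n in nums):
        return None
    *head, last = nums
    # Leading parts are one byte each; the final part fills all remaining bytes.
    if any(n > 0xFF for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))

def find_encoded_hosts(value):
    """List (token, dotted_quad) for non-dotted-quad IPv4 spellings in a parameter value."""
    hits = []
    for m in HOST_RE.finditer(unquote(value)):
        token, addr = m.group(2), canonical_ipv4(m.group(2))
        # Skip non-addresses, plain dotted quads, and small integers (0.x.x.x) such as ports.
        if addr is None or token == addr or addr.startswith("0."):
            continue
        parts = token.split(".")
        odd_radix = any(re.match(r"0[xX]|0\d", p) for p in parts)
        if m.group(1) or odd_radix or len(parts) == 1:
            hits.append((token, addr))
    return hits

# Constructed sample parameter values (192.0.2.10 is a documentation address).
SAMPLES = ["fetch http://3221225994/index.html", "x 0xC000020A",
           "http%3A%2F%2F192.0.522%2F", "ping 192.0.2.10", "port=443&v=1.5"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", find_encoded_hosts(s))
```

Short dotted forms such as `1.5` are only flagged when they follow `://`, which keeps version numbers and ports out of the results at the cost of missing scheme-less short forms.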

At the moment we are restricted to the user nobody, so list the whole contents of the drive for easy viewing offline.

![](https://lh5.googleusercontent.com/_CdxbpmVsuTYJfa4R1ldXlG-UyZtfcIjJrSYuEX5w-O6CEESckgVIsLeovGvPyzAbjN6E_Esd-RZAHlCTUf55J1LFhriPLGikR6YyhsmIHI8bDPoxiAeg8lqGyQhOWSahLxgWzKS)

Using curl, we find that as the user nobody we can execute the following command:

![](https://lh4.googleusercontent.com/7g1Jc0x6PNq4Wjgbko9OaEsKOQtRPIaDXDTWX3qYAFa_HQU-2QDvvMiPerrrt9Gfi3ur75MT4Ugddvj8QSGsRXmkUe5WkB8QAU8gqEa3MMmw6JML4-ics7j9vXCU1PmIdGsexpC1)

Open the command in Burp, encode the command `cat /root/root.txt` in base64, and send it through Repeater to get the root flag.

<div align="left"><img src="https://lh5.googleusercontent.com/WhxetOkmESg75khtbaA_6uML74n6EQY0DbxRjECVVh5oX-sFJDtsk8MRtnx1mFTEmE_zxZBejDPShAFmGukn7NK2yyPcbb3bqinUndSDyTQsOWdmoWc49qqHv40sryS3mH6XN3ol" alt=""></div>

Send the request:

![](https://lh5.googleusercontent.com/tTi9U2nbilSrld_rlezGTW7cJsOuZqlqJYWWvP5ZjrYAKnxmX1O8RCiRbL2C9ewoemOuDRgZ_lBmzoq51XS8OQXxy1-aPRVEk2ChPCqtrqxbZTCxMQc3IOW7hZgKgDznIk9ALm9H)

Now, to get a shell on the system, encode the following payload:

<div align="left"><img src="https://lh6.googleusercontent.com/XqWWyMnjcDMyiPOJH9dsMIQ3RUa0A8CUIYI8oxG0uQIM__iqhCudYwMfPhuQWlS1hIsP8eFiM0wZ7qydzWtw4UJhVykwee9b-EDmPfc12MwHlJvZ6MplDWNwMIvVazvtPf5ebQ3G" alt=""></div>

Send it through Repeater with a listener on port 443.

<div align="left"><img src="https://lh4.googleusercontent.com/oM5RMt011TrYeK75pgVGbLimyKkemwf-7Zhw9viKcI-3buCxs7v4M5Yi-3TEJOig8mdPtjTxaXmSGySmrgvUqxzOT2ZN_GGJvsobaqU7VwB8Ejb2Z880-Ks_vrPVyvGNB5mXf_2O" alt=""></div>

You will have a root shell.

<div align="left"><img src="https://lh3.googleusercontent.com/8WKnx_nrOVC91GqG_OZiUtNLkuMky5c2nYdDf1DTbJ-2BlWdQyJVXAanQM5iO_ENnMNvpuCjAHznhQTaN7VGl_Sg-CQcoFEOU5yPi0wXiuRXoUvUAYRiGsZF7RGfD-mt0EnF6M-P" alt=""></div>


