80/tcp open http SuperWAF
WAF Bypass on vulnerable parameter to gain code execution
The user can run base64-encoded commands via /home/themiddle/.monit
Burp Request & Response:
Gives a clue as follows:
Fuzz the application for a parameter to identify the next stage of the exploit.
After a while you will find:
Send that request to the repeater to explore further
We now have command execution:
The WAF is pretty tight on what we can do, so make sure you use the typical evasion techniques to read files, etc.
Converting our IP address to decimal allows us to request files from our server.
At the moment we are restricted to the user nobody, so list the whole contents of the drive for easy viewing offline.
Using curl, we find that as the user nobody we can execute the following command:
Open the command in Burp, encode the command cat /root/root.txt in base64, and send it through the Repeater to get the root flag.
Send the request:
Now, to get a shell on the system, encode the following payload:
Send it through the Repeater with a listener on port 443.
You will have a root shell.
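Both evasions this walkthrough relies on, an integer-form IP in a fetched URL and base64-encoded commands in a parameter, only work because a signature-matching WAF inspects the raw value. The following is an added example, not code from the original walkthrough: a small Python request inspector that canonicalises the host and decodes base64 parameters before matching. The parameter names url and cmd, the command list and the sample request lines are constructed for the example.

```python
import base64
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Command names a decoded parameter value should never start with (constructed, defender-side list).
SHELL_COMMANDS = {"cat", "curl", "wget", "nc", "bash", "sh", "python"}

def canonical_host(host):
    """Return the dotted-quad form of a host written as a decimal or hex integer
    (e.g. '3232235777' -> '192.168.1.1'); any other host is returned unchanged."""
    try:
        return str(ipaddress.IPv4Address(int(host, 0)))
    except ValueError:  # not an integer, or out of IPv4 range
        return host

def decode_param(value):
    """Decode a parameter value that is valid base64 and yields printable text;
    return the value unchanged otherwise so ordinary input is not mangled."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return value
    return text if all(c.isprintable() or c in "\n\t" for c in text) else value

def inspect_request(request_line):
    """Inspect one 'METHOD target HTTP/x' request line and return a list of findings."""
    _method, target, _version = request_line.split(" ", 2)
    findings = []
    for name, values in parse_qs(urlsplit(target).query).items():
        for value in values:
            decoded = decode_param(value)
            # Rule 1: a URL whose host is written as an integer is normalised before
            # any allow/deny list is consulted, so the decimal form is not a bypass.
            for host in re.findall(r"https?://([^/\s:?#]+)", decoded):
                canon = canonical_host(host)
                if canon != host:
                    findings.append(f"{name}: integer-form host {host} -> {canon}")
            # Rule 2: a base64 value that decodes to a shell command is flagged on
            # its decoded form, not on the opaque encoded string the WAF would see.
            words = decoded.split()
            if decoded != value and words and words[0].rsplit("/", 1)[-1] in SHELL_COMMANDS:
                findings.append(f"{name}: base64-encoded command '{decoded}'")
    return findings

# Constructed sample requests (hypothetical parameter names url and cmd).
SAMPLE_REQUESTS = [
    "GET /?url=http://3232235777/ HTTP/1.1",
    "GET /?cmd=Y2F0IC9yb290L3Jvb3QudHh0 HTTP/1.1",
    "GET /?q=hello HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", inspect_request(line) or "clean")
```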