# Fluxcapacitor

## Fluxcapacitor - 10.10.10.69

### Target Enumeration:

OS: Linux

IP: 10.10.10.69

User: b8b6d46c893d0cd00c0f0380036117bc

Root: bdc89b40eda244649072189a8438b30e

### Ports / Services / Software Versions Running

80/tcp open  http SuperWAF

### Vulnerability Exploited:

WAF bypass on a vulnerable parameter to gain code execution

### Privilege Escalation:

The user can run base64-encoded commands via /home/themiddle/.monit

### Exploiting the host:

Nmap:

<div align="left"><img src="https://lh4.googleusercontent.com/acD286i_Q_LJbNIwnF3C1VQwz8uwvUM8XoqHpIM1cdxCJzPT34rjOykmE4c7nQIUhx4pyKLatSL__v1Nlnr_nTuSXbTIONGwPe6ZQcIhhzIJa7QutAY3bBydq3WakTA13eiVuJ6J" alt=""></div>

Software Enumeration:

<div align="left"><img src="https://lh3.googleusercontent.com/ICcu8SAA9kFZE1G_gqy3qfaQL6btqv_A-8a-wamHQXX-yHzXNVRag8RQlciSLcpKYm5BrPhTvB4eicWhyLlvcCgN70HFtP-3nvg6q_T3cckzLYumM-7Y4b76br11lXFowdffCkWg" alt=""></div>

Burp Request & Response:

![](https://lh3.googleusercontent.com/adgXOqu9VBN9elWNWfwihXDrB9ZviBwrNjoy5Mu8axIg6SVFMSw1GslGHFyQ9B2LT7kJeSdjnjU9anpk2YYjvHPCVQ_WGs3k04vSuDJnf_9caaLNyuUjHL0XXdbLFPA3LH6z7ed8)

The response gives a clue: fuzz the application for a parameter to identify the next stage of the exploit.

<div align="left"><img src="https://lh3.googleusercontent.com/KZmWP-Y9qY7H36Y3lhOhQvMmlUV3ddPP80rknooYi_ojd56TVolojzWTvJFLp1lW0FgfDnpj930yCsoZV-JNWws-vIEvRvVooK5HNeyivL-pJbBGEsyumMbz9CghQNcYfGOkuUPr" alt=""></div>

After a while you will find the parameter:

<div align="left"><img src="https://lh4.googleusercontent.com/tNh_bjwxFKTv8ajvjPeCHRKF8qRJ_zPzQV5FRcKeyOMuMKC2e208jZf_i8SYTYWfcYxrytMhY14ZB5GRocl17vfgPoQPVx7mFisZhlNpl0ZGuZ6yq1PxSyOgMSncPwQRgUVn2wM0" alt=""></div>

Send that request to Repeater to explore further:

![](https://lh3.googleusercontent.com/A21dwtWwP6g4Cig_751xps-VyUa4m7DqTyVBH5HadnyKZAtwnf5pAN5dhSwQkruIPFjAkpzMrh2SXCK9PNIh8kAKxgMmTzPJk0WWFiKfFL4OBH8KMyt6hCHiMZUIWKtTd0uouA8G)

We now have command execution. The WAF is tight about what it lets through, so use the usual evasion techniques to read files and so on:

![](https://lh6.googleusercontent.com/Tx-RaQBuXAC-heFb7G4mP1r0E-4GYt5s6jVCIUR24QvtuGSv1Fq7yPhJyn6Gk68CR7AVCLiBYN3z-NpziZ_-DEkF77m1pu12M6wyFzf0a1Rg4sgWnLuj-WymlxfX2ym792A1JcAw)

Reading /etc/passwd:

<div align="left"><img src="https://lh4.googleusercontent.com/DOnmPTpIM84PAQepmk1mFSjW_ev1a_Ubm7RejwfKRn-GFxH6CQA_TamfHSTxvZfS9VjljWvj-IGfP8X7fBWkBiQxJf7TxDtFwcLw4YDnqZtcCkqNlnDJrvkF8W2H0pXTr0x7Zblb" alt=""></div>

Converting our IP address to its decimal form allows us to request files from our server:

<div align="left"><img src="https://lh3.googleusercontent.com/BaCRLgWBg16xWIf0jzkfyDtAb9tOR-J2rRC4b-QAvQoprin7VBr0OMcPlqYvZyoCNxkc71ny4SOjj411iD3tVMc3aoa536HQhYF_7AESblBCYhwD7eJwXP95AsyZc6pRSjHPF-4_" alt=""></div>
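The decimal trick above works because inet_aton-style address parsers accept several spellings of the same IPv4 address (pure decimal, hex, octal, short dotted forms). As an added defensive example that is not part of the original writeup, the Python below canonicalises those spellings so a WAF rule or log search written for dotted quads still matches; the request lines and the `/fetch?url=` path are constructed samples, not traffic captured from the box.

```python
import re
from ipaddress import IPv4Address

# inet_aton accepts 1-4 dot-separated parts, each decimal, 0x-hex or 0-octal.
_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]*")
_DEC = re.compile(r"[1-9][0-9]*")
_URL_HOST = re.compile(r"https?://([0-9A-Za-z.]+)")

def parse_ipv4_literal(host):
    """Dotted quad for any inet_aton-style IPv4 spelling, else None (hostnames)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        for pattern, base in ((_HEX, 16), (_OCT, 8), (_DEC, 10)):
            if pattern.fullmatch(part):
                values.append(int(part, base))
                break
        else:
            return None
    *lead, last = values
    # Leading parts are one byte each; the last fills the remaining bytes, so
    # "10.1" is 10.0.0.1 and "167772161" is the whole 32-bit address.
    if any(v > 255 for v in lead):
        return None
    tail_bits = 8 * (4 - len(lead))
    if last >= 1 << tail_bits:
        return None
    head = int.from_bytes(bytes(lead), "big")
    return str(IPv4Address((head << tail_bits) | last))

def find_obfuscated_ip_hosts(text):
    """(raw, canonical) pairs for URL hosts that are IPv4 literals not in dotted-quad form."""
    hits = []
    for raw in _URL_HOST.findall(text):
        canonical = parse_ipv4_literal(raw)
        if canonical is not None and canonical != raw:
            hits.append((raw, canonical))
    return hits

# Constructed sample request lines (not captured from the box); the second and
# third spell 10.10.14.5 as a decimal integer and as hex.
SAMPLE_LOG = """\
GET /fetch?url=http://10.10.14.5/a HTTP/1.1
GET /fetch?url=http://168431109/a HTTP/1.1
GET /fetch?url=http://0x0a0a0e05/a HTTP/1.1
GET /fetch?url=http://example.com/a HTTP/1.1
"""
```

Running `find_obfuscated_ip_hosts(SAMPLE_LOG)` flags the decimal and hex lines and maps both back to 10.10.14.5, which is the form a dotted-quad blocklist or alert would have been written for.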

At the moment we are restricted to the user nobody, so list the whole contents of the drive for easy viewing offline:

![](https://lh5.googleusercontent.com/_CdxbpmVsuTYJfa4R1ldXlG-UyZtfcIjJrSYuEX5w-O6CEESckgVIsLeovGvPyzAbjN6E_Esd-RZAHlCTUf55J1LFhriPLGikR6YyhsmIHI8bDPoxiAeg8lqGyQhOWSahLxgWzKS)

Using curl, we find that as the user nobody we can execute the following command:

![](https://lh4.googleusercontent.com/7g1Jc0x6PNq4Wjgbko9OaEsKOQtRPIaDXDTWX3qYAFa_HQU-2QDvvMiPerrrt9Gfi3ur75MT4Ugddvj8QSGsRXmkUe5WkB8QAU8gqEa3MMmw6JML4-ics7j9vXCU1PmIdGsexpC1)

Open the request in Burp, base64-encode the command `cat /root/root.txt` and send it through Repeater to get the root flag.

<div align="left"><img src="https://lh5.googleusercontent.com/WhxetOkmESg75khtbaA_6uML74n6EQY0DbxRjECVVh5oX-sFJDtsk8MRtnx1mFTEmE_zxZBejDPShAFmGukn7NK2yyPcbb3bqinUndSDyTQsOWdmoWc49qqHv40sryS3mH6XN3ol" alt=""></div>

Send the request:

![](https://lh5.googleusercontent.com/tTi9U2nbilSrld_rlezGTW7cJsOuZqlqJYWWvP5ZjrYAKnxmX1O8RCiRbL2C9ewoemOuDRgZ_lBmzoq51XS8OQXxy1-aPRVEk2ChPCqtrqxbZTCxMQc3IOW7hZgKgDznIk9ALm9H)

Now, to get a shell on the system, encode the following payload:

<div align="left"><img src="https://lh6.googleusercontent.com/XqWWyMnjcDMyiPOJH9dsMIQ3RUa0A8CUIYI8oxG0uQIM__iqhCudYwMfPhuQWlS1hIsP8eFiM0wZ7qydzWtw4UJhVykwee9b-EDmPfc12MwHlJvZ6MplDWNwMIvVazvtPf5ebQ3G" alt=""></div>

Send it through Repeater with a listener on port 443:

<div align="left"><img src="https://lh4.googleusercontent.com/oM5RMt011TrYeK75pgVGbLimyKkemwf-7Zhw9viKcI-3buCxs7v4M5Yi-3TEJOig8mdPtjTxaXmSGySmrgvUqxzOT2ZN_GGJvsobaqU7VwB8Ejb2Z880-Ks_vrPVyvGNB5mXf_2O" alt=""></div>

You will have a root shell:

<div align="left"><img src="https://lh3.googleusercontent.com/8WKnx_nrOVC91GqG_OZiUtNLkuMky5c2nYdDf1DTbJ-2BlWdQyJVXAanQM5iO_ENnMNvpuCjAHznhQTaN7VGl_Sg-CQcoFEOU5yPi0wXiuRXoUvUAYRiGsZF7RGfD-mt0EnF6M-P" alt=""></div>
