22/tcp open ssh
80/tcp open http
8888/tcp filtered sun-answerbook
LFI to read nobody users ssh key
Root capabilities on /usr/bin/tac to read the root flag.
Looking at the webapp its a list reader/writer
Capturing the requests in burp allows dir listing for the root folder, you cant read files outside of this dir.
There is a file read so check the sourcecode
Start reading the sourcecode of the webapp
Can read and write to files
List all the files and copy output to a text file for review
Reviewing the code made lfi a little harder than normal
Eventually we found a payload that worked.
Now considering the ports we had open we would probably need to find some ssh keys of some sort.
Searching around we found a key for the user nobody.
The file is all messed up so copy to a text file and remove all instances of \n and replace with a new line:
And also delete all instances of \ through the file
Once Cleaned you will have the following file:
Chmod 600 the file and login as the user nobody to get the user.txt flag.
After enumerating the system it appears we are in a restricted docker container so try and use the previous key to login to the actual host with ssh
Another restricted shell, using the following command we can see a few things we can use
Rnano may allow us to create files
Bypass by issuing “bash --noprofile”
We have none of the correct paths with noprofile so execute the following
For privesc you need to understand capabilities
Run the following command to find all capabilities
getcap -r / > capabilities.txt
Then read the file
Tac will allow us to get the root flag
You can also read the root’s ssh key
Reverse the ssh key with sed
The key will not allow you to login to the root account so for now we will try and crack the root account with unshadow shadow password > keys
There is not much point as the following is set in sshd_config