..
Hack The Box - Broscience [Medium]
Short Overview
The video consist of my process of enumeration and overall hacking the machine, please use this as a walkthrough.
This box consist of several vulnerabilities:
- Local File Inclusion/Path traversal - The query string
path=in theimg.phpfile is vulnerable to that, with that we can download the site map that I’ve discovered using Burp - Deserialization / PHP Object Injection - I saw that in the
utils.phpfile, and I’ve prepared a payload for theAvatarInterfacesince this is the class that is using magic methods, and it has thefile_get_contentsfunction that we are going to use to pull the PHP reverse shell. - Linux Privilege Escalation - By pure luck, I noticed the
renew_cert.shin the/opt/folder, and I immediately noted that this must be the vector that needs to be leveraged to gain privilege escalation. A much better way to figure out this can be the pspy tool, which could have shown me this command that is being run as root:timeout 10 /bin/bash -c /opt/renew_cert.sh /home/bill/Certs/broscience.crtand I did look up for some hints, thanks to gatogamer1155and his writeup for this machine.