Hack The Box - Broscience [Medium]

Short Overview

The video covers my enumeration process and the full compromise of the machine; please use it as a walkthrough.

This box consists of several vulnerabilities:

  • Local File Inclusion / Path Traversal - The path= query parameter in img.php is vulnerable to path traversal; with it we can download the site map that I discovered using Burp.
  • Deserialization / PHP Object Injection - I found this in utils.php and prepared a payload for the AvatarInterface class, since it is the class that uses magic methods and it calls file_get_contents, which we use to pull the PHP reverse shell.
  • Linux Privilege Escalation - By pure luck I noticed renew_cert.sh in the /opt/ folder and immediately suspected it was the vector to leverage for privilege escalation. A much better way to find it would have been the pspy tool, which would have shown this command being run as root: timeout 10 /bin/bash -c /opt/renew_cert.sh /home/bill/Certs/broscience.crt. I also looked up some hints, thanks to gatogamer1155 and his writeup for this machine.
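As an added example (not code from the box or from this writeup), here is how the two web-side bugs above are normally closed in PHP: a containment check for the path= parameter of an img.php-style handler, and unserialize() restricted so that no class is ever instantiated from user data, which removes the magic-method trigger. The image directory, the cookie handling and the function names are assumptions.

```php
<?php
// Added illustrative example, not the BroScience source. Paths and names are assumed.

// --- img.php-style handler: serve an image by name without path traversal ---
const IMG_DIR = '/var/www/html/images'; // assumed location of the image files

function safeImagePath(string $requested): ?string
{
    // Reject empty names, anything carrying a directory component, and null bytes.
    if ($requested === '' || $requested !== basename($requested) || str_contains($requested, "\0")) {
        return null;
    }
    $base = realpath(IMG_DIR);
    $full = realpath(IMG_DIR . '/' . $requested);
    // realpath() resolves ../ and symlinks; the result must still sit inside IMG_DIR.
    if ($base === false || $full === false || !str_starts_with($full, $base . '/')) {
        return null;
    }
    return $full;
}

// --- utils.php-style cookie handling: never let unserialize() build objects ---
function loadUserPrefs(string $cookie): array
{
    $data = base64_decode($cookie, true);
    if ($data === false) {
        return [];
    }
    // allowed_classes => false turns every object in the payload into
    // __PHP_Incomplete_Class, so __wakeup, __destruct and __toString never run.
    $prefs = @unserialize($data, ['allowed_classes' => false]);
    return is_array($prefs) ? $prefs : [];
}

// Usage: the request handler only ever reads a path that passed the check.
$path = safeImagePath($_GET['path'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('bad request');
}
header('Content-Type: ' . (mime_content_type($path) ?: 'application/octet-stream'));
readfile($path);
```

Storing the preferences as JSON instead of a serialized PHP value removes the deserialization sink entirely and is the preferred fix where the format can be changed.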