


Oopsie

10.129.95.191

Questions

What is the path to the directory on the webserver that returns a login page?: -> /cdn-cgi/login

What can be modified in Firefox to get access to the upload page?: -> cookie

What is the access ID of the admin user?: -> 34322

On uploading a file, what directory does that file appear in on the server?: -> /uploads

What is the file that contains the password that is shared with the robert user?: -> db.php

What executable is run with the option "-group bugtracker" to identify all files owned by the bugtracker group?: -> find

Regardless of which user starts running the bugtracker executable, whose privileges will it run with?: -> root

What does SUID stand for?: -> Set owner User ID

What is the name of the executable being called in an insecure manner?: -> cat

Submit user flag: -> f2c74ee8db7983851ab2a96a44eb7981

Recon

It looks like a very typical web server.

nmap -sV -sC 10.129.82.228
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 12:56 CST
Nmap scan report for 10.129.82.228
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds
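To turn the scan above into something that can be diffed against an expected exposure baseline, here is an added example (not part of the original writeup) that parses nmap's normal output into structured port records and reports any open port outside an allowlist. The sample text is a constructed copy of the scan shown above; the allowlist of expected ports is an assumption for illustration.

```python
import re

# Constructed sample: a copy of the nmap -sV -sC output quoted in this writeup.
NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-11 12:56 CST
Nmap scan report for 10.129.82.228
Host is up (0.31s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
|   256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_  256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp open  ssh     OpenSSH 7.6p1 ..." -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# NSE script result header lines: "|_http-title: Welcome" or "| ssh-hostkey:"
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap 'normal' output into {'host': str, 'ports': [record, ...]}.

    Each record carries port, proto, state, service, version and a dict of
    NSE script names to their first-line value (multi-line hostkey bodies
    are ignored; only the header line is kept).
    """
    host = None
    ports = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
            }
            ports.append(current)
            continue
        # Script output lines belong to the most recent port record.
        if current is not None and line.startswith("|"):
            m = SCRIPT_LINE.match(line)
            if m:
                current["scripts"][m.group(1)] = m.group(2)
    return {"host": host, "ports": ports}


def unexpected_ports(result, allowed):
    """Return open ports that are not in the expected-exposure allowlist."""
    return sorted(
        p["port"] for p in result["ports"]
        if p["state"] == "open" and p["port"] not in allowed
    )


if __name__ == "__main__":
    scan = parse_nmap(NMAP_OUTPUT)
    for p in scan["ports"]:
        print(f'{p["port"]}/{p["proto"]} {p["service"]:<6} {p["version"]}')
    # Assumed baseline: only SSH is supposed to be reachable on this host.
    print("unexpected:", unexpected_ports(scan, {22}))
```

Feeding real scans through `parse_nmap` and comparing `unexpected_ports` against a per-host baseline is a cheap way to notice when a new service (such as the Apache instance here) appears on a host that was only meant to expose SSH.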

The information Wappalyzer shows is about the same as what nmap found, so simply throwing a CVE at it is unlikely to work unless we get lucky; better to start with a careful manual check.


This email address is valuable information, because it confirms that there is an account named admin.

admin@megacorp.com

[email protected]


Checking the JS files: they all return 404 Not Found, but the references reveal a few paths that serve as new leads.

<http://10.129.82.228/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.129.82.228 Port 80</address>
</body></html>
<http://10.129.82.228/cdn-cgi/login/script.js>
#404