Day 2 (Task 7) The Elf Strikes Back! – Advent of Cyber 2 TryHackMe

The goal of this challenge is to gain access to an uploads page and then get a reverse shell.  A reverse shell is when you execute code on a target machine and it calls back to your attacker machine.  We are given an ID value of ODIzODI5MTNiYmYw.  We will need to make a GET request to the website with our ID in order to access the login page.  Let’s visit the page to see what it looks like.

Looks like we can add the ?id= parameter to log in.

10.10.254.21/?id=ODIzODI5MTNiYmYw

That logs us in!

Wappalyzer is a browser add-on that attempts to identify the technologies behind the HTTP server hosting a website.  Wappalyzer reports that the site is running Apache 2.4.37 and PHP 7.2.24.

We can get some of this information from the HTTP response headers as well, assuming the web application’s code didn’t strip or alter them.

Right click on the web page and select Inspect Element (Q).

Click on the Network tab and then hit Reload.  If you click on the first GET request whose File column shows /?id=ODIzODI5MTNiYmYw, you can view the Server and X-Powered-By headers to gain valuable information about the target.

Now that we know the site runs PHP, we can grab PHP code for a reverse shell at https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

For this reverse shell we just need to change the IP address and port number.  Paste this code into a file called pwning.php

nano pwning.php

Change the IP address to your tun0 address, or whatever your TryHackMe VPN address is, and change the port to 1337.  Any port will do, just be sure to use the same port in the netcat command below.

Save that file and then start a netcat listener.  Netcat can listen for incoming connections or create connections to other hosts.  In this case we will use it to listen for the incoming connection from our target.

nc -nlvp 1337

Now let’s click on the upload portion of the website by clicking the Select button.

In the window that pops up, click on the button that says All Supported Types.  Looks like we can upload jpeg, jpg, and png files.

We will need to rename our file to a supported type.  We can trick the application into accepting our file by naming it with an accepted file extension first and then appending the php extension.  The server will still know to execute the PHP reverse shell.

cp pwning.php pwning.jpg.php

Now upload pwning.jpg.php.  You will need to select all files at the bottom right of the upload window.

When you visit http://10.10.175.169/uploads you can see that your shell has been uploaded.

Now we can open that file by visiting http://10.10.175.169/uploads/pwning.jpg.php and get a callback on our netcat listener.

We don’t get a fully interactive shell, but it will work.  We just need to grab the flag.

cat /var/www/flag.txt