BossPlayersCTF
Port 80 shows the following page.
Viewing the source code of this page reveals text at the end.
We can take this string and run it through base64. We need to perform this three times to reveal a plain text string.
Browsing to workingprogress.php:
Looking at the comment regarding ping we can take a guess for command injection on the current page. Appending ?cmd=(command) generates results.
To create a reverse shell run the following command in a terminal:
Then take the base64 output and run it as a command in the web browser.
This will create a reverse shell connection on our netcat
listener.
I then transferred linpeas
over from my attacking machine. Shortly after running linpeas finds that the binary ‘find’ has the SUID bit set.
Checking this against GTFOBins shows we can use this to gain a root shell.
Run the following command to spawn a root shell: