Windy's little blog

All the odds and ends of daily life, and I like CTF.

HackMyVm Gigachad Walkthrough

Happy Chinese New Year for all CTFers!

The machine can be downloaded here.

Scan the ports with Nmap.

Log in to FTP as anonymous and get a file.

Check the file type: it's a zip. Unzip it to get a username, "chad", and a PNG file.

Check the image: a beautiful building.

For now, let's check port 80. If we scan it directly, we get a lot of 301 responses.

Bypass the 301 responses and scan again.

Check robots.txt and find another HTML page.

Check kingchad.html: nothing there.

Back to the PNG file. A reverse image search online gives the building's name.

Try using the building's name as the keyword for the password; after several failed attempts, we log in.

Search for SUID files and find an unusual one.

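The SUID check above, as an added example that is not from the original walkthrough: a small audit function that reports set-uid binaries not on an allowlist, which is how a defender would spot an odd binary such as s-nail-privsep on a host. The directory tree, file names and allowlist below are constructed so the script runs anywhere; on a real host you would point audit_suid at / with a baseline captured at install time.

```shell
#!/bin/sh
# Added example (not from the walkthrough): report set-uid files under a tree
# whose basename is not in an allowlist file (one name per line).
audit_suid() {
    root="$1"; allow="$2"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        name=$(basename "$f")
        # Anything not in the baseline is worth a second look.
        if ! grep -qx "$name" "$allow"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed demo: a temp tree standing in for the root filesystem, with
# one expected set-uid binary (su), one normal binary (ls), and the unusual
# set-uid binary from the walkthrough (s-nail-privsep). The temp prefix is
# stripped from the output so the result is path-stable.
run_demo() {
    tree=$(mktemp -d); allow=$(mktemp)
    mkdir -p "$tree/bin" "$tree/usr/libexec"
    : > "$tree/bin/su";                    chmod 4755 "$tree/bin/su"
    : > "$tree/bin/ls";                    chmod 755  "$tree/bin/ls"
    : > "$tree/usr/libexec/s-nail-privsep"; chmod 4755 "$tree/usr/libexec/s-nail-privsep"
    printf 'su\nsudo\npasswd\n' > "$allow"
    audit_suid "$tree" "$allow" | sed "s|^$tree||"
    rm -rf "$tree" "$allow"
}

run_demo
```

Only /usr/libexec/s-nail-privsep is printed: su is on the baseline and ls has no set-uid bit.
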
Look it up online: it has a CVE.

Check the s-nail version. Good.

We can download the PoC online, or take it from the offline exploitdb copy.

Running it directly fails.

Change "base_dir" from "/var/tmp" to "/tmp"; then it runs without errors, but we still get no root shell.

Then I make a copy of 47172.sh as exp.sh and change some variables.

Then run the two files at the same time:

./47172.sh & ./exp.sh

When they finish, one of them gets a root shell.

Powered By Z-BlogPHP 1.7.0