HackMyVm Gigachad Walkthrough

Happy Chinese New Year to all CTFers!


The machine can be downloaded here.

Scan the ports with Nmap.

[screenshot]


Log in to FTP as anonymous and get a file.

[screenshot]


Check the file type: it's a zip. Unzip it to get a username, "chad", and a PNG file.

[screenshot]


Check the image: a beautiful building.

[screenshot]


For now, let's check port 80. If we scan directories directly, we get a lot of 301 responses.

[screenshot]


Filter out the 301 responses and scan again.

[screenshot]


Check robots.txt; it reveals another HTML page.

[screenshot]


Check kingchad.html; nothing useful there.

Back to the PNG file. A reverse image search online gives the building's name.

[screenshot]


Try the building's name as the basis for the password; after several failed attempts, we log in.

[screenshot]


Search for SUID files and find an unusual one.

[screenshot]
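The check that surfaces a stray setuid binary like this one is a baseline comparison, which is also how a defender catches it before an attacker does. The following POSIX sh script is an added example, not part of the original walkthrough: it lists setuid files under a tree and reports any that are missing from a known-good baseline. The function names and the baseline file path are my own.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: audit setuid binaries
# against a known-good baseline so an unexpected SUID file (such as a mail
# client carrying the setuid bit) stands out. Function names and the
# baseline file path are assumptions of this example.

# list_suid ROOT
#   Print the sorted absolute paths of all regular files with the setuid bit
#   set under ROOT, staying on one filesystem (-xdev) so /proc and other
#   mounts are skipped. Permission errors are silenced so an unprivileged
#   run still produces a usable (if partial) list.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# record_baseline ROOT OUTFILE
#   Snapshot the current setuid inventory. Run this on a freshly installed,
#   trusted host and keep OUTFILE somewhere the audited machine cannot modify.
record_baseline() {
    list_suid "$1" > "$2"
}

# unexpected_suid ROOT BASELINE
#   Print setuid files present under ROOT but absent from BASELINE.
#   comm(1) needs both inputs sorted, so the baseline is re-sorted into a
#   temporary file before the comparison.
unexpected_suid() {
    _tmp=$(mktemp) || return 1
    sort -u "$2" > "$_tmp"
    list_suid "$1" | comm -23 - "$_tmp"
    rm -f "$_tmp"
}

# When run directly: ./suid_audit.sh ROOT BASELINE
# Exit status 1 means at least one unexpected setuid file was printed,
# which is what a cron job or monitoring agent would alert on.
if [ "$#" -eq 2 ]; then
    found=$(unexpected_suid "$1" "$2")
    if [ -n "$found" ]; then
        printf 'Unexpected setuid files:\n%s\n' "$found"
        exit 1
    fi
    echo "No unexpected setuid files under $1"
fi
```

Record the baseline once with `record_baseline / /etc/suid-baseline.txt` on a trusted install, then run `./suid_audit.sh / /etc/suid-baseline.txt` periodically; anything it prints either belongs in the baseline or should lose its setuid bit.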


Look it up online: there is a CVE for it.

[screenshot]


Check the s-nail version: it's the affected one.

[screenshot]


We can download the PoC online or take it from an offline exploitdb copy.

[screenshot]


Running it directly fails.

[screenshot]


Change "base_dir" from "/var/tmp" to "/tmp"; then it runs without error, but we still get no root shell.

[screenshot]


Then I make a copy of 47172.sh as exp.sh and change some variables.

[screenshot]


Then run the two scripts at the same time:

./47172.sh & ./exp.sh


When they finish, one of them gets a root shell.

[screenshot]
