Happy Chinese New Year to all CTFers!
The machine can be downloaded here.
Nmap scan of the ports.
Log in to FTP as anonymous and get a file.
Check the file type: it's a zip. Unzip it to get a username "chad" and a PNG file.
Check the image: a beautiful building.
For now, let's check port 80. If we scan it directly, we get a lot of 301 responses.
Bypass the 301 redirects and scan again.
Check robots.txt and find another HTML page.
Check kingchad.html: nothing there.
Back to the PNG file. Using an online reverse image search, we get the building's name.
Try the building's name as the basis for the password; after several failed attempts, we log in.
Search for SUID files and find an unusual one.
Look it up online: it has a CVE.
Check the s-nail version. Good.
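As an added defender-side example (not part of the original writeup), the SUID search from this step turned into a routine check: list every SUID binary under a root and report any that is not on an allowlist, which is how an unexpected setuid helper like the one found here would be caught early. The function names audit_suid and make_demo_tree, the allowlist file, and the demo file names are constructed for this example.

```shell
#!/bin/sh
# Constructed example: audit SUID binaries under a root against an allowlist.
# audit_suid and make_demo_tree are hypothetical helper names, not from the writeup.

# Print SUID regular files under $1 that are not listed in the allowlist file $2
# (one absolute path per line). Output: one unexpected path per line, sorted.
audit_suid() {
    root="$1"
    allow="$2"
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort | while IFS= read -r path; do
        if ! grep -qxF "$path" "$allow"; then
            printf '%s\n' "$path"
        fi
    done
}

# Build a constructed demo tree: two expected SUID files, one unexpected SUID file,
# and one ordinary binary that must not be reported. Prints the tree root.
make_demo_tree() {
    demo="$(mktemp -d)"
    mkdir -p "$demo/usr/bin" "$demo/usr/local/bin"
    for f in "$demo/usr/bin/passwd" "$demo/usr/bin/sudo" "$demo/usr/local/bin/unexpected-helper"; do
        : > "$f"
        chmod 4755 "$f"        # set the SUID bit
    done
    : > "$demo/usr/bin/ls"
    chmod 0755 "$demo/usr/bin/ls"   # not SUID
    printf '%s\n' "$demo/usr/bin/passwd" "$demo/usr/bin/sudo" > "$demo/allowlist.txt"
    printf '%s\n' "$demo"
}

# Stand-alone run: audit the demo tree and clean up.
if [ "${1:-}" = "demo" ]; then
    d="$(make_demo_tree)"
    audit_suid "$d" "$d/allowlist.txt"
    rm -rf "$d"
fi
```

On a real host you would run audit_suid / against an allowlist generated from a known-good image and alert on any new line; the allowlist is matched on the full path, so a SUID copy of an expected binary in an unusual directory is reported too.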
We can download the PoC online or take it from the offline exploitdb copy.
Running it directly fails.
Change "base_dir" from "/var/tmp" to "/tmp"; then it runs without error, but we still get no root shell.
Then I make a copy of 47172.sh as exp.sh and change some variables.
Then run the two files at the same time:
./47172.sh & ./exp.sh
When they finish, one of them has a root shell.