Base

Personal Rating: Easy

Web Enumeration

There is a webserver on port 80 as an nmap scan shew. (sudo nmap <IP>)

After fuzzing, I found a swapfile and a login form. The swapfile contains the authentication PHP code, but I couldn't make much of it.

Decoding Swapfile to Auth Bypass

This command can remove the non-human readable parts of the file and beautify it:

strings swapfile | tac >> swp-beautified.txt

Since it was a swapfile and the non human readable part had to be removed, this is not correct code, but it's clear whats happening:

$_SESSION['user_id'] = 1;
if (strcmp($password, $_POST['password']) == 0) &&
if (strcmp($username, $_POST['username']) == 0)
{require('config.php');}
if (!empty($_POST['username']) && !empty($_POST['password']))
session_start();
else {print("<script>alert('Wrong Username or Password')</script>");}

strcmp is used to compare the input password to the required one.

strcmp will return NULL when you compare data of different types, like an array to a string. You can edit the web request to send username[]=test&password[]=authentication

This way, both return null and NULL == 0 will return TRUE

Shell Access and Pillaging

Logged in, I could upload a php reverse shell as the www-data user. The user "john" exists on the system. With the following command I could upgrade my shell to an interactive one:

python -c 'import pty; pty.spawn("/bin/bash")'

As the webuser I found a config file in the folder of the webserver that contained john's password. thisisagoodpassword I could have bruteforced that with hydra, but usually a bruteforce against ssh doesn't work.

GTFOBin Abuse

With sudo -l I found a GTFObin, which is /usr/bin/find. It can be exploited for command execution like this:

sudo /usr/bin/find . -exec /bin/bash \;

The old syntax has additional brackets in the command:

sudo /usr/bin/find . -exec /bin/bash {} \;

With that I could ssh to the box as root and grab the root flag.