TryHackMe — Advent of Cyber 2 — Day 2

Hello all,

With the notes and intro for day 2, it looks like we are dealing with file uploads, directory traversal and RCE. Let’s get into it and see if we are correct.

We are greeted with a page that tells you to use the code on the Room’s page as a GET parameter. Once we get to the new page, we have this upload section.

It seems like it will only take pictures. Going to test anyway with a few file types. But it is what it seems, only my .jpg and .png are showing up in the file browser.

Why reinvent the wheel on something like this? Let’s use the ready-made PHP reverse shell from Pentestmonkey: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

All we need to do is change the IP and port to the address of our tunnel interface and whatever port we want to listen on.

Going to try and add another extension to my php reverse shell (.jpg) and see what happens. Sidenote: remember when working in a shared folder with Kali/Windows, Windows will quarantine your ‘malicious’ files….

Alrighty, we were able to upload the php-reverse-shell.jpg.php
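
Why a name like that gets through, and what a stricter check looks like, as an added example that is not part of the original write-up or the room's code. The weak filter is an assumption about how the server decides (the page does not show its source), and the function names and sample uploads are constructed for illustration.

```python
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
# Leading bytes ("magic numbers") expected for each allowed image type
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

def weak_filter(filename: str) -> bool:
    """Assumed flawed check: only the FIRST extension after the name is inspected."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and "." + parts[1] in ALLOWED_EXT

def strict_filter(filename: str, content: bytes) -> bool:
    """Accept only a single, allowed, final extension whose content matches it."""
    name = os.path.basename(filename).lower()
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXT:
        return False
    # Reject stacked extensions in either order, e.g. "x.jpg.php" or "x.php.jpg"
    if name.count(".") != 1:
        return False
    return content.startswith(MAGIC[ext])

def stored_name(filename: str) -> str:
    """Server-generated name, so the client-supplied name never reaches the disk."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext

# Constructed sample uploads: (client filename, first bytes of the body)
SAMPLES = [
    ("holiday.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),
    ("php-reverse-shell.jpg.php", b"<?php /* constructed placeholder */ ?>"),
    ("notes.txt", b"plain text"),
]

def audit():
    """Return (name, weak verdict, strict verdict) for every sample upload."""
    return [(n, weak_filter(n), strict_filter(n, c)) for n, c in SAMPLES]

if __name__ == "__main__":
    for name, weak, strict in audit():
        print(f"{name:28} weak={weak!s:5} strict={strict}")
```

Serving the upload directory with script execution disabled covers the case where a filter mistake still slips through.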

Now to find where this gets uploaded.

First time’s the charm: /uploads/. So let’s get our Netcat listener up and running.

And now navigate to the webpage, and we are in.

Now, since we aren’t trying to escalate privileges or go too far on this machine, let’s just navigate to the ‘/var/www/flag.txt’ file, as the room page tells us to. Once again, I’ll leave that last part to you. Best of luck.

Until next time,

-3lduderino