
Playing Hacks and Stuffs!


Project maintained by h4ckyou Hosted on GitHub Pages — Theme by mattgraham

Gonavision AfriHackBox


Hi, this is my first writeup for the AfriHackBox platform and I'll be showing you how I solved the Gonavision lab

So first things first we need to get the list of open ports on the host, and my preferred way of doing that is rustscan for the full-range sweep followed by nmap for service detection on whatever comes back (cause why not??). Only port 80 came back open, so nmap was pointed at that:

- rustscan -a 10.0.1.5 -r 1-65535
- nmap -sCV -A 10.0.1.5 -p80

Going over to the web service running on port 80 shows a login page

I tried some SQLi payloads in the username/password fields but nothing worked, so I moved on from messing with the login page

From this we can tell that the application was created by Nikhil Bhalerao, so the ideal thing would probably be to search for "RedCock Farm" and see what comes up

But that isn't how I solved it, so I'll show you what I did instead

What I did next was to fuzz for files, specifically .php ones, because that's the language the application is written in 💀

Ok so we got various files back

The register.php looks interesting because if we can register a user then we can probably log in and see what other functions we can access

Another interesting thing to note: even though the other files return a status code of 302, which implies a redirect, their content length is absurdly large for a bare redirect (a redirect response normally carries an empty or tiny body), and we'll get to why soon

So the first thing I did was to try to register

But after submitting the form I got this error, dang!

This means we can’t register a user (it seems!)

What next?

Well, time to check out why those files which were supposed to just "redirect" happen to have such a large content length

If we try to access one of them in the browser you'll notice it immediately redirects to /index.php

This is how i went about bypassing that

I captured the request with Burp Suite, intercepted the response to that request (right-click the request in the intercept tab and choose "Do intercept > Response to this request") and changed the status line from 302 to 200 OK before forwarding it. The browser then renders the body it was given instead of following the Location header

This is the equivalent in Python: with allow_redirects=False, requests hands back the 302 response itself, body included, rather than following it

import requests

url = "http://10.0.1.5/"
# Don't follow the 302: the body the server sends along with the
# redirect is exactly what we want to look at
res = requests.get(url + "store.php", allow_redirects=False)

print(res.text)

# Save it so it can be opened in a browser
with open("store.html", "w") as f:
    f.write(res.text)

If we save the HTML response and open it in our browser we'd see the store page that the redirect was supposed to hide from us

But why does this work exactly?

This is a class of web vulnerability called Execute After Redirect (EAR, CWE-698). The PHP page sends a Location header to bounce unauthenticated users back to index.php, but the script never stops executing afterwards (no exit()/die() following header()), so the rest of the page is still rendered and shipped in the body of the 302. A browser follows the redirect and never shows that body, which is why it looks protected, but anything that does not follow redirects, or a proxy that rewrites the status code, gets the full content. That is also why the content length on those "redirects" was so large.

From this I was able to find other PHP files hosted on the server (by viewing the page source of the store.php HTML content, which links to them)

After looking through them I found something juicy: product.php

I accessed it using the Burp method, since that preserves the images/CSS (the browser resolves the relative links against the real site), making it look much better

We have the ability to upload a photo (screams... file upload bypass)

The first thing which came to mind was to upload a php file (obviously)

But on intercepting the upload request I noticed something

Notice how the form is actually submitting to the wrong file? The request goes to index.php rather than product.php

I sent that request to Repeater and here's the response

Doesn't seem to error? I then searched the response for the name of the file I uploaded and boom, there it was

Looks like it uploaded to: assets/img/productimages/a.php

Accessing it ran the PHP I uploaded, so we have gotten RCE on the host...

Nice, lab pwned!

For this lab the flag is located at: /etc/passwd

Thanks for reading!