netdiscover and nmap
Submit binary file
Inject XSS Payload in file
Getting session cookie
Login as admin
RCE in delete function and get reverse shell
The delete function takes a filename encoded in base64.
If we append a command after the filename and base64-encode the whole string, the command is executed.
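The weakness above is a base64-wrapped filename reaching a shell unchecked. The following is an added example, not the target application's code: it shows the shape of the vulnerable command construction (built as a string, never executed) next to a hardened delete that validates the decoded name and removes the file with os.remove(), so no shell interprets the input. The upload directory path and the function names are assumptions.

```python
import base64
import binascii
import os
import re
import tempfile
from typing import Optional

# Constructed example (not the application's own code). The delete endpoint
# decodes a base64 filename and hands it to a shell; the hardened version
# validates the decoded name and never involves a shell.

# Accept only a plain basename: alphanumerics, '.', '_' and '-', not starting
# with '.', at most 64 characters. This rules out '/', '..', whitespace and
# every shell metacharacter.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def decode_name(b64name: str) -> Optional[str]:
    """Strictly decode the base64 parameter; None on a bad alphabet/padding or non-UTF-8."""
    try:
        return base64.b64decode(b64name, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def build_unsafe_command(b64name: str) -> Optional[str]:
    """Vulnerable shape, shown only as a string and never executed here: the
    decoded name is spliced into a shell command line, so any shell separator
    inside it turns the remainder into a second command."""
    name = decode_name(b64name)
    if name is None:
        return None
    return f"rm -f /var/www/uploads/{name}"  # assumed upload path, not from the page


def validate_name(b64name: str) -> Optional[str]:
    """Hardened check: decode, then require the result to match SAFE_NAME."""
    name = decode_name(b64name)
    if name is None or not SAFE_NAME.fullmatch(name):
        return None
    return name


def delete_safe(upload_dir: str, b64name: str) -> bool:
    """Remove upload_dir/<validated name> without a shell.
    True if a file was removed, False if the name was rejected or the file is absent."""
    name = validate_name(b64name)
    if name is None:
        return False
    path = os.path.join(upload_dir, name)
    # Defence in depth: even a validated name must resolve inside upload_dir.
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(upload_dir):
        return False
    try:
        os.remove(path)
        return True
    except FileNotFoundError:
        return False


def demo() -> bool:
    """Create a scratch upload dir with one file, delete it through the
    hardened path and report whether it is gone."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "file.txt")
        with open(target, "w") as fh:
            fh.write("constructed sample upload\n")
        encoded = base64.b64encode(b"file.txt").decode("ascii")
        removed = delete_safe(d, encoded)
        return removed and not os.path.exists(target)


if __name__ == "__main__":
    print("hardened delete worked:", demo())
```

The allow-list regex is deliberately narrow: rejecting anything that is not a simple basename is simpler to reason about than trying to escape shell metacharacters, and using os.remove() instead of a shell command removes the injection surface entirely.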
admin_login_logger has the SUID bit set.
Try with random input
OK, if we supply a long string as input we can see that we overwrite the output filename.
With a unique pattern we find that after 456 bytes we control the filename.
But what about the input? What input is written to the file?
We cannot read /var/log/proteus/log (where the binary writes originally), but we can download the binary and run it locally to read what it wrote.
HEY this is our input !!
Adding an arbitrary user with root UID to the /etc/passwd file
Generate the hash for the passwd entry with:
python -c 'import crypt; print(crypt.crypt("knx", "$6$saltsalt$"))'
Then write the complete entry to /etc/passwd, calculating the right length and offset.
Finally the FLAG
- We could overwrite /etc/crontab and add a reverse shell job every minute, but this does not work because crontab is strict about syntax and the binary adds non-printable characters at the beginning of the string.
- We could try to write our public id_rsa key into authorized_keys, but it fails because the length of the full path of authorized_keys exceeds the maximum length handled by the binary.