
HTB Linux Medium: Zipping

Zipping is a Medium rated Linux machine on HTB.


Nmap


Initial Foothold

Enumerate HTTP (Port 80)

Running Dirsearch to enumerate subdirectories and files reveals the upload.php page.

On the upload page we can upload ZIP files.

The upload filter can be bypassed using symlinks. Generate the following ZIP file.

Next, we upload the ZIP file and visit the document.pdf file. Once there, we open the network tab; the response should be a base64-encoded string that we can decode.
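From the defending side, the check the upload handler was missing can be sketched as follows. This is an added example, not code from the original post or from the target application; the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import stat
import zipfile

def find_unsafe_entries(zip_bytes):
    """Return (name, reason) pairs for entries an upload handler should reject."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Unix-created archives keep st_mode in the upper 16 bits of external_attr.
            file_type = stat.S_IFMT(info.external_attr >> 16)
            if file_type == stat.S_IFLNK:
                findings.append((info.filename, "symlink"))
            elif file_type not in (0, stat.S_IFREG, stat.S_IFDIR):
                findings.append((info.filename, "special file"))
            # Names that would land outside the extraction directory.
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith("/") or ".." in parts:
                findings.append((info.filename, "path traversal"))
    return findings

def build_sample(with_link):
    """Constructed test archive: one regular file, optionally one symlink entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.pdf", b"%PDF-1.4 constructed sample")
        if with_link:
            entry = zipfile.ZipInfo("document.pdf")
            entry.create_system = 3  # 3 = Unix
            entry.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(entry, "placeholder-target")  # entry data is the link target
    return buf.getvalue()

if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("link", build_sample(True))):
        print(label, find_unsafe_entries(sample))
```

A check on the file extension alone does not catch this case, because the link entry's name can still end in .pdf.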

Whilst enumerating files, we find a preg_match vulnerability in cart.php, which can be exploited in the following way.

Priv Esc

Running sudo -l results in the following output.

Running the strings command against the file reveals a hardcoded password: St0ckM4nager.

Using strace, we find that the program tries to load a nonexistent libcounter.so file from /home/rektsu/.config/. We can abuse this by creating a reverse shell payload with this filename inside the .config directory.

Next, we use gcc to create the .so file.

Now, when we run the program and enter the password, we should get a shell.

You should now catch a root shell.

User.txt


Root.txt


PWNED!!!


This post is licensed under CC BY 4.0 by the author.