Hacker of the Hill #1 (Easy Challenge)

Fahri Korkmaz
Mar 18, 2021


Description

These challenges are boot2root rooms on TryHackMe. By completing them it was possible to obtain a private invitation for bug bounty programs on HackerOne. This write-up is for the first challenge, called “Easy Challenge”.

WriteUp

First of all, an nmap scan will show us which services are running:

On the machine there are multiple web servers running on different ports:

The web service on port 8002 gives us the ability to inject PHP code:

This can be used to run a reverse shell. I have used the “php-reverse-shell” by Pentestmonkey. Paste it into the box and start a netcat listener with nc -lvnp 1234 on your machine. After submitting you should get a shell on the box:

The “user” flag is located inside “/var/lib”. This can be submitted to HackerOne:

During enumeration you can spot a cronjob, which is run by the “root” user:

Luckily for us, we can manipulate the “backup.sh” file. I have added a line to send me the “root” flag to a netcat listener. You just have to start another netcat listener on port 1234. After a while you will get the flag:

Mitigation

We got the initial shell by exploiting the PHP learning playground. This playground should be restricted to certain PHP commands. Furthermore, the permissions on the backup script should be set correctly, so that unprivileged users cannot modify a script that the root cron job runs.
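
One way to check a Linux host for the second problem, as an added example that is not part of the original write-up: the script reads a system crontab (/etc/crontab format) and reports files referenced by root entries that are writable by group or others, or that sit in such a directory. The function names are hypothetical, and only permission bits are inspected, not ownership or ACLs.

```shell
#!/bin/sh
# Added example: report files run from root cron entries that non-root
# users could modify. Only permission bits are checked (no ownership/ACLs).

# True if the given path (symlinks followed) is writable by group or others.
loosely_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_root_cron CRONTAB
# CRONTAB uses the system format: schedule (five fields or @keyword),
# user, command. Prints "path: reason" for each finding.
audit_root_cron() {
    awk '
        /^[ \t]*(#|$)/ || $1 ~ /=/ { next }      # comments, blanks, VAR=value
        { u = ($1 ~ /^@/) ? 2 : 6 }              # position of the user field
        $u == "root" {
            for (i = u + 1; i <= NF; i++)
                if ($i ~ /^\//) print $i         # absolute paths in the command
        }' "$1" | sort -u | while IFS= read -r path; do
        [ -f "$path" ] || continue               # skip devices, missing files
        if loosely_writable "$path"; then
            echo "$path: writable by group or others"
        elif loosely_writable "$(dirname "$path")"; then
            echo "$path: parent directory writable by group or others"
        fi
    done
}

# Usage: sh audit_cron.sh /etc/crontab
if [ "$#" -gt 0 ]; then
    audit_root_cron "$1"
fi
```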
