Patents is a Hard Linux box created by gbyolo. It was released on January 18th, 2020 and was retired on May 16th, 2020. The users rated the difficulty 7.8/10 and gave an overall score of 4/5 to the box.

We have access to a website that manages patents. The main feature is a file upload to convert DOCX to PDF. We find a hidden release note that mentions that entity parsing is enabled in DOCX custom folders. So we build a DOCX with a custom XML part and inject an XXE payload to exfiltrate files. The content of config.php leaks a hidden PHP file getPatent_alphav1.0.php that can be used to read the patent's content. It is vulnerable to LFI and by injecting the access.log with PHP code we achieve RCE and get a reverse shell as We use pspy to see what command is triggered. The command leaks the root password and we grab the user flag. git folder of the lfmserver that runs on port 8888. We reconstruct the source code from it and retrieve the binary. The binary is vulnerable to a stack BOF; we exploit it to get a reverse shell as root. A partition is mounted on top of the /root folder. We unmount it to grab the root flag.

An NMAP scan shows the following (partial) output:

OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux protocol 2.0)

a service running on port 8888 and it is not a website.

We get access to a patent management website and we are logged in as Ajeje Brazorf, an admin. The user profile menu does not seem to work properly but we can access it at /profile.html. We should be able to send him a message but the link to /chat.html is broken. We can access /edit-profile.html to edit the admin profile but all links are dead.

The main feature though is the upload of patents in DOCX format that will be converted to PDF at /upload.html. The Generate pdf button calls convert.php. In the source code, a comment leaks what seems to be the old versions of the upload page. This page also calls convert.php but contains some more comments. If we upload a DOCX file, we get a link to download the PDF version.

The same search for PHP files discovers only config.php and upload.php that we already know.
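
A defender-side check for the weakness this writeup relies on (entity parsing enabled for DOCX custom XML parts), as an added example that is not from the original post or from the application: it rejects an upload before conversion if any XML part declares a DTD or an entity. The function names, the size limit and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# OOXML parts never need a DTD, so any DOCTYPE or ENTITY declaration is suspect.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
MAX_PART_BYTES = 5 * 1024 * 1024  # assumed per-part limit for inspection


def find_dtd_parts(docx_bytes):
    """Return sorted names of XML parts in a DOCX that declare a DTD or entity."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for info in archive.infolist():
            name = info.filename
            if not name.lower().endswith((".xml", ".rels")):
                continue
            if info.file_size > MAX_PART_BYTES:
                flagged.append(name)  # too large to inspect, so treat as rejected
                continue
            # Dropping NUL bytes lets the ASCII pattern also match UTF-16/UTF-32
            # encoded parts, which would otherwise slip past a byte-level scan.
            data = archive.read(info).replace(b"\x00", b"")
            if DTD_MARKER.search(data):
                flagged.append(name)
    return sorted(flagged)


def build_sample(custom_xml):
    """Build a constructed, minimal DOCX-like archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", b"<document/>")
        archive.writestr("customXml/item1.xml", custom_xml)
    return buf.getvalue()


# Constructed samples: a clean part, and parts with a harmless internal entity.
DTD_TEXT = '<!DOCTYPE item [<!ENTITY sample "constructed">]><item>&sample;</item>'
CLEAN = build_sample(b'<?xml version="1.0"?><item>patent</item>')
WITH_DTD = build_sample(DTD_TEXT.encode("utf-8"))
UTF16_DTD = build_sample(DTD_TEXT.encode("utf-16"))

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("dtd", WITH_DTD), ("utf16", UTF16_DTD)):
        print(label, find_dtd_parts(blob))
```

A scan like this is a pre-filter; the XML parser used by the converter should still have DTD and external entity processing disabled.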