Archangel
Writeup.
Get a shell
1. Find a different hostname
mafialive.thm
2. Find flag 1
Add the domain name to /etc/hosts as: 10.10.224.98 mafialive.thm
3. Look for a page under development
test.php
4. Find flag 2
thm{explo1t1ng_lf1}
Looking at the URL, it's known to us that we have to exploit LFI.
I tried looking for /etc/passwd, but it seems like we can view a few files that are under the current directory. If we use the php filter and convert test.php into base64, we can read it.
5. Get user shell & flag.
The hint said poison!!.
Apache log poison it is!!!! (Google search)
URL poisoning
I used the following curl command for the log poison
Log poison successful!!
Reverse shell
I used pentest monkey's revshell
Start a Python server on your local system & run the following command:
Make sure you change the IP & port
So I copied the .php file onto the machine using wget, & now when I visit MACHINE_IP/revshell.php I will get a reverse shell
Flag
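The php filter read and the Apache log poisoning used above both leave traces in the web server's access log. The following is an added detection example, not part of the original writeup: it scans Apache combined-format log lines for those traces. The sample log lines, the query parameter name `file` and the client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

FIELD = r'((?:[^"\\]|\\.)*)'  # quoted field; Apache writes embedded quotes as \"
# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "' + FIELD + r'" \d{3} \S+ "' + FIELD + r'" "' + FIELD + r'"$')

RULES = {
    # PHP open tag stored in a logged field: the log file itself has been seeded with code
    "php-code-in-log-field": re.compile(r"<\?(?:php|=)", re.I),
    # php:// stream wrapper in a request, e.g. the base64 filter used to read source
    "php-stream-wrapper": re.compile(r"php://", re.I),
    "path-traversal": re.compile(r"\.\.[/\\]"),
    # a query parameter whose value points at a web server log file
    "log-file-as-parameter": re.compile(r"[?&][^=&\s]+=\S*(?:access|error)[._]log", re.I),
}

def scan(lines):
    """Return [(line_number, client, [rule names])] for suspicious entries."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line.strip())
        if match is None:
            # Lines that break the format deserve a manual look as well.
            findings.append((number, None, ["unparsed-line"]))
            continue
        client, request, referer, agent = match.groups()
        # Percent-decode so encoded wrappers and traversal sequences still match.
        haystack = " ".join(unquote(f) for f in (request, referer, agent))
        hits = sorted(name for name, rx in RULES.items() if rx.search(haystack))
        if hits:
            findings.append((number, client, hits))
    return findings

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /test.php?file=php%3a//filter/convert.base64-encode/resource=test.php HTTP/1.1" 200 900 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed marker */ ?>"',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /test.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for number, client, hits in scan(SAMPLE_LOG):
        print(f"line {number} from {client}: {', '.join(hits)}")
```

A PHP tag in a logged field followed by a request that passes a log path as a parameter from the same client is the sequence to alert on; the underlying fix is for test.php to include only from a fixed allowlist of files and for the web server user to have no read access to the logs.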
Root the machine
1. Get user 2 flag
There's a cronjob running the file in /opt (found through Linpeas). We have full write access on it, so let's edit it & get a stable shell
I am going to add my public key into the authorized keys of archangel.
Get archangel shell
And we got the shell
---------- stabilize shell
Start python server
Now ssh part.
2. Root flag
Running the binary gives an error
Taking note of the hint, my guess is that the binary is using a relative path, so we can create our own cp & pwn the machine.
I made it in /tmp
Now let's add our /tmp to our PATH variable
--------------- ROOT FLAG