PracticalPentestLabs.com boxes writeups

Just knocked over HIGINI if anyone is interested.
This is basically the approach I took step by step:

  1. nmap -> find ports 22+80
  2. View source -> find creds ‘test’ and ‘test’. Enter creds but they don’t go far. Some page called ‘expenses.php’ which doesn’t exist (useful later :slight_smile: )
  3. Hit up ‘/robots.txt’. Find /dev.
  4. Download pages -> note obvious LFI from the ‘users’ cookie. Guess that the same pages in /dev are available in /. Test with …/…/…/…/etc/passwd as the user cookie and the LFI works
  5. Using the path /proc/self/fd/2 shows the error log. Note the instance of the ‘referer’ header being written out - particularly when the expenses.php file can’t be found
  6. Log in again but this time polluting the referer header with the <?php echo('thisworks!'); system($_GET['cmd']); ?> string set.
  7. Reroll the 5th step - note the ‘thisworks!’ string being printed.
  8. Passing in cmd=ls as the query yields RCE.

DB credentials can be found at this point.
Don’t see obvious privesc yet.
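From the defender's side, the chain above (traversal in the `users` cookie, a PHP tag planted in the Referer so it lands in the error log, then a `cmd` parameter once the log is included) leaves distinct traces in web server logs. The script below is an added example, not part of the original post or of the lab; it parses a constructed Apache-style log format that also records the Cookie header (the format and the sample lines are assumptions) and flags each stage.

```python
import re

# Constructed sample log lines (not from the lab) in an assumed Apache custom format:
# ip - - [ts] "request" status bytes "referer" "user-agent" "cookie"
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:12:00:00 +0000] "GET /dev/index.php HTTP/1.1" 200 512 "http://lab.example/login.php" "Mozilla/5.0" "users=alice"
10.0.0.9 - - [01/Jan/2020:12:00:03 +0000] "GET /dev/index.php HTTP/1.1" 200 981 "-" "curl/7.68" "users=../../../../etc/passwd"
10.0.0.9 - - [01/Jan/2020:12:00:07 +0000] "GET /expenses.php HTTP/1.1" 404 196 "<?php echo('thisworks!'); ?>" "curl/7.68" "users=test"
10.0.0.9 - - [01/Jan/2020:12:00:11 +0000] "GET /dev/index.php?cmd=ls HTTP/1.1" 200 2210 "-" "curl/7.68" "users=../../../../proc/self/fd/2"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Directory traversal (plain or URL-encoded) or a reach into /proc/self, which is
# how the error log was read via the include.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e[%/\\]|/proc/self/)', re.I)
# A PHP open tag in a client-controlled header that ends up in the error log.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)


def analyse(log_text):
    """Return (line_no, reason) findings, one per matched stage of the chain."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        cookie, req = m['cookie'], m['req']
        if TRAVERSAL_RE.search(cookie):
            findings.append((n, 'traversal-in-cookie'))
        for hdr, val in (('referer', m['referer']), ('user-agent', m['ua'])):
            if PHP_TAG_RE.search(val):
                findings.append((n, f'php-tag-in-{hdr}'))
        # Traversal in the include plus a cmd= query parameter is the final stage.
        if TRAVERSAL_RE.search(cookie) and re.search(r'[?&]cmd=', req):
            findings.append((n, 'include-plus-cmd-param'))
    return findings


if __name__ == '__main__':
    for line_no, reason in analyse(SAMPLE_LOG):
        print(f'line {line_no}: {reason}')
```

The `php-tag-in-referer` hit on a 404 is the useful early signal: it fires before the include is ever pointed at the log file.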

I’m glad you gave 0 fucks about the 2 comments above.

5 Likes

And the one above this.

EDIT:
On reflection @pry0cc makes a good point:

The forum is a place for discussion, perhaps writeups, how you did it, or one or two issues you may be facing. But a conversation about breaking it, that is a job for the IRC.

My post was a writeup, how I did it, and one issue I may be facing.

It was NOT/NOT a conversation about breaking it.

Personally, I found the spoiler tag really useful. Not a feature you get in IRC land.

Looks like you got tired in the middle of @pry0cc’s point.

3-5 sentences are nowhere close to a write-up. Even if that was a “write-up”, go ahead and make a separate post about it.

Behave and don’t embarrass yourself please.

Please, lock this thread xD

1 Like

Just wanted to give you guys a heads up it appears they now offer a pretty badass looking premium course https://practicalpentestlabs.com/vip