City (Информационный портал УК City)

standoff365

Task: Standalone machine with Bludit CMS 3.9.2 information portal, 6 flags total. Solution: CVE-2019-17240 brute-force bypass via X-Forwarded-For rotation, CVE-2019-16113 directory traversal upload for RCE, cap_setuid on python3.9 for LPE to root, cron-based defacement trigger for UE.

sqli brute_force ssrf rce path_traversal php file_upload webshell cron apache linux_capabilities cap_setuid vsftpd cms bludit cve-2019-17240 cve-2019-16113 lpe defacement mariadb

brute_force_bypass_xffdirectory_traversal_uploadphp_webshell_uploadcapability_setuid_privescmysql_skip_sslcron_defacement_triggersuid_binary_execution

$ ls tags/ techniques/

sqli brute_force ssrf rce path_traversal php file_upload webshell cron apache linux_capabilities cap_setuid vsftpd cms bludit cve-2019-17240 cve-2019-16113 lpe defacement mariadb

brute_force_bypass_xffdirectory_traversal_uploadphp_webshell_uploadcapability_setuid_privescmysql_skip_sslcron_defacement_triggersuid_binary_execution

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[infra][Pro]Подземелье (Dungeon)— hackerlab
[web][Pro]Странный сервер (Strange Server)— hackerlab
[infra][Pro]Скрипт-кидди (Script-kiddie)— hackerlab
[infra][Pro]SREga CTF — 8-Level SRE Challenge— srega
[infra][free]Reactor— hackthebox