Логово хакера (Hacker's Lair)

hackerlab

Task: hard pentest quest box. Chain SHA224 magic-hash PHP type-juggling auth bypass, file-upload webshell RCE as www-data, SUID base32 owned by another user for arbitrary file read, then Python library/import-path hijacking against a root cron to escalate to root.

rce php file_upload webshell cron linux ssh suid privilege_escalation base32 type_juggling sha224_magic_hash suid_base32_file_read python_library_hijacking import_path_hijack docker_healthcheck

sha224_magic_hash_type_jugglingphp_source_disclosure_highlight_filewebshell_upload_uploads_fuzzingsuid_base32_arbitrary_file_readpython_module_import_path_hijack_cron_race

$ ls tags/ techniques/

rce php file_upload webshell cron linux ssh suid privilege_escalation base32 type_juggling sha224_magic_hash suid_base32_file_read python_library_hijacking import_path_hijack docker_healthcheck

sha224_magic_hash_type_jugglingphp_source_disclosure_highlight_filewebshell_upload_uploads_fuzzingsuid_base32_arbitrary_file_readpython_module_import_path_hijack_cron_race

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[infra][Pro]Кто там?— hackerlab
[infra][Pro]Секретный кабинет (Secret Cabinet)— hackerlab
[infra][Pro]Подземелье (Dungeon)— hackerlab
[pentest][Pro]Сисадмин (Sysadmin)— hackerlab
[infra][Pro]Черновик (Chernovik)— hackerlab