Another day, another challenge.
Today’s challenge is #8 from the OWASP Hackademic Challenge.
Below is the scenario:
You have managed, after several tries, to install a backdoor shell (Locus7Shell) to trytohack.gr
The problem is that, in order to execute the majority of the commands (on the machine running the backdoor) you must have super-user rights (root).
Your aim is to obtain root rights.
Clicking on the link we see the following:
Doing a right click and “view page source” the following screen appears:
Looking at the input box, it seems that we can use bash commands to query what’s on the file system.
Typing in “ls” (list) we see the following:
the b64.txt file looks interesting… let’s open this file to see what’s inside…
Looking at the file there’s encoding. Taking a wild guess the encoding is base 64 (the file gave it away).
Going to Google and typing “base 64 decoder” we get the following link.
Putting the encoding from the base64.txt file into the decoder we get the following:
We found the username and password, yay!!!
Going back to the challenge and entering the command su (switch user) we’re prompted with the username and password.
Entering what we found in the last screen we get the following:
We’re now running the application as root (we can see that in the red text, and a congratulations at the bottom)
Once again we looked at the page source, and really didn’t find a lot of information. We did notice that we could enter bash commands and the application would interpret it.
Doing a “ls” we noticed a file on the file system. Going to said file we noticed that it was encoded. Doing a quick Google search we were able to decode the encoding and find the username and password.
A fix for this application would be to not include sensitive files on the file system for users to access. The encoding was trying to do security through obscurity – which doesn’t work. Another fix would be to not allow the user to elevate their privileges (going from a normal user to a admin root user).