Table of Contents
⚠️ writeup wrote months after root so informations are not accurate.
JS source code disclosure to forge internal requests, leak PHP source code with XXE in custom request, get DB credentials. Privesc with code injection in custom code without input validation.
Only HTTP and SSH, nothing special.
We have here a simple web server, with custom SJ script to send bounty tickets. The portal tells us to go to
/log_submit.php, here we have a custom XHR launched towards an internal API
dirb_pr00f314.php. We see that XML is posted here so lets try a classic XXE:
We can leak source code with this, here are the files I got: db.php.
We get credentials:
1<?php 2// TODO -> Implement login system with the database. 3$dbserver = "localhost"; 4$dbname = "bounty"; 5$dbusername = "admin"; 6$dbpassword = "m19RoAU0hP41A1sTsq6K"; 7$testuser = "test"; 8?>
/etc/passwd we got our target, the user
developement. We can SSH eith the
From that we have a local script to validate tickets: ticketValidator.py.
Here we see an obvious code injection vulnerability in a custom ticket:
We cat get root: