Executive Summary

An insecure file upload, reachable by anyone who knows the correct id, leads to access to the box. Once on the box, various further actions could have been taken, but within this scope only a file was read.

Technical Details

Enumeration

First, the HTTP site is examined; it prompts with "Please enter your ID as a GET parameter (?id=YOUR_ID_HERE)". After adding the id provided to us we get 10.10.88.191/?id=ODIzODI5MTNiYmYw, which leads to a file upload page.

Initial Foothold

Let's try to upload a reverse PHP shell from pentestmonkey. There is some sort of file filtering on the upload, so let's try to get around it. We copy our reverse shell to a few different file types: HTML, JPG and PHTML. JPG is the one that lets us upload. If you inspect the source of the website, you will also see that there is an accept filter on the input: .jpeg, .jpg, .png. We have uploaded the file and now we need to find out how to reach it on the webserver.

nmap doesn't tell us much that we don't already know, so let's move on to gobuster. Gobuster returns a strange error about non-existent URLs. If we use --wildcard we get flooded with responses, but we can dig through them to find a few live endpoints. /assets/ and /uploads/ look promising, and /uploads/ has our shell sitting there. Try it, and it fails. We have to go back and use a double-barrelled file extension, .jpg.php. Reupload the shell, hit that endpoint, and we are on the box. We can then read the flag and no further action is needed.
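The two weaknesses exploited above are worth seeing side by side with their fix: the accept filter on the input element is enforced only by the browser, and an extension check that is satisfied by ".jpg" appearing anywhere in the name lets a "shell.jpg.php" through. The following is an added example written for this writeup, not code from the target box; the allowlist, magic-byte table and executable-extension list are constructed for the example. It shows the weak check next to a server-side validator that matches only the final extension, rejects stacked extensions, verifies the file really starts with an image header, refuses embedded PHP tags and stores the file under a random name, plus a small audit helper for reviewing what is already sitting in an uploads/ directory.

```python
"""Hardened upload validation and an uploads/ audit helper.

Added example, not the target application's code. Lists below are
constructed for the example.
"""
import os
import secrets
from dataclasses import dataclass

# Single allowlist, matched only against the final extension.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}

# Leading bytes each accepted type must begin with (constructed table).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Extensions the web server may hand to the PHP interpreter (constructed list,
# limited to the ones this writeup mentions).
EXECUTABLE_EXTENSIONS = {".php", ".phtml"}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def weak_check(filename: str) -> bool:
    """The kind of filter the double extension defeats: it accepts any name
    that merely *contains* an allowed extension, so 'shell.jpg.php' passes."""
    return any(ext in filename.lower() for ext in ALLOWED_EXTENSIONS)


def validate_upload(filename: str, content: bytes) -> Verdict:
    """Server-side validation of one upload; returns why it was rejected."""
    base = os.path.basename(filename)          # drop any path components
    root, ext = os.path.splitext(base.lower())  # only the final extension counts
    # 1. Final extension must be on the allowlist (catches shell.jpg.php).
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension {ext!r} not allowed")
    # 2. No stacked extensions at all (catches shell.php.jpg); strict by design.
    if "." in root:
        return Verdict(False, "multiple extensions rejected")
    # 3. Content must carry the header of the type it claims to be.
    if not content.startswith(MAGIC[ext]):
        return Verdict(False, "content does not match declared image type")
    # 4. A valid image header does not prove the rest is an image.
    if b"<?php" in content or b"<?=" in content:
        return Verdict(False, "embedded PHP code")
    # 5. Never reuse the client-supplied name; the extension is the validated one.
    stored = secrets.token_hex(16) + ext
    return Verdict(True, "ok", stored)


def find_suspicious_uploads(names):
    """Audit helper for an existing uploads/ directory: flag every stored name
    that carries a server-executable extension anywhere in it."""
    flagged = []
    for name in names:
        parts = name.lower().split(".")[1:]
        if any("." + p in EXECUTABLE_EXTENSIONS for p in parts):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample names and contents for a quick run.
    for name, data in [
        ("shell.jpg.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]:
        print(name, "weak_check:", weak_check(name), "validator:", validate_upload(name, data))
    print("audit:", find_suspicious_uploads(["a.jpg", "shell.jpg.php", "x.phtml", "ok.png"]))
```

Step 2 deliberately rejects legitimate names such as photo.2023.jpg; relaxing it is a policy choice, but step 1 alone already closes the bypass used here, and step 5 means the original name never reaches the web root in any case. The audit helper is the check to run over /uploads/ during incident response to find anything that slipped in before the validator was deployed.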

Lateral Movement

Not needed

Priv Esc

Not needed

rank: 1391