Writeup - VulnHub - Infovore

Enumeration

Let’s start with a simple nmap scan: nmap -sC -sV -p- <vulnmachineIP>.

This returns an Apache web server running on port 80.

Reviewing the page source and clicking around the page does not seem to reveal much, only the title “Include me”, which sounds like a hint towards Local File Inclusion (LFI).

Running directory enumeration reveals other files such as info.php, index.php and index.html.

The info.php file is directly exposed and gives more information about the target.

I decided to fuzz the index.php parameters looking for a way to trigger an LFI, and found a “filename” parameter which only seemed to allow /etc/passwd.

After more searching I discovered an exploit at https://raw.githubusercontent.com/M4LV0/LFI-phpinfo-RCE/master/exploit.py.

I changed the IP and port and modified a few other parts of the exploit.

The exploit successfully returns a reverse shell. We are inside a Docker container; moving to the web directory at /var/www/html, our first flag lies inside user.txt!
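From the defender’s side, an added example that is not part of the original writeup: it scans Apache access-log lines for the two things this chain relies on, inclusion-style values in the index.php “filename” parameter and POST requests to an exposed phpinfo page. The log lines, IPs and parameter name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined"-style access log; the sample lines below are constructed, not from the box.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Values that should never reach an include()-style parameter.
LFI_PATTERNS = [
    (re.compile(r'(^|/)\.\.(/|$)'), "path traversal"),
    (re.compile(r'^/'), "absolute path"),
    (re.compile(r'^(php|file|data|expect|zip|phar)://', re.I), "stream wrapper"),
    (re.compile(r'%00|\x00'), "null byte"),
]

def inspect(line, param="filename"):
    """Return the reasons one access-log line looks like LFI abuse (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    findings = []
    for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
        value = unquote(value)  # parse_qs decoded once; a second pass catches double-encoding
        for pattern, reason in LFI_PATTERNS:
            if pattern.search(value):
                findings.append(f"{param}={value!r}: {reason}")
    # A phpinfo() page has no reason to receive a request body; a POST to it is a red flag.
    if url.path.endswith("info.php") and m.group("method") == "POST":
        findings.append("POST to phpinfo page")
    return findings

def scan(log_text, param="filename"):
    """Return (client_ip, findings) for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        findings = inspect(line, param)
        if findings:
            hits.append((LOG_RE.match(line).group("ip"), findings))
    return hits

SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?filename=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?filename=/etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?filename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /info.php HTTP/1.1" 200 70212
"""
```

Running scan(SAMPLE_LOG) flags the three 10.0.0.9 lines and leaves the benign “about” request alone; the real fix is an allowlist of includable names and removing info.php from the web root.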

We’ll need to extract .oldkeys.tgz to a separate folder such as /tmp and read its contents. It seems to contain a private key, whose passphrase we’ll crack with john.

The cracked passphrase is choclate93. We’ll use it to log in as root (and wherever a password is needed), and after navigating the folders we get our second flag at root.txt.

We’re now an admin on the host system. Since we’re in the docker group, we can abuse this privilege by mounting the host’s filesystem into one of the Docker containers, thus gaining full authority over it.

We mount it with: docker run -v /:/mnt/<anyname> -ti imgid /bin/bash

Navigate to the root directory inside the mounted filesystem and you’ll find the last flag at root.txt.

…stay curious…