Last updated: 15 Apr 24 09:31:33 (UTC)

Write-Up Potato-1

Potato-1

By Lawcky 09/01/24

Introduction

Boot to Root

Difficulty : easy

Additional info:

Name: Potato: 1
Release date: 2 Aug 2020
Author: Florianges
Series: Potato

|NOTE| We won't copy the scans here, as they would be far too voluminous; if you want to see them all, click here to see them


In this write-up

  • php comparator bypass
  • LFI
  • Hashcat

Write-UP

Login page

We found a login page that looks vulnerable to either a PHP comparator bypass or an SQLi.


We capture the packet and change the password variable to password[].

PHP now compares an array to a string, and the comparison returns a NULL value (see the PHP documentation), which the login check accepts.



LFI

We now have access to the dashboard. We catch the packet that requests the logs.txt file and try an LFI on the /etc/passwd file.


hashcat -m 500 hash ~/tools/seclist/rockyou.txt


TGUgY29udHLDtGxlIGVzdCDDoCBwZXUgcHLDqHMgYXVzc2kgcsOpZWwgcXXigJl1bmUg

first flag found

Privilege Escalation


nice is a special binary that basically executes a sh file.

We can try to bypass this by starting from the /notes directory (in which we don't have write permission) and traversing out to another directory, like this:

sudo /bin/nice /notes/../tmp/test

with “test” being a file I created with /bin/bash inside
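Why a path like the one above still satisfies a directory-restricted rule, and a check that catches it, as an added example that is not part of the original write-up. It assumes the sudo rule has the shape /bin/nice /notes/* (the rule text is not on the page) and models sudo's argument wildcard with Python's fnmatch; all names in it are hypothetical.

```python
import fnmatch
import posixpath

# Assumption: the rule in the screenshot has this shape (its text is not on the page).
ASSUMED_ARG_PATTERN = "/notes/*"
ALLOWED_DIR = "/notes"

# Constructed sample arguments; the second one is the path used in the write-up.
SAMPLE_ARGS = [
    "/notes/clear.sh",
    "/notes/../tmp/test",
    "/notes/sub/../job.sh",
    "/tmp/test",
]


def rule_matches(arg, pattern=ASSUMED_ARG_PATTERN):
    """Model sudoers argument wildcards: '*' is a plain glob that also matches '/'."""
    return fnmatch.fnmatchcase(arg, pattern)


def stays_inside(arg, allowed_dir=ALLOWED_DIR):
    """Collapse '.' and '..' lexically, then require the result to sit below allowed_dir.

    normpath does not resolve symlinks; on a real host use os.path.realpath instead.
    """
    if not arg.startswith("/"):
        return False
    return posixpath.normpath(arg).startswith(allowed_dir.rstrip("/") + "/")


def audit(args):
    """Return (arg, verdict) pairs: 'ok', 'escapes' or 'rejected'."""
    results = []
    for arg in args:
        if not rule_matches(arg):
            verdict = "rejected"   # the wildcard rule itself refuses it
        elif stays_inside(arg):
            verdict = "ok"         # matches and really lives under /notes
        else:
            verdict = "escapes"    # matches the rule but resolves elsewhere
        results.append((arg, verdict))
    return results


if __name__ == "__main__":
    for arg, verdict in audit(SAMPLE_ARGS):
        print(f"{verdict:9} {arg}")
```

The durable fix is a sudoers entry that names each permitted script by its exact path instead of using a wildcard.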


bGljb3JuZSB1bmlqYW1iaXN0ZSBxdWkgZnVpdCBhdSBib3V0IGTigJl1biBkb3VibGUgYXJjLWVuLWNpZWwuIA==

second flag found
