H.A.S.T.E 1: CTF walkthrough
Note: if you want to learn more about Windows exploit development, you can read ch3rn0byl's blog here.
Name: H.A.S.T.E: 1
Release date: 13 Sep 2017
Web page: https://securityshards.wordpress.com/2017/09/13/new-h-a-s-t-e-hacking-challenge/
Aim: get any kind of shell on the system.
We can find the IP address of the system with arp-scan.
Nmap finds only one open port, port 80.
So this will be a purely web-based CTF.
A quick enumeration of the website's structure reveals an SSI page where an ls command is executed, as well as several pages with the .shtml extension. Googling shtml turns up interesting documents and one attack vector: SSI injection.
Because the input from the HTTP form is not sanitised, we can execute commands on the system.
Note: the usual way to execute a command with SSI injection is the lowercase exec keyword rather than EXEC, but after a few tries it appears that the form validation in the PHP page strips the string exec, which is why the uppercase EXEC is used here.
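As an added illustration (not code from the original write-up or the challenge), here is why the filter described above fails and what a sound fix looks like: a Python model of the case-sensitive `exec` blacklist beside a hardened validator that rejects anything shaped like an SSI directive and escapes what it accepts. The sample inputs and function names are constructed for this example.

```python
import html
import re

# Constructed sample inputs (not taken from the write-up): a benign value and
# SSI directives in the two spellings the walkthrough contrasts.
SAMPLES = {
    "benign": "hello world",
    "lower": '<!--#exec cmd="ls" -->',
    "upper": '<!--#EXEC cmd="ls" -->',
}


def weak_filter(value: str) -> str:
    """Models the case-sensitive blacklist the walkthrough ran into:
    only the literal lowercase string 'exec' is removed."""
    return value.replace("exec", "")


# Every SSI directive starts with '<!--#'. Match that shape, case-insensitively
# and tolerating stray whitespace, instead of hunting for one keyword.
SSI_DIRECTIVE = re.compile(r"<!--\s*#", re.IGNORECASE)


def is_ssi_directive(value: str) -> bool:
    return SSI_DIRECTIVE.search(value) is not None


def escape_output(value: str) -> str:
    """Second, independent layer: HTML-escape accepted input so a literal '<'
    can never reach the SSI parser when the page is rendered."""
    return html.escape(value, quote=True)


def hardened_filter(value: str) -> str:
    """Reject directive-shaped input outright, then escape what remains."""
    if is_ssi_directive(value):
        raise ValueError("SSI directive rejected")
    return escape_output(value)


def hardened_accepts(value: str) -> bool:
    try:
        hardened_filter(value)
        return True
    except ValueError:
        return False


def server_would_execute(rendered: str) -> bool:
    """The check a defender cares about: does the rendered page still contain
    an exec directive? As the walkthrough shows, the SSI parser accepts EXEC
    as well as exec, so the check must be case-insensitive too."""
    return re.search(r"<!--#\s*exec\b", rendered, re.IGNORECASE) is not None
```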
From RCE to reverse shell
As usual, we generate a reverse shell with msfvenom.
Then we upload the reverse shell onto the system.
We configure our Meterpreter listener.
We make the reverse shell executable and run it.