ForwardSlash
RETIRED MACHINE

OS: Linux
DIFFICULTY: Hard
MACHINE RATING: 3.9
USER OWNS: 2850
SYSTEM OWNS: 2623
RELEASED: 04/04/2020
Created by InfoSecJack & chivato

Machine Synopsis

ForwardSlash is a hard Linux machine featuring a compromised server. Through directory busting, it is possible to identify a virtual host that points to a backup instance of the website. After registering a new account, an LFI vulnerability is identified through a disabled HTML form. The LFI vulnerability can be used to access the `dev` endpoint, which only allows local connections. The `dev` page accepts XML input, and an XXE vulnerability is identified there. Successful exploitation of the vulnerability leads to the disclosure of FTP credentials for the user `chiv`. As the credentials have been reused for SSH, it is possible to gain a foothold on the server. A SUID binary is found that attempts to read files whose name is the MD5 hash of the time the binary is run. A symbolic link is created that points to a backup of a PHP configuration, leading to the disclosure of credentials for the user `pain`. These new credentials also work with SSH, and the user flag is acquired. Finally, a ciphertext is found in the user's home directory along with the code used to encrypt it. Once a working decryption script has been written, a password is revealed. This can be used to decrypt a `LUKS` image found at `/var/backups/recovery`. The image contains the RSA private key for the `root` account.
