Patato - OffSec Proving Grounds
Objective
Employ enumeration and web enumeration techniques to identify vulnerabilities. Engage in PHP type juggling for authentication bypass and implement methods for exploiting LFI. Additionally, utilize password cracking and harness privilege escalation strategies along with the abuse of sudo permissions to enhance your access. This lab is designed to capitalize on your skills in vulnerability exploitation.
Enumeration
Nmap
Initial Nmap enumeration revealed open SSH and HTTP ports, along with an unusual FTP port.
Web Enumeration
Subsequently, Dirb was used to discover an admin login page. Additionally, an admin logs page was found, which disclosed the username ‘admin’.
FTP Anonymous Login
Anonymous FTP login was enabled on the unusual port, allowing access to a backup file named index.php.bak. This file contained the login code with a hardcoded username and password. While the password itself was not known, the logic was vulnerable to PHP type juggling, which was exploited to bypass authentication.
Exploitation
PHP Type Juggling
An explanation of the PHP type juggling vulnerability can be found in the images below.
By applying the type juggling logic (passing an array to strcmp() results in an error that returns false, which the loose comparison then treats as 0), we were able to bypass authentication and access the dashboard. Additionally, the user’s password was exposed in plaintext within a cookie.
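To make the failure concrete from the defender's side, the following added example (not the lab's index.php, and not the PG author's code) reconstructs the loosely-typed strcmp() login pattern described above and places a strictly-typed version next to it. The stored username, the placeholder password and the function names are assumptions for the demo; the lab's real hardcoded credentials are not reproduced.

```php
<?php
// Added example: loose strcmp()-based login check versus a hardened check.
// $storedPassword below is a placeholder, not the value from the lab's backup file.

function vulnerableLogin($user, $pass, string $storedUser, string $storedPassword): bool
{
    // Loose comparison with == 0. On PHP 7, strcmp() given an array emits a warning
    // and returns NULL (often described as "false"); NULL == 0 is true, so the check
    // passes without knowing the password. On PHP 8+, strcmp() throws a TypeError
    // instead, which is reported here as a failed login.
    try {
        return @strcmp($user, $storedUser) == 0 && @strcmp($pass, $storedPassword) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

function hardenedLogin($user, $pass, string $storedUser, string $storedPasswordHash): bool
{
    // 1. Reject any non-string input before it reaches a string function,
    //    so an array or other juggled type can never "equal" a string.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // 2. Compare with a constant-time, strictly-typed function, never loose ==.
    $userOk = hash_equals($storedUser, $user);
    // 3. Verify against a password hash; the plaintext is never stored or
    //    echoed back (the lab also leaked it through a cookie).
    $passOk = password_verify($pass, $storedPasswordHash);
    return $userOk && $passOk;
}

// Constructed inputs for the demo
$storedUser     = 'admin';
$storedPassword = 'placeholder-secret';                  // placeholder, not the lab value
$storedHash     = password_hash($storedPassword, PASSWORD_DEFAULT);

$cases = [
    'correct string'  => ['admin', 'placeholder-secret'],
    'wrong string'    => ['admin', 'wrong'],
    'array for pass'  => ['admin', ['x']],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-16s vulnerable=%-5s hardened=%s\n",
        $label,
        var_export(vulnerableLogin($u, $p, $storedUser, $storedPassword), true),
        var_export(hardenedLogin($u, $p, $storedUser, $storedHash), true));
}
```

Run it under PHP 7 and the "array for pass" row shows the loose check returning true while the hardened check returns false; under PHP 8 both return false for that row because strcmp() now refuses non-string arguments, which is exactly why the is_string() guard and hash_equals()/password_verify() pairing is the fix to carry forward rather than relying on the interpreter version.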
Path Traversal
Within the admin dashboard, the log page included a file_name parameter that was vulnerable to a path traversal attack. Exploiting this allowed access to sensitive files, such as /etc/passwd.
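The traversal above works because the file_name value is joined onto a directory path and opened as-is. The following added example (not the lab's log page code) shows a hardened resolver for such a "view log file" handler: the directory name, the helper name and the demo inputs are assumptions for illustration.

```php
<?php
// Added example: safe resolution of a user-supplied log file name.
// resolveLogPath() and the temp directory are constructed for this demo.

function resolveLogPath(string $baseDir, string $fileName): ?string
{
    // Layer 1: allow-list the name itself. No slashes, no percent-encoding,
    // no dot-only names, so "../" never reaches the filesystem call.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $fileName) || $fileName === '.' || $fileName === '..') {
        return null;
    }
    // Layer 2: canonicalise both paths. realpath() collapses ".." segments and
    // symlinks and returns false for files that do not exist.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $fileName);
    if ($base === false || $full === false) {
        return null;
    }
    // Layer 3: the canonical result must still sit inside the base directory
    // (the trailing separator stops "/var/logs2" from matching "/var/logs").
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demo directory with one log file
$dir = sys_get_temp_dir() . '/logdemo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/app.log", "constructed log line\n");

$inputs = ['app.log', '../../etc/passwd', '....//....//etc/passwd', 'app.log%00'];
foreach ($inputs as $in) {
    $resolved = resolveLogPath($dir, $in);
    printf("%-26s -> %s\n", $in, $resolved === null ? 'rejected' : 'served ' . basename($resolved));
}

unlink("$dir/app.log");
rmdir($dir);
```

Only the first input is served; the others are rejected by the allow-list before any filesystem access, and the realpath() containment check remains as a second line of defence for names that pass the pattern but resolve elsewhere (for example through a symlink planted in the log directory).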
The target was using md5crypt for password hashing. Using Hashcat, the hash was successfully cracked, revealing the plaintext password.
Next, I accessed the system via SSH and obtained the user flag.
Privilege Escalation
sudo -l
sudo -l revealed that I have permission to run the /bin/nice command within the /notes/* directory.
By leveraging path traversal again, I executed sudo /bin/nice /notes/../bin/bash and successfully obtained root privileges.