Description
Obtain RCE on the host shop.edu.stf (10.124.1.238) through arbitrary file upload.
To get the flag, run the script /home/rceflag.
First, I ran an Nmap scan on the target host.
Open Ports: 22, 80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 e7:a7:68:5a:e0:55:db:96:7f:b9:aa:5e:30:72:bf:f8 (RSA)
| 256 1d:75:9d:23:c6:58:40:c1:7d:ec:0f:7b:ff:6f:66:34 (ECDSA)
|_ 256 df:54:3c:65:6f:e8:f8:ce:e0:fd:17:87:89:c1:fd:85 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: BCORE Admin Dashboard Template | Login Page
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 328.36 seconds
Next, I ran a ffuf scan to enumerate directories.
┌──(kali㉿kali)-[~/Downloads]
└─$ ffuf -u http://shop.edu.stf/FUZZ -w /usr/share/wordlists/dirb/common.txt
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://shop.edu.stf/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 4118, Words: 875, Lines: 92, Duration: 211ms]
.htpasswd [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3562ms]
.hta [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3563ms]
.htaccess [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 4557ms]
assets [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 208ms]
db [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 206ms]
index.html [Status: 200, Size: 4118, Words: 875, Lines: 92, Duration: 209ms]
index.php [Status: 200, Size: 2488, Words: 471, Lines: 68, Duration: 210ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 209ms]
:: Progress: [4615/4615] :: Job [1/1] :: 193 req/sec :: Duration: [0:00:27] :: Errors: 0 ::
I discovered several interesting directories, including a hellophones.sql database file on /db containing information about users, products, and other data.
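As an added defender-side example (not part of the original writeup), the script below flags the two traces the scan above would leave in Apache's access log: a single client drawing 403/404 responses across many distinct paths (or sending ffuf's default User-Agent), and a database dump such as /db/hellophones.sql being served with status 200. The log lines and the client addresses 10.124.1.50 and 10.124.1.77 are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".bak", ".zip", ".tar.gz")  # dumps/backups
FFUF_UA_MARKER = "Fuzz Faster U Fool"  # prefix of ffuf's default User-Agent

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, miss_threshold=20):
    """Return ({client_ip: distinct 403/404 paths}, [served sensitive paths]).
    A client is reported when its distinct-miss count reaches miss_threshold
    or when it sends the ffuf default User-Agent."""
    misses, fuzz_clients, exposed = defaultdict(set), set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not in combined format; ignore
        status = int(rec["status"])
        if status in (403, 404):
            misses[rec["ip"]].add(rec["path"])
        if FFUF_UA_MARKER in rec["ua"]:
            fuzz_clients.add(rec["ip"])
        if status == 200 and rec["path"].lower().endswith(SENSITIVE_SUFFIXES):
            exposed.add(rec["path"])
    enumerating = {ip: len(p) for ip, p in misses.items() if len(p) >= miss_threshold}
    for ip in fuzz_clients:
        enumerating.setdefault(ip, len(misses.get(ip, ())))
    return enumerating, sorted(exposed)

def _line(ip, path, status, ua="Mozilla/5.0"):
    return (f'{ip} - - [12/May/2024:10:01:02 +0000] "GET {path} HTTP/1.1" '
            f'{status} 277 "-" "{ua}"')

# Constructed sample traffic (client addresses are made up): one normal visitor
# and one client walking a wordlist, ending with a successful fetch of the dump.
SCAN_UA = "Fuzz Faster U Fool v2.1.0-dev"
SAMPLE_LOG = [_line("10.124.1.77", "/index.html", 200),
              _line("10.124.1.77", "/assets/style.css", 200)]
SAMPLE_LOG += [_line("10.124.1.50", f"/word{i}", 404, SCAN_UA) for i in range(30)]
SAMPLE_LOG += [_line("10.124.1.50", "/.htaccess", 403, SCAN_UA),
               _line("10.124.1.50", "/db/hellophones.sql", 200, SCAN_UA)]
```

Running `analyze(SAMPLE_LOG)` reports the scanning client with 31 distinct misses and lists /db/hellophones.sql as an exposed file; the same check against a real log would be fed the file's lines instead of SAMPLE_LOG.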
Browsing to the URL, I first landed on the index.html page. When I tried to enter a username or password, or register a user, there was no response.