Description

Obtain RCE on the host smashmusic.edu.stf (10.124.1.241) through unrestricted file upload.

To get the flag, run the script /home/rceflag.

I started by scanning for ports and services with Nmap, and immediately found something interesting.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 40:01:60:a0:6a:6a:3f:11:fa:74:fc:3a:d2:f4:71:40 (RSA)
|   256 c3:f7:5f:f5:77:54:17:c5:ba:07:30:5f:84:89:63:5c (ECDSA)
|_  256 5a:7a:0a:0e:19:35:5a:d1:71:76:b1:2c:6a:79:17:81 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: SmashMusic
| http-robots.txt: 3 disallowed entries 
|_/secret/ /core/ /uploads/
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 357.96 seconds

Next, I ran ffuf to scan for additional directories.

┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -u http://smashmusic.edu.stf/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://smashmusic.edu.stf/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

uploads                 [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 208ms]
styles                  [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 219ms]
assets                  [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 219ms]
javascript              [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 208ms]
core                    [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 209ms]
phpmyadmin              [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 215ms]
js                      [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 5019ms]
secret                  [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 209ms]
vendor                  [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 207ms]
server-status           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 212ms]
:: Progress: [62281/62281] :: Job [1/1] :: 189 req/sec :: Duration: [0:05:37] :: Errors: 0 ::
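The ffuf run above sends tens of thousands of requests in a few minutes, almost all of them 404s to distinct paths from one source. As an added example that is not part of this writeup, here is a small Python detector a defender could run over Apache access logs to flag exactly that pattern; the log lines are constructed, and the ffuf User-Agent string used in them is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format, as written by the httpd seen in the scan above.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_enumeration(lines, window_s=60, min_requests=50, min_404_ratio=0.8, min_distinct=40):
    # Flag a source IP if any sliding time window holds many requests that are almost all
    # 404s to distinct paths: the signature of a wordlist scan, not of a browsing user.
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            n404 = sum(r["status"] == 404 for r in win)
            distinct = len({r["path"] for r in win})
            if len(win) >= min_requests and n404 / len(win) >= min_404_ratio and distinct >= min_distinct:
                flagged[ip] = {"requests": len(win), "not_found": n404,
                               "distinct_paths": distinct, "user_agent": win[-1]["ua"]}
                break
    return flagged

# Constructed sample log (not from the page): one IP running a wordlist with what is
# assumed to be ffuf's default User-Agent, and one ordinary visitor fetching real pages.
def _line(ip, sec, path, status, ua):
    return (f'{ip} - - [01/Jan/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 283 "-" "{ua}"')

FFUF_UA = "Fuzz Faster U Fool v2.1.0-dev"
SAMPLE_LOG = [_line("10.0.0.5", i % 60, f"/word{i}", 404, FFUF_UA) for i in range(120)]
SAMPLE_LOG += [_line("10.0.0.5", 30, p, 301, FFUF_UA) for p in ("/uploads", "/core", "/secret")]
SAMPLE_LOG += [_line("10.0.0.9", s, p, 200, "Mozilla/5.0")
               for s, p in ((1, "/index.php"), (5, "/styles/main.css"), (9, "/index.php"))]
```

Running `detect_enumeration(SAMPLE_LOG)` reports only 10.0.0.5; the thresholds are deliberately conservative so that a visitor following a few broken links is not flagged.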

After exploring the website, I found it was a standard webpage without any notable vulnerabilities or interesting features.


Next, I accessed the secret path that I discovered earlier.

When I clicked on both links, it redirected me back to index.php.
