Today we will take a look at TryHackMe: Road. Please try to understand each step and take notes. This time, our machine has an Application Logic vulnerability. We can access the admin panel by making small changes to the outgoing request.
First of all, let’s look at the necessary information on the website.
We found an email address extension, let’s save it.
When we press the Merchant central button, we are greeted by a panel. Let’s register.
When you want to upload a reverse shell to a profile photo from the settings section, we see that it will only be possible by the admin.
When we check other sections, we see the password change section.
Let’s change our password and track traffic with burp.
We know the admin email address. Why not check?
And booom. Password changed. Let’s check
Let’s check to get reverse shell
Let’s take a look at the answer that comes with Burp.
We found the directory. It’s time to get the reverse shell
The first thing I do when I get a shell is check the gcc. If the target machine is running, I run CVE-2021–4034 (pwnkit) vulnerability. But of course you can find another way as linpeas.sh or manually.
And now we are the root
“If you have any questions or comments, please do not hesitate to write. Have a good days”