PriviaHub “Icecream” Machine Solution

This article describes the solution steps of the retired machine ‘’ICECREAM’’ on the PriviaHub platform. First of all, scanning has been started to detect the open ports on the machine, current services running on the open ports and operating system. For the scanning process, Nmap has been used and nmap -A <<IP_Address>> -Pn -v command has been executed. -A parameter is a parameter that performs SYN scan, current service version scan, operating system scan and traceroute scan. -Pn parameter is used to scan machines that are closed to PING request.

Because nmap performs a PING scan by default and if the system does not accept ping requests, nmap does not perform any scan to the system and decides that the system is offline. This is because the machines on the PriviaHub platform are inspired by real company networks and many machines on the PriviaHub platform are closed to PING. -v parameter is also used to give detailed information.

As a result of the scanning process, it was found that port 80 is open, “Apache 2.4.39” service is running on this port and operating system is the “Windows Server 2012”.

PriviaHub "Icecream" Machine Solution
Image 1 – Scanning Results

Access to the web application running on the Apache service is provided through the web browser via port 80.

PriviaHub "Icecream" Machine Solution
Image 2 – Web Application

When the “ABOUT” page is accessed via home page, to display content of this page, the path to the page is assigned to a parameter named “file”.

PriviaHub "Icecream" Machine Solution
Image 3 – ”file” Parameter

This assignment takes advantage of the “include()” function of the PHP programming language and the content of all local files to be assigned to the “file” parameter is added to the content of the page named “index.php”. This causes the LFI (Local File Inclusion) vulnerability.

For test purposes, the content of the file named win.ini was successfully displayed by specifying the path “C: \Windows\win.ini”.

PriviaHub "Icecream" Machine Solution
Image 4 – Triggering the LFI Vulnerability

Then, by exploiting the LFI vulnerability, the paths where the flags are located are assigned to the “file” parameter and the flags are displayed on the index.php page.

PriviaHub "Icecream" Machine Solution
Image 5 – Non-PrivFlag
PriviaHub "Icecream" Machine Solution
Image 6 – PrivFlag