niedziela, 22 maja 2016

Seattle v0.3 CTF writeup

You should check the Seattle v0.3 CTF - it is another great VM this time from GracefulSecurity.
(I found it few weeks ago on and now it was a time to do it.) It was again great
pleasure and a lot of fun. Thanks!

So, after quick nmap...

... we can see that there is a nice WWW:

...and (as it was looking like an e-commerce/shop I was wondering if) there is "some kind of SQL Injection". Now, to be honest, I had a one problem here with sqlmap. I couldn't run it against normal URL, I mean it was possible (in my case) only when I started it like this: sqlmap -r req.txt --level 5 --risk 3. I decided to use sqlmap with -r parameter, because I couldn't find a way to run it against any 'normal' (simple GET from CLI) request I found.

Full request (req.txt) looks like this:

 Now we can be sure that this webpage is vulnerable:

Running sqlmap with --passwords param gives us:

Oh, how nice. :) But there still no shell access (ssh) so let's find out, what we can do now. I saw 'My Account' page on our Seattle web server, so (as we already have access to DB), I was wondering maybe there is some other (that root) account (and password), maybe e-commerce users...

In deed, there is - admin's :)

 Cool, checking:

Oh, thanks.

What's next?


So level2 I will leave for you as an exercise. ;)

Brak komentarzy:

Prześlij komentarz