When Gibson was done I had some time to check out another great CTF hosted by VulnHub. This time the game was prepared by Touhid Shaikh - thanks! :] Below you will find a few details showing how I solved this challenge. Here we go...
As usual, when the machine was ready I decided to scan it (unicornscan) to find out if there are any open ports:
As you can see, I also started some dirb scan(s) to look for other/interesting directories. One of them was /robots (or /robots.txt ;]):
Searching through the directories we found, we can see some "backup" file:
Let's grab it:
What about the other dirs? See below:
Unfortunately we need a password to open the backup file...
In the meantime I was still looking at the results from dirb. One interesting thing - there was "nothing" ;]
So I decided to create a 'small password list' and use it against our backup... Next, checking:
When the file was extracted (and I saw '.mp3') I was 'ready' for something like what we had during the Kvasir CTF
You probably remember this one:
When I was looking again for Sonic Visualiser...
... I noticed that our MP3 file is pretty small - so I decided to open it first in Notepad++ ;]
Checking:
(During the boot you can grab the username for future attacks:
We will need it now ;) )
So...? RCE? SQLi? A weak password...? Checking...
In the other window I saw that there is something wrong:
Should I understand the comment first?
Let's try:
:>
Ok, next... While searching on Google for more information about the webapp I found the page presented on the screen below:
Ok, so this is an open-source webapp ;]
And we probably found some hint (from the author? ;] )
Should it be RCE? Let's try.
According to the original PoC, we should be here:
Upload was ok:
Let's modify the upload request now to check if the installed version is vulnerable:
When I did it, the response page was a little bit different:
I decided to read the PoC from the author again, and this time the filename in the request was changed to PHP code, see below:
Our response now looks like this:
Cool! :] Let's try something more:
Response:
Great! :] Let's try to list the current directory:
Good... but I need a better shell...
I decided to use base64 to encode the payload (this way I had better control over the string):
Checking:
Seems to be all right. Time for PentestMonkey :]
By the way, I tried to list the webroot; next I found 'rwx' on the ../uploads directory - in /tmp I could not run the bash backdoor. Then I tried date>../uploads/DATE (see below):
I also tried to put some bash backdoor there, but as you will see later - I never used it ;)
Ready:
The reason I 'never used it':
So I decided that there was no time for that. Let's try something else (checking perms on /uploads/):
Good. Next (read: when I saw that uploading PHP would not work this time) I decided to use base64 again, like this:
For:
So, as you can see below, we finally have some content:
After a few "modifications" of the uploaded file (base64 -d ... and so on...) ...
...we are...
here:
Prepare your netcat now:
We did it! Finally there is a 'better shell' ;]
Let's look around:
Content of the webroot:
Our user's home:
Yeah, cool, but I was looking for root here...
Looks like there is a new root in town ;]
And we will need some proof (like before ;))
This one should be good:
I must say that this was a very interesting CTF :) Big thanks go to Touhid Shaikh for preparing such a cool game and to VulnHub for hosting all of those machines!
It was a pleasure.
See you next time... ;]
Cheers
o/