Zorz - CTF

When Quaoar CTF was finished I decided to try another one - this time I tried ZorZ CTF prepared by TopHatSec. Thank to VulnHub you can find this machine available here. Here we go...

When few findings from standard fingerprint checks was already logged on the disk I decided to check them one by one to find some interesting hints of 'how to hack this box'... nmap and little dirbusting should be enough for the beginning:

When I saw a possibility of file-upload I decided to play with it using Burp:

Unfortunately response was pretty similar to the one below:

Trying harder... ;]

Response now looks like this:

Cool ;] In the middle of time I found few more interesting directories, so I decided to try to upload file from up1-file to up2-dir... ;) After a while I've got:

 Ok, checking:

At this stage I found another nice place to check:

This time uploader was preparet differently (again;)). Checking (and mixing with up2dir;)):

I like this response:

;]

Checking if there was a real upload ;)

Checking:

Looking around and we found new directory - not found during dirb scan(s):

Checking:

Ok, nice ;] So I believe it's the 'game over' for this one. ;]

Bit thanks goes to TopHatSec for preparing this game and to the VulnHub Team for providing CTFs:)

See you next time ;]


Cheers
 o/