Since I've been playing (and publishing) notes from CTFs, this one stood out: the SQL injection was very interesting in my opinion. Chaining it with another vulnerability - very cool move. ;)
Thanks to the author for preparing such a cool CTF and to Vulnhub for hosting. :)
Let's get to work.
All the details about the VM can be found here:
While the machine was booting, I connected via SSH to my KaliBox, logged in as root and started netdiscover. The CTF machine this time was at 192.168.56.109. Let's scan it:
Ok, we will check web first.
I was wondering whether I'd find something nice with Burp, but most of the time I only got:
Ok, nice. What's next? Maybe dirb to find some cool/hidden directories?
Yeah, but after a while I was blocked (usually at the '/server' request during those dir-scans).
Ok, so I decided to check another request from Burp: /image.php:
I was wondering whether we could find RFI or LFI here:
Seems that we can! :) Let's now check for some other possible files we can get here:
Looks like this one will be very interesting :D
Let's dig deeper and check config.php:
Great, looks like we also have a login, password and DB name. Let's go deeper. Checking Apache's files:
Ok. I used the "promocode" request as input for sqlmap, but nothing happened. I played a little bit with the --level and --risk parameters, but there were no interesting results... Back to Burp to check whether I missed something. When I tried a request like:
Ok. Let's change a few things here:
Now the response is empty:
Ok, so something's going on there. I took that as an indicator of a (union-based) SQL injection. With some basic bypass attacks you should be able to prepare a working payload (you already have the source, after all)... still nothing. I was wondering what I was doing wrong...
After a while I decided to go back to the LFI bug and check one thing. When reading the VM's ports.conf (you can also observe this in the /img/ directory on the web), you will find that there is a local open HTTP port - 8080. Let's try whether we can do a GET to http://localhost:8080/ via LFI:
Sure, so I decided to use it again. This time with our SQL injection:
A working payload should look like (1). After encoding it (for bypass purposes) you will get (2). Change it a little bit again, and your payload is (3). You will find that:
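From the defender's side, the two request shapes used above (traversal reads through image.php and an include pointed at the local 8080 service) are easy to spot in the Apache access log. The following is an added example, not code from this write-up; the parameter name `file`, the client address and the sample log lines are constructed assumptions.

```python
# Flag LFI and local-fetch requests against image.php in Apache access logs.
# Added example, not code from the original write-up. The parameter name "file",
# the client address and the sample log lines are constructed assumptions.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log line: client, timestamp, method, path, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
TRAVERSAL = re.compile(r'\.\.[/\\]')             # ../ or ..\ after decoding
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # targets of an LFI-to-local-port fetch

def classify(request_path):
    """Findings for one request path; an empty list means nothing suspicious."""
    findings = []
    for name, values in parse_qs(urlsplit(request_path).query).items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; catch %252e-style double encoding
            if TRAVERSAL.search(value):
                findings.append(f"traversal in {name}")
            target = urlsplit(value)
            if target.scheme in ("http", "https"):
                # the include is handed a URL: remote (RFI) or, as in the write-up, local port 8080
                where = "local" if target.hostname in LOCAL_HOSTS else "remote"
                findings.append(f"{where} url in {name}")
    return findings

def scan_log(lines):
    """Return (client, path, findings) for every log line with at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _ts, _method, path, _status, _size = m.groups()
        findings = classify(path)
        if findings:
            hits.append((client, path, findings))
    return hits

# Constructed sample: normal fetch, traversal, double-encoded traversal, local 8080 fetch, unrelated 403.
SAMPLE_LOG = [
    '192.168.56.1 - - [10/Mar/2017:12:00:01 +0000] "GET /image.php?file=logo.png HTTP/1.1" 200 5123',
    '192.168.56.1 - - [10/Mar/2017:12:00:05 +0000] "GET /image.php?file=../../../../etc/passwd HTTP/1.1" 200 1871',
    '192.168.56.1 - - [10/Mar/2017:12:00:09 +0000] "GET /image.php?file=..%252F..%252Fconfig.php HTTP/1.1" 200 412',
    '192.168.56.1 - - [10/Mar/2017:12:00:15 +0000] "GET /image.php?file=http://localhost:8080/ HTTP/1.1" 200 88',
    '192.168.56.1 - - [10/Mar/2017:12:00:20 +0000] "GET /server HTTP/1.1" 403 199',
]

for client, path, findings in scan_log(SAMPLE_LOG):
    print(client, path, ", ".join(findings))
```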
All right! Let's check if it's working:
Great, we've got a shell! But wait. Are you sure?
Hm... Let's go back to our LFI example and find out which shell the user andrea is assigned:
Aha. So this is the reason... But I saw that there was some Python error message. I was wondering how I could exit from that (probably) Python shell into a normal shell. I tried it like this:
Unfortunately it gave me nothing. Then I remembered that some time ago I was reading about cool one-liners to use during pentests. A few examples in various languages can be found on PentestMonkey (thanks!).
Let's try again:
And now I see ("the light" ;) and finally) some output from the commands.
Let's check the kernel version (uname -a); maybe there is already some known vulnerability and we can quickly get root:
Ok, let's try here:
Looks like this one should be good:
Let's run it now:
I must say again that it was a really good adventure and I really liked this CTF.
Big thanks for preparing the game goes to the author (CanYouPwn.Me).