niedziela, 11 września 2016

6Days Lab CTF

Friend of mine asked me if I know this CTF. I decided to check it during the weekened. Below quick review...

As far as I'm playing (and publishing) some notes from CTF, during this one, SQL injection was very interesting in my opinion. Connecting it with other vulnerability - very cool move. ;)

Thanks for the author for preparing such a cool CTF and for Vulnhub for hosting. :)

Let's get to work.

All needed details about the VM you will find here:


When machine was booting I connected via ssh to my KaliBox, logged as root and started netdiscovery. CTF machine this time was on Let's scan it:

Ok, we will check web first.

I was wondering maybe I will find something nice with Burp but for most of times I've got only:

Ok, nice. What's next? Maybe dirb to find some cool/hidden directories?

Yeah, but after a while I was blocked (usually at '/server' request during those dir-scans).

Ok, so I decided to check another requests from Burp: /image.php:

I was wondering maybe we can find RFI or LFI here:

Seems that we can! :) Let's check now for some other possible files we can get here:

Looks like this one will be very interesting :D

Let's dig deeper, check config.php:

Great, looks like we also have a login, password and DB name. Let's go deeper. Checking Apache's files:

Ok. I used "promocode" request as an input for sqlmap but nothings happened. I played a little bit with --level and --risk parameters but there were no interesting results... Back to Burp to check, maybe I missed something. When I tried request like:

Response was:

Ok. Let's change few things here:

Now response is empty:

Ok, so somethings going on there. I took that as an indicator of (union based) sql injection. With some basic bypass attacks you should be able to prepare a working payload (you already got the source, so)... still nothing. I was wondering what am I doing wrong...

After a while I decide to go back to LFI bug, and check one thing. When I was reading (vm's) ports.conf (as well as you can observe that in /img/ directory on web) you will find that there is an (local) open port for HTTP - 8080. Let's try if we can do a GET to http://localhost:8080/ via LFI:

Sure, so I decide to use it again. This time with our SQL injection:

Working payload should looks like (1). After encoding it (for bypass purposes) you will get (2). Change it a little bit again, and you payload (3). You will find that:

All right! Let's check if it's working:

Great, we've got a shell! But wait. Are you sure?

Hm... Let's go back to our LFI example, and find out what shell andrea is referred to:

Aha. So this is the reason... But I saw that there is some python-error message. I was wondering how can I exit from that (probably) "python"-shell to normal shell. I've done that like this:

Unfortunately it gave me nothing. I figure out that some time ago I was reading about cool one-liners to use during pentests. Few examples in various languages you can find on PentestMonkey (thanks!). 

Let's try again:

And now I see ("the light" ;) and finally) some output from commands. 

Let's check for kernel version (uname -a), maybe there is already some known vulnerability and we can quickly get root:

Ok, let's try here:

Looks like this one should be good:

Let's run it now:

Yes. :) 

I must say that again that it was a really good adventure and I really liked that CTF.
Big thanks for preparing the game goes to the author (CanYouPwn.Me). 


4 komentarze:

  1. Hey, thanks for posting this. How did you know to look for the username,password from fancydb.users and it would be the same for the OS?

    1. Hi,

      afaik you can use some enumeration for common user/password-table names. Then you should find it.

      Thanks for watching. :)

  2. Thanks for posting this!
    How did you know that the users in the fancydb.users would work in ssh?

    1. Hi Peri,

      just trying. If not via the door - try window. ;)

      Thanks for watching.