In the middle of the other activities and projects, I decide to sit down for a while and check another CTF. This time I decided to try Bitbot. Found again on VulnHub – thank you guys. Also big thanks for the author (bwall) for preparing this game! So… Let’s get to work.
After a quick scan, you will find that the most interesting port probably will be the HTTP here, port 80:
Ok, let’s check it. Maybe we can find something interesting on the webpage:
Cool, but after visiting this link, we will find an error page:
First idea was to check the structure of the WWW. To make it fast, I used dirb (installed as a default on Kali Linux). Some results below:
Here we have 2 (interesting) locations. Directory /bot/ (results with 403 code) and admin.php. Let’s check the second one:
Ok, so here we have an admin panel… as you probably already know, vulnerable to SQL injection. To verify it, we will grab a login request (Burp) and set it as an input for sqlmap:
Now save it to txt file and run sqlmap with –r parameter:
Unfortunately – (as far) no. ;) What’s next?
I decide to think again. Everything was ok, I found 3 potential ways (read: open ports). Good. I decide to choose one service – http; should be ‘the most interesting’. And that’s how I stucked. Ok, so let’s back to the webpage again. In your Kali box, in the directory of dirb (/usr/share/) you will also find a nice list of different files prepared as an input for your dirb scans during some web pentests:
After checking few of them I found few other interesting locations. Log seems to be bigger this time:
Let’s find out if there are only false positives or we can use some of the results. Unfortunately I couldn’t find anything interesting (or useful) but after googling for a while I found that @botnet_hunter already wrote an exploit for the vulnerability found in Bitbot:
Now we can use the code or re-write it to use for our purpose. Let’s try the hard way ;)
Quick verification (via sqlmap):
And indeed, gate2.php is vulnerable to SQL injection attack:
Ok, so we can run sqlmap with –sql-shell parameter:
Cool! ;] Maybe we can read some files via SQL injection? Quick verification with sqlmap again (loading /etc/passwd):
Great! Reading files is possible. Now we are able to read the source of admin.php:
… oh yes, we’ve found the admin’s password! ;)
Can we log in?
Yes, we can ;] So far, so good. After spending some time to analyze how can I upload a shell there, I figureout that if we can run local server to host a “backdoor” file (webshell) we can obtain a remote shell on the bot’s machine. As you can see, there are few commands to use. We will try with DOWN(load) of course. Prepare your favorite backdoor (or reverse-shell in python ), run a local HTTP server and wait with netcat in other window:
Now, “Add” (run) a command to the bot. Before that, one important thing. I was wondering why I can not see any traffic from the bot to my (netcat) machine. As you can see on the screen, status of the bot is ‘Offline’. I don’t know why it was like that on a first place, but I was able to run a shell after a restart of the whole VM. Then the status was again ‘Online’ (and now, attack was possible).
Python server received a connection from the bot:
On the other window we can see connection from the bot (with reverse shell):
Cool. In the /home/botter/ directory, we will find a script to prepare a root’s password. Let’s see it:
It should be simple. We need to ‘generate’ possible password(s) in the same way:
After our file is prepared we can start now a bruteforce process to grab root’s password:
The last thing is to check if this is a real root password:
Looks like a game over.
Again big thanks for bwall for preparing this CTF!
If you want more, find them here.
See you next time! ;)