In the middle of other activities and projects, I decided to sit down for a while and check another CTF. This time I decided to try Bitbot, found again on VulnHub – thank you guys. Also big thanks to the author (bwall) for preparing this game! So… let's get to work.
After a quick scan you will find that the most interesting port here will probably be HTTP, port 80:
Ok, let’s check it. Maybe we
can find something interesting on the webpage:
Cool, but after visiting this
link, we will find an error page:
My first idea was to check the structure of the website. To make it fast, I used dirb (installed by default on Kali Linux). Some results below:
Here we have two interesting locations: the directory /bot/ (which returns a 403 code) and admin.php. Let's check the second one:
Ok, so here we have an admin panel… which, as you probably already know, is vulnerable to SQL injection. To verify it, we will grab a login request (with Burp) and use it as input for sqlmap:
Now save it to a txt file and run sqlmap with the -r parameter:
Unfortunately (so far) no. ;) What's next?
I decided to think again. Everything was ok: I had found three potential ways in (read: open ports). Good. I decided to pick one service, HTTP, since it should be 'the most interesting'. And that's where I got stuck. Ok, so let's go back to the webpage again. On your Kali box, in the dirb directory (under /usr/share/), you will also find a nice collection of wordlist files prepared as input for your dirb scans during web pentests:
After checking a few of them I found a few other interesting locations. The log seems to be bigger this time:
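Both dirb passes above leave the same trace on the server side: one client producing a burst of 404 responses, followed (once sqlmap is pointed at a page) by requests carrying quotes or SQL keywords. The following is an added example, not code from the original post or from the Bitbot VM, showing how a defender would pick those two patterns out of an Apache/nginx combined-format access log. The log lines are constructed for the example, the `param` query-string name on gate2.php is made up, and it is assumed the scanner left its default User-Agent.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format. Assumption: the web server
# being watched logs in this common format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log, not captured from the Bitbot VM. 10.0.0.9 walks a
# wordlist (a burst of 404s, plus the 403 for /bot/ the post mentions) and
# later probes gate2.php with a single quote; the parameter name is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:02 +0000] "GET /admin HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:02 +0000] "GET /backup HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:03 +0000] "GET /bot/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:03 +0000] "GET /config HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:04 +0000] "GET /db HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:04 +0000] "GET /old HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:00:05 +0000] "GET /test HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2014:10:02:00 +0000] "GET /favicon.ico HTTP/1.1" 404 231 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2014:10:05:00 +0000] "GET /gate2.php?param=1%27 HTTP/1.1" 500 0 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
"""


def parse_log(text: str) -> list[dict]:
    """Turn raw log text into dicts with a parsed timestamp and int status."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def detect_dir_bruteforce(entries, window_s: int = 60, threshold: int = 5) -> set[str]:
    """IPs with more than `threshold` 404 responses inside any `window_s`-second
    window: the signature a wordlist scan leaves, whatever User-Agent it uses."""
    misses = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            misses[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in misses.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # slide the window start forward until it fits in window_s
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged


# Cheap indicators of injection probing in the request line; tune per app.
SQLI_RE = re.compile(r"%27|'|%20(or|and)%20|\bunion\b|sleep\(", re.I)


def detect_sqli_probes(entries) -> list[tuple[str, str]]:
    """Requests whose path carries a quote or SQL keyword, or whose
    User-Agent names an injection tool that kept its default UA."""
    hits = []
    for e in entries:
        if SQLI_RE.search(e["path"]) or "sqlmap" in e["ua"].lower():
            hits.append((e["ip"], e["path"]))
    return hits


def analyse(text: str = SAMPLE_LOG) -> dict:
    """Run both detectors over a log and return the findings."""
    entries = parse_log(text)
    return {
        "dir_bruteforce": sorted(detect_dir_bruteforce(entries)),
        "sqli_probes": detect_sqli_probes(entries),
    }


if __name__ == "__main__":
    print(analyse())
```

The 404-burst rule is deliberately User-Agent agnostic, because a scanner's UA string is trivially changed while the miss rate is not; the keyword rule is only a first filter and should be tuned against the application's own URL patterns to keep false positives down.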
Let's find out whether these are only false positives or whether we can use some of the results. Unfortunately I couldn't find anything interesting (or useful), but after googling for a while I found that @botnet_hunter had already written an exploit for the vulnerability found in Bitbot:
Now we can use the code as-is or rewrite it for our purpose. Let's try the hard way ;)
Quick verification (via sqlmap):
And indeed, gate2.php is vulnerable to SQL injection:
Ok, so we can run sqlmap with the --sql-shell parameter:
Cool! ;] Maybe we can read
some files via SQL injection? Quick verification with sqlmap again (loading /etc/passwd):
Great! Reading files is
possible. Now we are able to read the source of admin.php:
… oh yes, we’ve found the
admin’s password! ;)
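Both admin.php and gate2.php fall to the same root cause: user input pasted into the SQL string. As an added example (not code from the original post, the Bitbot VM or @botnet_hunter's exploit), here is a minimal login check written the vulnerable way and the fixed way side by side, so the difference is visible in working code. The table name, columns and credential are constructed for the example, and SQLite stands in for whatever database the CTF actually uses.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the admin-panel users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement with string formatting, so a quote in the input
    ends the literal early and the rest of the input becomes SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized statement: the values travel separately from the SQL text,
    so no input can change the statement's structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> dict:
    """Run the same credentials through both implementations."""
    conn = build_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "fixed": login_fixed(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials pass both checks.
    print("valid login   :", compare("admin", "placeholder-password"))
    # The textbook tautology passes only the string-built version.
    print("injected login:", compare("admin", "' OR '1'='1"))
```

The file read that sqlmap performed above is a separate, stackable weakness: on a MySQL backend it depends on the application's database account holding the FILE privilege. Running the web application under a database user without FILE (and with secure_file_priv set) limits an injection, if one still slips through, to the tables that user can query, rather than to the whole filesystem.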
Can we log in?
Yes, we can ;] So far, so good. After spending some time analyzing how I could upload a shell there, I figured out that if we run a local server to host a "backdoor" file (webshell), we can obtain a remote shell on the bot's machine. As you can see, there are a few commands available. We will try DOWN(load), of course. Prepare your favorite backdoor (or a reverse shell in Python), run a local HTTP server and wait with netcat in another window:
Now "Add" (run) a command for the bot. Before that, one important thing. I was wondering why I could not see any traffic from the bot to my (netcat) machine. As you can see on the screen, the status of the bot is 'Offline'. I don't know why it was like that in the first place, but I was able to get a shell after restarting the whole VM. Then the status was 'Online' again (and now the attack was possible).
The Python server received a connection from the bot:
In the other window we can see the connection from the bot (the reverse shell):
Cool. In the /home/botter/ directory we will find a script that prepares the root password. Let's see it:
It should be simple. We need
to ‘generate’ possible password(s) in the same way:
Once our file is prepared, we can start a brute-force process to grab the root password:
And finally...
The last thing is to check if
this is a real root password:
Looks like game over.
Again, big thanks to bwall for preparing this CTF!
If you want more, find them here.
See you next time!
;)
Cheers