poniedziałek, 5 września 2016

Bitbot CTF

In the middle of the other activities and projects, I decide to sit down for a while and check another CTF. This time I decided to try Bitbot. Found again on VulnHub – thank you guys. Also big thanks for the author (bwall) for preparing this game! So… Let’s get to work.

After a quick scan, you will find that the most interesting port probably will be the HTTP here, port 80:


Ok, let’s check it. Maybe we can find something interesting on the webpage:

Cool, but after visiting this link, we will find an error page: 
First idea was to check the structure of the WWW. To make it fast, I used dirb (installed as a default on Kali Linux). Some results below:

Here we have 2 (interesting) locations. Directory /bot/ (results with 403 code) and admin.php. Let’s check the second one:

Ok, so here we have an admin panel… as you probably already know, vulnerable to SQL injection. To verify it, we will grab a login request (Burp) and set it as an input for sqlmap:

Now save it to txt file and run sqlmap with –r parameter:

Unfortunately – (as far) no. ;) What’s next?
I decide to think again. Everything was ok, I found 3 potential ways (read: open ports). Good. I decide to choose one service – http; should be ‘the most interesting’. And that’s how I stucked. Ok, so let’s back to the webpage again. In your Kali box, in the directory of dirb (/usr/share/) you will also find a nice list of different files prepared as an input for your dirb scans during some web pentests:

After checking few of them I found few other interesting locations. Log seems to be bigger this time:

Let’s find out if there are only false positives or we can use some of the results. Unfortunately I couldn’t find anything interesting (or useful) but after googling for a while I found that @botnet_hunter already wrote an exploit for the vulnerability found in Bitbot:

Now we can use the code or re-write it to use for our purpose. Let’s try the hard way ;)

Quick verification (via sqlmap):

And indeed, gate2.php is vulnerable to SQL injection attack:  

Ok, so we can run sqlmap with –sql-shell parameter:

Cool! ;] Maybe we can read some files via SQL injection? Quick verification with sqlmap again (loading /etc/passwd):

Great! Reading files is possible. Now we are able to read the source of admin.php:

… oh yes, we’ve found the admin’s password! ;)

Can we log in?

Yes, we can ;] So far, so good. After spending some time to analyze how can I upload a shell there, I figureout that if we can run local server to host a “backdoor” file (webshell) we can obtain a remote shell on the bot’s machine. As you can see, there are few commands to use. We will try with DOWN(load) of course. Prepare your favorite backdoor (or reverse-shell in python ), run a local HTTP server and wait with netcat in other window:

Now, “Add” (run) a command to the bot. Before that, one important thing. I was wondering why I can not see any traffic from the bot to my (netcat) machine. As you can see on the screen, status of the bot is ‘Offline’. I don’t know why it was like that on a first place, but I was able to run a shell after a restart of the whole VM. Then the status was again ‘Online’ (and now, attack was possible).

Python server received a connection from the bot:

On the other window we can see connection from the bot (with reverse shell):


Cool. In the /home/botter/ directory, we will find a script to prepare a root’s password. Let’s see it:

It should be simple. We need to ‘generate’ possible password(s) in the same way:

After our file is prepared we can start now a bruteforce process to grab root’s password:

And finally... 

The last thing is to check if this is a real root password:

Looks like a game over. 

Again big thanks for bwall for preparing this CTF!
If you want more, find them here.

See you next time! ;)

Brak komentarzy:

Prześlij komentarz