When I saw the open ports on the remote machine I was almost sure there were multiple ways to achieve UID=0. See below for the first results of the scan:
More open ports:
To summarize it a little bit:
So, yeah. Where to start? ;] I decided to look at those WWW(s) first; this is what I found:
On the other port was:
And Tomcat7:
Next thing I found was Joomla:
At this stage I decided to check the source code of the page to see if there is a hint about the version:
As you can see 'there was'. :] Going deeper:
When I saw Jenkins I thought maybe some kind of deserialization will be the way here...
Checking:
Let's try that phpmyadmin :
Yes, as you will see there is a login/password form. As far as I know, one of the default credentials for PMA is root:toor (or root:root or mysql:mysql... ;]). I didn't believe it would work, but I was logged in, so:
According to this we have some more information for future attacks. For example, what is that g0yg0y database used for?
Checking more:
Checking g0yg0y-db: the password(s) look to be MD5 hashes, let's check:
...and...
Good!
As you can see g0yg0y provides some 'vulnerable challenges', probably for practice.
So let's practice ;]
I started from LFI section:
It's working:
Next section I used was Command Injection of course:
Good. Next:
Next I was looking for some write permissions:
I found that:
Let's read the config of Joomla, maybe we will later need the password:
Next:
Shell anyone? But where:
The 'xx' file was created, but again I couldn't upload PHP. Same trick as before and we are here (p2.txt above); base64-decoding the p2.txt file:
Checking:
Good :]
Next, let's make it pretty:
Looking around:
Not much. Let's find something more:
Maybe it's time to check SMB?
I'm not sure, so I'll stick to one kernel sploit:
Verifying access to the /root directory:
I think this is it :]
I'm glad I tried this CTF. It was a pleasure to play it. Big thanks go to the author - CanYouPwn.Me.
If you're looking for some other challenges you should definitely try the VulnHub.
Big thanks for hosting!
See you next time...
o/
Great post but I was wanting to know if you could write a little more on this subject? I'd be very grateful if you could elaborate a little bit further. Thanks!
Thanks :] It is a pretty good CTF VM. If you're looking for more similar cases try the #ctf tag on the blog. You will also find cool writeups on VulnHub.
Cheers