Thursday, 8 March 2018

Kevgir CTF

Just like before, I found another nice CTF on VulnHub - this time called Kevgir and prepared by CanYouPwn.Me. Below you will find a quick writeup for solving this challenge. Let's go...

When I saw the open ports on the remote machine I was almost sure that there would be multiple ways to achieve UID=0. See below for the first results of the scan:

More open ports:

To summarize it a little bit:

So, yeah. Where to start? ;] I decided to look for those WWW(s), this is what I've found:

On the other port was:

And Tomcat7:

Next thing I found was Joomla:
At this stage I decided to check the source code of the page to see if there was a hint about the version:

As you can see, 'there was'. :] Going deeper:

When I saw Jenkins I thought maybe some kind of deserialization would be the way here...

Checking:

No luck, or maybe I'm missing something... Going back to dirb:


Let's try that phpmyadmin:

Yes, as you will see there is a login/password form. As far as I know, one of the default credentials for PMA is root:toor (or root:root or mysql:mysql... ;]). I didn't believe it would work, but I was logged in, so:

According to this we have some more information for future attacks. For example, what is that g0yg0y database used for?
Checking more:
Checking g0yg0y-db:

The password(s) look to be MD5, let's check it:
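The check behind "looks to be MD5" is a shape test, and the reason it matters is that an unsalted MD5 digest is a deterministic fingerprint of the password. The added example below is not from the original post or from the Kevgir VM; the table rows, usernames and digests are constructed here. It classifies each stored value by shape, flags rows whose digest equals the MD5 of a password from a short constructed list (the kind of finding a defender remediates by rehashing), and contrasts that with a salted, iterated hash, where the same password produces a different value every time.

```python
import hashlib
import os
import re

# Constructed sample rows in the style of a users table dump with
# unsalted MD5 password hashes (made up for this example, not from the VM).
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),  # md5("password")
    ("bob",   "e10adc3949ba59abbe56e057f20f883e"),  # md5("123456")
    ("carol", "$2y$10$notanmd5digestjustaplaceholder"),  # not MD5-shaped
]

# A constructed list of commonly chosen passwords used for the audit check.
COMMON_PASSWORDS = ["password", "123456", "letmein"]

# Raw MD5 is 128 bits, conventionally stored as 32 lowercase hex characters.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def looks_like_md5(value: str) -> bool:
    """Shape test only: 32 hex chars is the usual form of an unsalted MD5 digest."""
    return bool(MD5_HEX_RE.match(value.strip().lower()))


def classify_rows(rows):
    """Map each username to whether its stored hash is MD5-shaped."""
    return {user: looks_like_md5(stored) for user, stored in rows}


def weak_md5_rows(rows, common_passwords):
    """Return usernames whose unsalted MD5 digest equals the MD5 of a common password.

    Because MD5 has no salt, the digest of a given password is identical in every
    database, so a single precomputed table suffices to recognise it anywhere.
    """
    table = {hashlib.md5(p.encode()).hexdigest(): p for p in common_passwords}
    return [user for user, stored in rows
            if looks_like_md5(stored) and stored.lower() in table]


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) as stored by a sane application."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def salted_hashes_differ(password: str) -> bool:
    """Same password, two random salts: the stored values differ, so no shared lookup table."""
    return salted_hash(password, os.urandom(16)) != salted_hash(password, os.urandom(16))


if __name__ == "__main__":
    print(classify_rows(SAMPLE_ROWS))
    print("rows with a well-known password:", weak_md5_rows(SAMPLE_ROWS, COMMON_PASSWORDS))
    print("salted hashes of the same password differ:", salted_hashes_differ("password"))
```

The shape test is deliberately weak evidence: any 128-bit value rendered as hex matches it, so the usable signal is the combination of shape and a match against a known digest, and the fix on the defending side is to rehash with a salted, iterated scheme on next login.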

...and...

Good!

As you can see g0yg0y provides some 'vulnerable challenges', probably for practice.

So let's practice ;]

I started from the LFI section:

It's working:

The next section I used was Command Injection, of course:

Good. Next:

Next, I was looking for some write permissions:

I found that:

Let's read the config of Joomla, maybe we will need the password later:


Next:

Shell anyone? But where:

The 'xx' file was created, but again I couldn't upload PHP. Same trick as before and we are here (p2.txt above) - base64-decode the p2.txt file:

Checking:

Checking:


Good :]

Next, let's make it pretty:

Looking around:

More:

Not much. Let's find something more:

Maybe it's time to check SMB?

I'm not sure, so I'll stick to one kernel sploit:

Verify the access to the /root directory:

I think this is it :]

I'm glad I tried this CTF. It was a pleasure to play it. Big thanks goes to the author - CanYouPwn.Me.

If you're looking for some other challenges you should definitely try VulnHub.
Big thanks for hosting!

See you next time...

o/


2 comments:

  1. Great post but I was wanting to know if you could write a
    little more on this subject? I'd be very grateful if
    you could elaborate a little bit further. Thanks!
  2. Thanks :] It is a pretty good CTF VM. If you're looking for more similar cases try the #ctf tag on the blog. You will also find cool writeups on VulnHub.

    Cheers