niedziela, 24 czerwca 2018

De-ICE: S1.140 - CTF

In the middle of time I was playing another cool CTF hosted by VulnHub. This time I decided to try De-ICE: S1.140 prepared for the series called ... De-ICE ;] Here we go...

I started - as usual - from the scan of the machine. Nmap (used to do that) presented results like those from the screen below:

Let's start from the beginning - checking FTP server:

Ok, cool. So we have a 'ftp-access' (but as you can see, telnet was not the best idea; I installed ftp client - console version). On 2nd terminal I decided to start checking possible directories/files on remote HTTP ports (80 as well as 443). Results you will find below:

Let's check those results in the browser:

Great, looks like we have a forum ;] After reading some of the post available for guest(s)...

... I was able to collect some of the usernames and some 'interesting content' - you'll see below:

Reading the log file reveals something more than just logins...

Ok, let's write it down for the future use. Next I prepared 2 files: one for the users and one for the password(s). See below:


...but after a while I saw the badboy message:

So I decided to go back to results from dirb:

Ok, cool. I even created some test account in the forum but I was never able to log in (no valid email account...). So next thing was checking 'index' file (and some hints "hidden" in the content):

...after mentioned ftp-client was installed I tried to log in (as anonymous user) again (ftp):

As you can see, now we can get some more results than before. Good.

Checking next link from dirb and this is what I've found:



Great, maybe we will use it. After checking results from port 80/tcp I switched to check results from 443 - https. Some details you'll see below:

Good, more dirs to check. Let's do it:

It was a while, but in the end I found 'working user' (remember that you already have some - probably ;] - valid password)... (I tried ssh anyway ;P

) anyway... It wasn't good idea. Checking another one:

Still no luck... I decided to try the same at the forum:

Great, it worked! ;] So now I can grab the email address to check if I'll be able to log in to the webmail:


Great. Let's see what do we have here:

Well... thanks Sandy ;]

...and...Sandy...? ;]

Good. My next idea was: raptor or webshell-via-sql? Unfortunately I was not able to do any-select-into-outfile query ;) so I decided to check what's inside the database(s). For example:


...and more:

Good. We will use it later. Now let's try to crack some of the hashes grabbed here.


Results below:

Good. Let's check where we can reuse those passwords:

Hm... (in the middle of time I tried to use the exploit code available here

but it was not the case this time... :] so... )

Playing with the ftp and 'my current directory':

helped me to find some backup-file, see below:

Good. I tried to unlock the file with the passwords I found before but without any luck. After a while I found another interesting directory - .ssh ;]

Let's check if we can use those file somehow:

Yes we can ;]

Great, what's next? After a while I found some more passwords:

Good. Moment later I decided to switch to another user. Surprisingly it worked as well:

Good. So now I was able to access the content of /opt/ file. This is what I found inside:

Great. Let's try to reverse that process to grab the content of the backup archive (when I was trying to do it in Kali there was an error. Solution I've found you'll see on the screen below):

Now it was easier:

I found very interesting content inside the unpacked archive, for example passwd and shadow files ;)

So far so good. Now it's time to crack the shadow...

Unfortunately I wasn't able to crack those passwords with rockyou.txt and this is how I found that resourses:

Using password files available there I was able to crack the shadow file, see below:

Good. Let's check it now.

Looks like we got it ;]

I downloaded 'secret' file to my Kali box to check it and I found:

I must admit that it was very cool CTF. I think this machine was a good start for the whole series ;]

Big thanks for De-ICE and VulnHub!


Brak komentarzy:

Prześlij komentarz