PwnLab: init - CTF

Hi. It's been a while since I tried to play CTF's so below you'll find a quick review for the one I found one time at VulnHub. Let's do it...

We will start from netdiscover this time ;)

  

As you probably remember, sometimes I like to scan the VM box ;] Let's do it this time too:

 After a while we should get an output file from nmap - results from our scan, below:

 

Checking webapp:

Like you see - upload should be a good place to check:

 

Ok, maybe we will need it lated. Let's try to scan the box with some command-line tools available on Kali (you can download it here if you still don't have it ;)):

Ok, nice. We have some more files/dirs to check now. Interestingly, there is a 'config.php'... but maybe it's a false-positive...;S

Checking:

not much. I was wondering if I'll get the blank output from the other results - just checking:

Ok, good.

Next, as you can see, we can do *a lot off* interesting things on this webpage, for example:

Cool, isn't it? ;>

After I spend some time (bruteforcing the password, trying to inject some weird strings in the loginform and using other and other dir[s].txt from the /usr/share/wordlists/ directory) I found that maybe I doing something wrong. I tried dirb again, like this:

I realised that in the output of nikto we've found "config.php" file :)

But after I tried to GET it like a normal URL file, there was (oh wow;]) no chance to read it. ;)

So I decide to use one trick I used in other CTF, to scan webroot of that webapp again.

And then I found my precious:

Checking (base64 -d ):

Thank you Santa.

Checking:

Details:

;>

Ok, more details:

Cool, looks like a base64. I will use Burp Suite to "decode" that strings from pass column. Here we go:

Checking credentials, aaaand...

Checking:

Challenge accepted ;>

I decided to prepare a shell script (using msfvenom) to generate payload(s) for our reverse-shell. To use it, in 2nd console window I prepared a meterpreter to catch the connection to our Kali host:

 Now, preparing our file to upload:

Hm... yeah - venome.sh - it is a simple script in bash I created to automate a bit generating of msf-based reverse shells... maybe you will find it useful. ;) So, let's try to upload our new photo-file :)

Checking the source:

Unfortunately I wasn't able to access the file (to run it in our meterpreter in Kali), so I decided to get back to the LFI bug and read (base64 -d(ecoded)) source files:

More:

Ok, cool. Checking:

Great :)

Time for some recon:

And we landed here:

:) So I tried to su to other user(s found during SQL journey;)):

And I found:

Checking:

  

Ok, so it looks like we need to update the PATH :)

Checking:

Still no access... Checking:

Still no access... Next:

Good!

So:

Great! :)

I must admit that it was a very interesting CTF.

Kudos for @Claor for preparing the game! Big thanks also goes to VulnHub for hosting.

See you next time! ;)


Cheers
o/