We will start with netdiscover this time ;)
After a while we should get an output file from nmap - results from our scan, below:
Kali (you can download it here if you still don't have it ;)):
Not much. I was wondering if I'd get blank output from the other results - just checking:
Next, as you can see, we can do *a lot of* interesting things on this webpage, for example:
Cool, isn't it? ;>
After I spent some time (bruteforcing the password, trying to inject some weird strings into the login form and using one dir[s].txt after another from the /usr/share/wordlists/ directory) I found that maybe I was doing something wrong. I tried dirb again, like this:
I realised that in the nikto output we had found a "config.php" file :)
But after I tried to GET it like a normal URL file, there was (oh wow;]) no chance to read it. ;)
So I decided to use a trick I had used in another CTF, to scan the webroot of that webapp again.
And then I found my precious:
Checking (base64 -d):
Thank you Santa.
Ok, more details:
Cool, looks like base64. I will use Burp Suite to "decode" the strings from the pass column. Here we go:
Checking credentials, aaaand...
Challenge accepted ;>
I decided to prepare a shell script (using msfvenom) to generate payload(s) for our reverse shell. To use it, in a 2nd console window I prepared a meterpreter to catch the connection to our Kali host:
Hm... yeah - venome.sh - it is a simple bash script I created to automate a bit the generation of msf-based reverse shells... maybe you will find it useful. ;) So, let's try to upload our new photo-file :)
Ok, cool. Checking:
Time for some recon:
And we landed here:
:) So I tried to su to other user(s) (found during the SQL journey ;)):
And I found:
Ok, so it looks like we need to update the PATH :)
Still no access... Checking:
Still no access... Next:
I must admit that it was a very interesting CTF.
Kudos to @Claor for preparing the game! Big thanks also go to VulnHub for hosting.
See you next time! ;)