Tuesday, 14 August 2018

PwnLab: init - CTF

Hi. It's been a while since I tried to play CTFs, so below you'll find a quick review of the one I once found on VulnHub. Let's do it...

We will start with netdiscover this time ;)

  

As you probably remember, sometimes I like to scan the VM box ;] Let's do it this time too:


After a while we should get an output file from nmap - results from our scan, below:


Checking webapp:


As you can see, the upload should be a good place to check:

Ok, maybe we will need it later. Let's try to scan the box with some command-line tools available on Kali (you can download it here if you still don't have it ;)):

Ok, nice. We have some more files/dirs to check now. Interestingly, there is a 'config.php'... but maybe it's a false-positive...;S

Checking:



Not much. I was wondering if I'd get blank output from the other results - just checking:

Ok, good.

Next, as you can see, we can do *a lot of* interesting things on this webpage, for example:


Cool, isn't it? ;>

After I spent some time (bruteforcing the password, trying to inject some weird strings in the login form and using other and other dir[s].txt from the /usr/share/wordlists/ directory) I found that maybe I was doing something wrong. I tried dirb again, like this:



I realised that in the output of nikto we had found the "config.php" file :)

But after I tried to GET it like a normal URL file, there was (oh wow;]) no chance to read it. ;)

So I decided to use a trick I had used in another CTF, to scan the webroot of that webapp again.

And then I found my precious:


Checking (base64 -d ):


Thank you Santa.

Checking:



Details:


;>

Ok, more details:


Cool, looks like base64. I will use Burp Suite to "decode" those strings from the pass column. Here we go:



Checking credentials, aaaand...


Checking:


Challenge accepted ;>

I decided to prepare a shell script (using msfvenom) to generate payload(s) for our reverse-shell. To use it, in 2nd console window I prepared a meterpreter to catch the connection to our Kali host:


Now, preparing our file to upload:


Hm... yeah - venome.sh - it is a simple bash script I created to automate generating msf-based reverse shells a bit... maybe you will find it useful. ;) So, let's try to upload our new photo-file :)

Checking the source:

Unfortunately I wasn't able to access the file (to run it in our meterpreter in Kali), so I decided to get back to the LFI bug and read (base64 -d(ecoded)) source files:


More:


Ok, cool. Checking:


Great :)

Time for some recon:


And we landed here:



:) So I tried to su to other user(s found during SQL journey;)):


And I found:


Checking:

  

Ok, so it looks like we need to update the PATH :)

Checking:



Still no access... Checking:


Still no access... Next:


Good!


So:



Great! :)

I must admit that it was a very interesting CTF.

Kudos to @Claor for preparing the game! Big thanks also go to VulnHub for hosting.

See you next time! ;)


Cheers
o/



 
