Tuesday, 6 November 2018

Freshly CTF

This time I decided to check one of the CTFs prepared by TopHatSec and shared here - thanks to VulnHub. Below you will find notes from the journey. Here we go...
When the machine was ready I scanned its ports with nmap and found 3 ports related to HTTP in one way or another... The next step was to visit those 'pages' and see if there was any hidden hint. I started with port 80/tcp:

Ok, cool :) At this stage I used dirb to scan the webroot of the remote host.

After a while of checking the wordlists available in Kali (/usr/share/wordlists/) I used rockyou.txt with the -X .php switch to find a new link. The file I was looking for was login.php.
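From the blue-team side, a dirb run like the one above is loud: one client producing a burst of 404s for many distinct paths in a short time. Below is an added example (not from the original post) that parses Apache combined-format access log lines and flags such clients. The log lines, IPs, user agent and the 20-paths-per-minute threshold are all constructed for the demo and would need tuning per site.

```python
"""Spot directory brute-forcing (dirb-style) in Apache/nginx access logs.

Added example, not part of the original write-up. The log lines below are
constructed for the demo; the thresholds are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window=timedelta(seconds=60), max_404=20):
    """Flag client IPs whose 404 responses cover more than `max_404` distinct
    paths inside any `window`-long span (sliding window over sorted hits).
    Returns {ip: {"peak_404_in_window": n, "total_404": n, "ua": str}}.
    """
    per_ip = defaultdict(list)
    agents = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        per_ip[rec["ip"]].append((rec["ts"], rec["path"]))
        agents[rec["ip"]] = rec["ua"]

    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start, peak = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, len({path for _, path in hits[start:end + 1]}))
        if peak > max_404:
            flagged[ip] = {"peak_404_in_window": peak,
                           "total_404": len(hits), "ua": agents[ip]}
    return flagged


def constructed_sample():
    """Constructed log excerpt: one scanner guessing .php names, one normal visitor."""
    base = datetime(2018, 11, 6, 10, 0, 0)  # constructed timestamp
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    stamp = lambda i: (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = [fmt.format(ip="10.0.0.5", ts=stamp(i), path=f"/word{i}.php",
                        status=404, ua="constructed-scanner/1.0")
             for i in range(30)]
    for i, (path, status) in enumerate([("/", 200), ("/index.php", 200), ("/abuot.php", 404)]):
        lines.append(fmt.format(ip="10.0.0.7", ts=stamp(i), path=path,
                                status=status, ua="constructed-browser/1.0"))
    return lines


if __name__ == "__main__":
    for ip, info in find_bruteforcers(constructed_sample()).items():
        print(ip, info)
```

Feeding real logs in is a matter of `find_bruteforcers(open("access.log"))`; the one genuine typo'd URL from the ordinary visitor stays well under the threshold, which is the point of counting distinct paths per window rather than raw 404s.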

I used Burp to intercept the login request and saved it as a raw request to use with sqlmap:


I was wondering whether there were some databases. Scanning with dirb had revealed directories like "phpmyadmin" and "wordpress", so my first guess was to find the WordPress DB, grab the admin's password and drop a shell via Themes (this was probably already described somewhere here).
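For readers wondering why sqlmap could walk from a login form straight into the databases: the form's fields end up inside a SQL string. The added example below (mine, not the CTF's login.php, which we never get to see) builds a throw-away SQLite table with one constructed account and runs the same login check two ways, string concatenation versus bound parameters. The account name and password are constructed; storing the password in plaintext is a second, separate defect kept here only to keep the demo short.

```python
"""Injectable login check beside its parameterized fix.

Added example, not code from the original post. Uses an in-memory SQLite DB
with a constructed account so it runs offline.
"""
import sqlite3

DEMO_USER = "admin"            # constructed
DEMO_PASSWORD = "Winter2018!"  # constructed


def make_db():
    """One-row users table. Plaintext password storage is itself a flaw;
    real applications store a salted hash and compare in code."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern sqlmap feeds on: user input pasted into the query text.
    A username such as  admin' OR '1'='1' --  turns the WHERE clause into
    a tautology and comments out the password check."""
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is only ever data, so a
    quote in the username is compared literally, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probe = "admin' OR '1'='1' --"
    print("vulnerable, injected:", login_vulnerable(db, probe, "wrong"))  # True
    print("safe, injected:     ", login_safe(db, probe, "wrong"))        # False
    print("safe, real creds:   ", login_safe(db, DEMO_USER, DEMO_PASSWORD))  # True
```

The parameterized version is the fix the CTF's login.php was missing; sqlmap's boolean and UNION techniques all rely on the first function's behaviour, and none of them have anything to work with in the second.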

So I started listing the available DBs:


Cool, there are a few interesting places to check. I started with WordPress, table 'users':



Nice, checking:


So far, so good. Looks like this is a way to our shell ;)

Super obfuscated payload:


;]

And...


Great. :]
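The theme-editor trick above only works because WordPress still lets an administrator edit PHP files from the dashboard. The usual fix is the `DISALLOW_FILE_EDIT` (or the broader `DISALLOW_FILE_MODS`) constant in wp-config.php. The added example below (not from the original post or from WordPress itself) audits a wp-config.php body for those constants; the two config snippets are constructed, and note how a commented-out define, a common mistake, gives no protection.

```python
"""Audit wp-config.php for the constants that close the dashboard file editor.

Added example, not code from the original post. DISALLOW_FILE_EDIT and
DISALLOW_FILE_MODS are real WordPress constants; the config bodies are constructed.
"""
import re

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DISALLOW_FILE_(?:EDIT|MODS))['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

# Constructed: typical default config, mitigation present only as a comment.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
// define( 'DISALLOW_FILE_EDIT', true );   // commented out, so it does nothing
$table_prefix = 'wp_';
"""

# Constructed: editor disabled and plugin/theme installs from the dashboard blocked.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define('DISALLOW_FILE_EDIT', true);
define( "DISALLOW_FILE_MODS", true );
$table_prefix = 'wp_';
"""


def audit_file_edit(config_text):
    """Return the effective value of each constant from a wp-config.php body.
    None means the constant is never defined (editor stays enabled).
    Lines that are entirely a // or # comment are skipped; the last define wins.
    """
    result = {"DISALLOW_FILE_EDIT": None, "DISALLOW_FILE_MODS": None}
    for line in config_text.splitlines():
        if line.strip().startswith(("//", "#")):
            continue
        for name, value in DEFINE_RE.findall(line):
            result[name.upper()] = value.lower() == "true"
    return result


def theme_editor_reachable(config_text):
    """True when an admin login still reaches Appearance > Theme Editor.
    DISALLOW_FILE_MODS implies file editing is off too, so either constant closes it.
    """
    flags = audit_file_edit(config_text)
    return not (flags["DISALLOW_FILE_EDIT"] or flags["DISALLOW_FILE_MODS"])


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_file_edit(cfg), "editor reachable:", theme_editor_reachable(cfg))
```

Run it against a real file with `theme_editor_reachable(open("wp-config.php").read())`; with the editor closed, a stolen admin password still hurts but no longer turns into PHP execution on the host by itself.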

The next step was to download a small sample generated by venome.sh.


Let's get the file:



Quick setup for Metasploit:


Time to get a shell:



Cool :) We are here:


The next thing I tried was to cat the passwd and shadow files. So now we are here:

Do you want to crack it? ;)

I decided to spawn a python shell again:


Then I used the credentials (grabbed by sqlmap) to log into the PMA panel and grab more passwords. The goal was to check how I could switch to the root or candycane user (users from the passwd file).

So, we are here:


Looks like this is it ;)


See you next time.

Cheers


(...)
P.S.
Special thanks goes to: 'Ela z Sanoka'!

#eloElu

+

o/
