Freshly CTF

This time I decided to check one of the CTFs prepared by TopHatSec and shared here - thanks to VulnHub. Below you will find notes from the journey. Here we go...
When the machine was ready, I scanned ports using nmap and found 3 ports related to HTTP somehow... The next step was to visit those 'pages' and see if there was any hidden hint. I started with port 80/tcp:

Ok, cool :) At this stage I used dirb to scan the webroot of the remote host.

After a while spent checking the wordlists available in Kali (/usr/share/wordlists/), I used rockyou.txt (with the -X .php switch) to find a new link. The file I was looking for was login.php.

I used Burp to intercept the (login) request and copied it to use as a (raw) request with sqlmap:

I was wondering if there were any databases. Scanning with dirb revealed directories like "phpmyadmin" and "wordpress", so my first guess was to find the WordPress DB, grab the admin's password and drop a shell via Themes (it was probably already described somewhere here).
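The two noisiest steps so far, the dirb wordlist walk against the webroot and the sqlmap run against login.php, leave a very recognisable trail in the web server's access log. As an added defensive example (not part of the original writeup, and not output from this machine), the script below parses Apache/nginx combined-format log lines and flags a source that piles up 404s in a short window, a scanner User-Agent, or an injection-looking query string. The log lines, thresholds and IP addresses are constructed for the example; the `sqlmap/...` User-Agent mimics sqlmap's default format.

```python
"""Spot dirb-style directory brute force and sqlmap-style injection probing
in web server access logs.

Added detection example with constructed log lines and thresholds; nothing
here is traffic or output from the machine in the writeup.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings seen in the default User-Agent of common scanners (constructed list).
SCANNER_UAS = ("sqlmap", "dirb", "nikto", "gobuster")

# Crude injection signatures applied to the URL-decoded request path.
SQLI_RE = re.compile(r"'\s*(or|and)\b|\bunion\s+select\b|\bsleep\s*\(", re.I)

# Constructed sample: 10.0.0.9 walks a wordlist (burst of 404s, then finds
# login.php) and later hits it with a sqlmap-style User-Agent; 10.0.0.7 sends
# one hand-crafted injection; 10.0.0.5 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2015:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [10/Mar/2015:10:00:02 +0000] "GET /backup.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [10/Mar/2015:10:00:03 +0000] "GET /test.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [10/Mar/2015:10:00:03 +0000] "GET /config.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [10/Mar/2015:10:00:04 +0000] "GET /db.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [10/Mar/2015:10:00:04 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible)"
10.0.0.9 - - [10/Mar/2015:10:00:05 +0000] "GET /secret.php HTTP/1.1" 404 209 "-" "Mozilla/4.0 (compatible)"
10.0.0.5 - - [10/Mar/2015:10:00:30 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2015:10:01:10 +0000] "POST /login.php HTTP/1.1" 200 1024 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
10.0.0.7 - - [10/Mar/2015:10:02:00 +0000] "GET /login.php?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_bruteforce(entries, threshold=5, window_seconds=60):
    """Return {ip: most 404s seen inside any window_seconds} for IPs at or over threshold."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def detect_probing(entries):
    """Return (ip, reason) pairs for scanner User-Agents and injection-looking requests."""
    hits = []
    for e in entries:
        ua = e["ua"].lower()
        scanner = next((s for s in SCANNER_UAS if s in ua), None)
        if scanner:
            hits.append((e["ip"], f"scanner user-agent ({scanner}): {e['ua']}"))
        if SQLI_RE.search(unquote(e["path"])):
            hits.append((e["ip"], f"injection pattern in request: {e['path']}"))
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for ip, count in detect_bruteforce(entries).items():
        print(f"[brute force] {ip}: {count} x 404 within 60s")
    for ip, reason in detect_probing(entries):
        print(f"[probing]     {ip}: {reason}")
```

The 404 burst is the more reliable of the two signals: a scanner can change its User-Agent, but it cannot avoid asking for files that do not exist, so the window/threshold check is what belongs in an alert rule.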

So I started listing the available DBs:

Cool, there are a few interesting places to check. I started with WordPress, table 'users':

Nice, checking:

So far, so good. Looks like this is a way to our shell ;)

Super obfuscated payload:
Great. :]

The next step was to download a small sample generated by venome.sh.

Let's get the file:

Quick setup for Metasploit:

Time to get a shell:

Cool :) We are here:

The next thing I tried was to cat the passwd and shadow files. So now we are here:

Do you want to crack it? ;)
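Whether the shadow file is worth cracking depends on two things the system owner controls: whether the file was readable in the first place, and which crypt(3) algorithm the hashes use. As an added example (not part of the original writeup, and the hash fields below are labelled placeholders rather than anything taken from this machine), the audit script below classifies shadow entries by hash format, flags empty and weak-format passwords, and checks that the file mode does not grant read access to "other".

```python
"""Audit /etc/shadow-style entries for weak or empty password hashes and
check the file mode.

Added example with constructed sample entries; every hash value is a
placeholder, not a hash from the machine in the writeup.
"""
import stat

# crypt(3) prefixes that an audit accepts: sha512crypt, sha256crypt,
# yescrypt, scrypt and the bcrypt variants.
STRONG_PREFIXES = ("$6$", "$5$", "$y$", "$7$", "$2b$", "$2y$", "$2a$")
# Formats that are cheap to brute force today.
WEAK_PREFIXES = {"$1$": "md5crypt"}

# Constructed sample shadow file (placeholder hashes, not real ones).
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERSHA512HASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:16500:0:99999:7:::
webapp:$1$saltsalt$PLACEHOLDERMD5HASHxxxx:16500:0:99999:7:::
legacy:AbCdEfGhIjKlM:16500:0:99999:7:::
guest::16500:0:99999:7:::
daemon:*:16500:0:99999:7:::
"""


def classify_hash(field):
    """Describe the password field of one shadow entry."""
    if field == "":
        return "empty password (login without a password)"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith(STRONG_PREFIXES):
        return "ok"
    for prefix, name in WEAK_PREFIXES.items():
        if field.startswith(prefix):
            return f"weak: {name}"
    if len(field) == 13 and "$" not in field:
        return "weak: traditional DES crypt"
    return "unknown hash format"


def audit_shadow(text):
    """Return (user, verdict) for every entry that is neither ok nor locked."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        verdict = classify_hash(fields[1])
        if verdict not in ("ok", "locked"):
            findings.append((fields[0], verdict))
    return findings


def shadow_mode_ok(mode):
    """True when an st_mode value grants no read access to 'other'."""
    return not (mode & stat.S_IROTH)


if __name__ == "__main__":
    import os
    for user, verdict in audit_shadow(SAMPLE_SHADOW):
        print(f"{user}: {verdict}")
    try:
        print("/etc/shadow mode ok:", shadow_mode_ok(os.stat("/etc/shadow").st_mode))
    except OSError as exc:
        print("could not stat /etc/shadow:", exc)
```

Run against a real file it reads the whole thing with root privileges only; the classification itself never needs the hash to be cracked, which is the point: migrating the weak entries to sha512crypt or yescrypt (`chpasswd` after setting `ENCRYPT_METHOD` in /etc/login.defs) makes the "do you want to crack it?" question a much less interesting one.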

I decided to spawn a Python shell again:

Then I used the credentials (grabbed by sqlmap) to log into the PMA panel and grab more passwords. The goal was to check how I could switch to the root or candycane user(s) from the passwd file.

So, we are here:

Looks like this is it ;)

See you next time.


Special thanks go to: 'Ela z Sanoka'!