Friday, 28 December 2018

Command Injection - CTF

Below you will find a few details about the CTF prepared by PentesterAcademy. Here we go...


Thanks to VulnHub, we can find the VM here.

We should be here:


Cool, it seems we already have some users to try if needed ;)

While my nmap scan was still in progress, I saw that there are a few HTTP ports, for example:


The version was so new that I decided to check it on Google; maybe there are already published exploits/bugs. In the meantime I found another interesting 'case':


...but maybe we'll get back to that later... I found that there are some PoCs already available (for example for Metasploit) so I decided to check it:


...and then, nmap was ready:


Some potential here? ;]

"The way I see it":

- while nmap was not ready yet and I found that Zenoss, I was wondering if there is any 'default password list'
- I tried: admin, zenoss, password, and so on...
- and one of the passwords I tried was good to log in as admin :)



...then I found the default password in the MSF module... ;>

Anyway...


Ok, that was fast ;]

Quick revert to $ python -c 'import pty;pty.spawn("/bin/bash")' and we are here:


I was wondering if this can be any faster:


(hey, remember the nmap-log?) After a while I found that there is Splunk :) So the next thing was to check perms:


Cool. The next thing for me was to find some information about 'how to build a proper Splunk App' to upload my shell... I found a few interesting cases described online (for example: here, here or here).

After reading them I decided to prepare 'my own app' (tl;dr: I tried the PoC from MSF but I could not get a reverse shell, so the only 'way' was to read the source of example apps - and my app - and prepare a correct app to upload ;))


Still no revshell :C

I tried to rewrite my super app again and upload it (again...):



Ok, a new error during the upload... After a while I saw the next one: 'your flash is not up to date, Splunk will not run'. So I decided to run IExplore.exe and go to the upload page again ;>



Console-output like in old telnets ;D Cool ;)

Thanks for the CTF go to: PentesterAcademy
Thanks for the sharing go to: VulnHub

See you next time.
