When you will get your VM we should be somewhere here:
After quick nmap scan we should see few open ports ready to check:
I decided to start from Redis:
Few more steps to check:
So we are here:
I tried to prepare files for ssh fo upload:
In the mean time I scanned webroot for possible files/dirs to check (using gobuster):
When I saw PMA and Drupal I decided to check them both:
In the mean time I also tried robots.txt:
When I was ready for MSF to load Drupalgeddon poc I decide to try few default passwords for PMA login panel... after a very few... I was logged-in :)
Checking:
No luck, so I moved on to next links/results. Now we landed here:
I decided to check it later (and grab some more passwords):
...and in the mean time, Drupalgedddon2-shell was ready for me:
First guess was to look for more passwords and to look around:
I was wondering if I should use raptor-magic like during the Kvasir CTF. But we are here:
More enumeration...
Mentioned access to DB ('perms', for example creating files):
And now we should be here, checking perms for DB (still trying to run raptor ;))
More enum in the mean time and we got a flag:
Checking redis with nmap's scripts:
Checking perms of files created during redis-attacks:
Cracking passwords from PMA (just in case to use it later):
So I decided it's time for some rebel :
Compiling the source on Kali, sharing compiled file via HTTP with target-VM and:
Cool :)
Big thanks goes to PrismaCSI for preparing this CTF. Also big thanks goes to the VulnHub Team for sharing all of those VMs.
See you next time.
Cheers
Brak komentarzy:
Prześlij komentarz