Tuesday, 8 January 2019

Depth CTF

This time we will try the Depth CTF prepared by Dan Lawson (available here thanks to VulnHub). Here we go...
Your machine can be found here:






After my (nmap) scan there was only one TCP port open:


As you can see in the background, I visited the page and there was some kind of 'default Tomcat' webpage... So (obviously;]) I tried to 'enumerate' the admin/manager's panel ;)


After a while (in another console window) I saw some weird results from gobuster:




I decided to stop all 'web scans' and check how I could access the /manager/ link... I tried rockyou.txt as well as a few other wordlists, and in the meantime I decided to change my 'webapp scanning criteria' a bit and (still using gobuster) I added an 'extension parameter', like this:




That's how I found a new link to try. Checking:

Uh. ;] Let's try some 'ls', let's say... null-command?


Cool. ;] Next:

Still no:


Next:


Results:

 

Ok, let's try this 'ls' at last ;]

Better. ;]

Next:

 
This was not the 'result' I was looking for... Any hints?

 
I tried to download 'some file' (read: my meterpreter) as you can see below, but it still had size 0:

I wasn't sure what the problem was. I tried ps and some other Linux commands to enumerate the OS a little bit more. I also tried to get some 'reverse shell' of course ;] One of the commands I used was ssh (the CLI client from OpenSSH). And...

So it looks like we can connect to ssh locally and use sudo ;>

What can we do with a hint like that? Maybe some 'Master Development'? ;]





Sure - but I still cannot connect to my next system... ;] So I was (again) wondering what's going on...

After a while I knew it! "Let's flush the firewall!" Great idea, so I used: iptables -F (with my ssh chain command) and...



... that's how I needed to restore the whole machine, because the VM was unable to respond. ;]

So - reset. And we are back again, here:

Checking:






And we are inside the shell of our friend from /home directory (you will find it during your enum).

I decided to check if sudo is still working (with the same behaviour) inside this shell:


Sure. ;]


Big thanks go to the author for preparing the Depth 1 CTF.
Also big thanks to the VulnHub Team for sharing.

See you next time. ;)

Cheers






 





