piątek, 29 marca 2019

Born2Root 2 CTF

This time I decided to check CTF prepared by Hadi Mene called "Born2Root". Let's find out how to solve it...

We should start here:


Cool, let's find some open ports:

 So:


Ok, checking HTTP:


I tried to check all found resources, one by one:


Next I found Joomla:


I was wondering if I should perform some bruteforce attack here or it will be a bug in some plugin/old version... Checking:


So far, so good. We have a version number. More:


And see... The password is already there xD


Checking:


Next step: go to admin's panel and try to upload a webshell:


(If you want, you can try to modify joomlash.py to check it here ;))



Next:


Let's verify:

Ok, looking around:

I decided to get reverse shell (I used the one from PentestMonkey resources):

Now we are here:


I was looking for some SUID files (like last time ;]):


Nope. So next during OS enum I found Joomla config file with password and new username to check:


So I tried to find more passwords in DB:

 ... and I found that one exploit from Metasploit (see 'expl0iter' ;)) - worked ;] but it was to late for it.


Next I found file called fileshare.py:
 

So I tried hardcoded password:


Yep. Next thing: checking for sudo:
 

Great, it should be fast:


And... 

That was nice CTF. Big thanks goes to Hadi Meme for preparing this game.
Also big thanks goes to the VulnHub Team for sharing all of those CTFs.

See you next time!

Cheers




Posted by at
Labels: , , , ,

7 komentarzy:

  1. Admin22 kwietnia 2019 03:49

    Hi, do you mind explaining how did you get the password from the post at the beginning? I've tried any combination with bruteforce and cewl and havent managed to login. Thanks :)

    OdpowiedzUsuń
    Odpowiedzi
    1. code1623 kwietnia 2019 00:44

      Hi, first of all thx for watching. The answer/hint is already there. Just read the hints from the VM ;) You will get the idea.

      Usuń
    2. Admin24 kwietnia 2019 05:58

      I have been trying everything for hours, read every piece of text and tried it as username/password. Clearly i'm missing the point. Any chance you could help me a bit more?

      Usuń
  2. brute50528 kwietnia 2019 22:54

    Im still lost on finding the password i thought it had to do with football cause of "Break" but now ive just been hitting my head agains the wall.

    OdpowiedzUsuń
  3. code1629 kwietnia 2019 02:53

    @Admin @brute505: did you tried to figureout what is the password after you read the hints from Tim's (Joomla) Blog? ;) It's already there ;) Quick solution: check the screen and 1) get the pass or 2) use the 'crunch' tool from Kali to prepare a working wordlist.

    OdpowiedzUsuń
  4. Unknown10 maja 2019 03:10

    Hi there I'm too not able to figure out what is the password for the Tim's Blog. Any more help to find password??

    OdpowiedzUsuń
  5. code1610 maja 2019 11:00

    No. ;)

    OdpowiedzUsuń

Subskrybuj: Komentarze do posta (Atom)