This time I decided to check the CTF prepared by Hadi Mene called "Born2Root". Let's find out how to solve it...
We should start here:
Cool, let's find some open ports:
So:
Ok, checking HTTP:
I tried to check all found resources, one by one:
Next I found Joomla:
I was wondering whether I should perform a brute-force attack here or whether there would be a bug in some plugin/old version... Checking:
So far, so good. We have a version number. More:
And see... The password is already there xD
Checking:
Next step: go to the admin panel and try to upload a webshell:
(If you want, you can try to modify joomlash.py to check it here ;))
Next:
Let's verify:
Ok, looking around:
I decided to get a reverse shell (I used the one from PentestMonkey resources):
Now we are here:
I was looking for some SUID files (like last time ;]):
Nope. Next, during OS enumeration, I found the Joomla config file with a password and a new username to check:
So I tried to find more passwords in DB:
... and I found that one exploit from Metasploit (see 'expl0iter' ;)) - worked ;] but it was too late for it.
Next I found a file called fileshare.py:
So I tried the hardcoded password:
Yep. Next thing: checking for sudo:
Great, it should be fast:
And...
That was a nice CTF. Big thanks go to Hadi Mene for preparing this game.
Also big thanks go to the VulnHub Team for sharing all of those CTFs.
See you next time!
Cheers
Hi, do you mind explaining how you got the password from the post at the beginning? I've tried any combination with bruteforce and cewl and haven't managed to log in. Thanks :)
Hi, first of all thx for watching. The answer/hint is already there. Just read the hints from the VM ;) You will get the idea.
I have been trying everything for hours, read every piece of text and tried it as username/password. Clearly I'm missing the point. Any chance you could help me a bit more?
I'm still lost on finding the password. I thought it had to do with football 'cause of "Break", but now I've just been hitting my head against the wall.
@Admin @brute505: did you try to figure out what the password is after you read the hints from Tim's (Joomla) Blog? ;) It's already there ;) Quick solution: check the screen and 1) get the pass or 2) use the 'crunch' tool from Kali to prepare a working wordlist.
Hi there, I'm also not able to figure out what the password for Tim's Blog is. Any more help to find the password?
No. ;)