This time we will check the "HackDay: Albania" CTF from VulnHub. Below are a few details from the game...
We will start here:
Ok, let's start with one small script I decided to write in bash just to run gobuster in a loop with the dictionaries from /usr/share/wordlists on Kali:
A few nasty stats from grep | cut -d and so on... ;)
Eliot said it's not the way... ;S
I decided to use the robots.txt file to find some hints:
Interesting content... Checking:
More interesting results ;] (at first I thought that I should join all the 'dirnames' into one string and that it would be base64... ;] anyhow...) now we are here:
Cleaning results:
Preparing a list of URLs to visit:
Checking:
grep for the "CHECKING" string:
And we should be here:
Now you see the link. Preparing a new URL:
Checking:
More:
Ok, very secure Bank. Should be cool. ;]
Checking the login page with Burp:
Response:
Sending the request to 'Intruder':
Preparing a list of payloads:
Preparing the 'responses list' we are waiting for:
Saving the request to run it with sqlmap:
Quick results:
More:
Burp in action:
Verifying:
So, Charles...
Checking the available upload:
Checking the results of the upload:
Let's summarize:
More details:
Next:
Preparing venom:
Next:
Preparing the Metasploit listener:
Checking:
Small enum:
Looking for SUIDs:
Interestingly, I found that /etc/passwd looks like this:
This reminded me of one time when the password was 'located' only in the passwd file... :) I decided to check it:
So:
Checking:
Nope. :) Checking again from another shell:
It should be fast now:
Last part:
So... Thanks for an interesting CTF! I was surprised to see a bug like this :)
See you next time.
Cheers