Sunday, 10 March 2019

MinU:1 CTF

This time I tried the MinU:1 CTF from VulnHub, prepared by 8bitsec. Below you will find the details...
We will start here:


After a quick portscan we can see that only the HTTP port (80/tcp) is open. I performed a basic scan (using webuster.sh, mentioned before):


Not much... Checking again with the 'extensions' switch:


Running nikto and dirb again:


Something was wrong, so I decided to switch to curl and check one more time:


So using an additional 'header' revealed new content :)


I decided to check that 'last visitor':

At first I thought it would be some LFI/RFI. It was not. ;] So I decided to run it again with Burp's Intruder. This is what I found:


Great! So RCE!
Looks like 'not yet'. After a while with Burp Repeater:

... (and after I realized that a few commands, as well as a few characters like ' " and so on, are blocked or filtered 'by the server') I decided to replace the ls command with dir - it worked:


So now the task was to obtain a shell on the remote host and bypass the restrictions related to the 'filtering'. After I tried a few more examples of 'how to run a binary without /bin/bash' ;)

I found this great page (where I found the solution to my case):


So now we are here:


I started checking files, looking for a method to escalate to uid=0:


After a while I found that there is a ._pw_ file in bob's directory. I tried to decode the base64:


Ok, so we need to read more about JWT tokens (and how to crack them) ;)

Checking:


So now we are here, comparing tools:
- using jwt-cracker I wasn't able to crack it in 2 days :)
- using c-jwt-cracker I was able to crack it in ~12 min :)
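Both tools do the same thing underneath: recompute the HS256 signature over the token's header and payload with each candidate secret and compare it to the signature carried in the token. The script below is an added example (not the author's and not from either tool) showing that check as a defender's audit of a token against a short wordlist of weak secrets; the token, the secret and the wordlist are constructed here, since the page does not reveal the real values.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded URL-safe base64 for all three segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # re-add the padding that JWT strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used only to construct the sample token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(signature)}"


def find_weak_secret(token: str, candidates):
    """Return the wordlist entry that reproduces the token's HS256 signature, or None."""
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # this check only applies to HMAC-SHA256 tokens
    signing_input = f"{header}.{body}".encode()
    expected = b64url_decode(sig)
    for candidate in candidates:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, expected):
            return candidate  # the signing key is this weak secret
    return None


# Constructed sample: a token signed with a deliberately weak secret (hypothetical values)
SAMPLE_TOKEN = make_hs256_token({"user": "bob"}, b"secret123")
WEAK_SECRETS = ["password", "123456", "secret123", "letmein"]

if __name__ == "__main__":
    print(find_weak_secret(SAMPLE_TOKEN, WEAK_SECRETS))  # prints: secret123
```

If a token issued by your own application is found this way, rotate the signing key to a long random value; a key from a wordlist is recoverable in minutes regardless of the tool used.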



Checking:


Finally. :)

Now we can try to use our secret value. Let's try it for the user we found:


Unfortunately there was no option to run su (or sudo -S) from our 'shell'. That's how I found this page:


Let's try:


Checking:


Looks like we can use the script, but there is still something wrong with the password...

I decided to modify my script once again:


New results ;> "almost there", but why is our script dropping the (root) shell? :S

Again: I changed the password for my user on Kali to check it:


Checking:

No. So again:

Dropping shell ;[

So I started with:
$ for i in `seq 1 50` ; do <our echo command with passwd> ; done

Below are a few results. I started reading about IFS and other possible ways of avoiding the space character ;]


So far so good:


Checking:

Still nope (a difference for the same command on 2 Linux machines):


Again, but this time:
- we will have only one shot/command when the root shell is launched
- let's prepare a small bash script in /tmp to run as our 'one-shot command'

So (running our for() loop again) we should be here:

Last part:


I must say that it was a very cool CTF :)

Big thanks go to 8bitsec for preparing MinU:1.
Also big thanks go to VulnHub for sharing all of those games.

See you next time.

Cheers