Monday, 25 March 2019

RootThis CTF

The next CTF I tried was RootThis CTF from VulnHub, prepared by Fred Wemeijer. Below you will find a few details from the journey...
I started with a scan of the target box. There was only 1 (TCP) port open, so I started to dig a bit...


First things first: a little ('directory') enumeration:


As you can see, there was an interesting resource called 'backup'. I downloaded it and renamed it to a zip file. The next thing I tried was, of course, to unzip the backup zip file. ;]

So now we should be somewhere here:


(Just like a few times before) to check the "password strength" ;) I used fcrackzip, like this:


Let's try:

Inside the extracted file we find a dump from the DB. Cool. Checking - maybe we'll find some password(s):


More:


Let's say we have those two to try:


Checking:



I wasn't sure why it took so long... So I restarted the session (of john, this time also using the correct parameters ;]). So:




Yep. 
So what now?

I was wondering if I'd be able to prepare an attack similar to all of those cases when you already "got the admin's password" - like for Joomla or WordPress... but how to do something similar in Drupal? I decided to create my own 'module' and upload it as our 'admin' user - webman:


Ready to go:

If you would like more details about building your own module, I suggest reading this page [1, 2]. (By the way, I saw that there is also an interesting module, but we will create our own anyway ;))

Let's start here: create a new directory (mine is sample_module2). Inside we will create 3 files:

- form_example.info:


- form.example.module:




- form_example.module:



Now we should be ready to 'pack' it and move it to our wwwroot, like this:




We can upload our new module directly via Drupal's admin panel, but I used another way: pointing to a link to download the 'new module':


"Install new module:"


"Install":

Should be ready:


Enable and save configuration if needed:


Our new form is ready to use:

Checking:


Looks like we need something more:


As you remember, we placed our 'evil code' in the event when your price is 'not good', so we must 'run' it:
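Seen from the defender's side, a module planted this way is ordinary PHP sitting in a directory that carries a .info file. The audit below is an added example, not code from the original post: it walks a modules tree and reports command-execution calls inside module directories. The watch list of PHP functions and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# PHP calls that run OS commands or evaluate code (assumed watch list, extend as needed).
RISKY_CALLS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
# The lookbehind skips methods (->exec), statics (::exec) and names like curl_exec.
CALL_RE = re.compile(r"(?<![\w>$:])(" + "|".join(RISKY_CALLS) + r")\s*\(", re.I)
PHP_EXTS = (".module", ".inc", ".install", ".php")


def scan_modules(root):
    """Return (relative path, line number, call) for risky calls inside module directories."""
    findings, module_roots = [], []
    for dirpath, _dirs, files in os.walk(root):
        if any(f.endswith(".info") for f in files):
            module_roots.append(dirpath)  # a .info file marks a module directory
        if not any(dirpath == r or dirpath.startswith(r + os.sep) for r in module_roots):
            continue
        for name in sorted(files):
            if not name.endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for match in CALL_RE.finditer(line):
                        findings.append((os.path.relpath(path, root), lineno, match.group(1).lower()))
    return findings


def demo():
    """Scan a constructed module tree (sample content, not the files from the post)."""
    with tempfile.TemporaryDirectory() as root:
        mod = os.path.join(root, "form_example")
        os.makedirs(os.path.join(mod, "includes"))
        samples = {
            "form_example.info": "name = Form example\n",
            "form_example.module": "<?php\n$body = curl_exec($ch);\n$db->exec($sql);\nsystem($cmd);\n",
            os.path.join("includes", "helper.inc"): "<?php\n// nothing risky here\n",
        }
        for rel, text in samples.items():
            with open(os.path.join(mod, rel), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_modules(root)


if __name__ == "__main__":
    for path, lineno, call in demo():
        print(f"{path}:{lineno}: {call}()")
```

Hits are leads for review rather than verdicts: comparing the module list against what was deliberately installed narrows them quickly.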



Cool. Now we'll need to obtain an 'interactive shell'. Let's do that.

My next step was to use venome.sh to prepare a PHP reverse shell. I copied it to my webroot again to download it via our new webshell:

Now we will need to:
- download it
- move it to Drupal's directory (as a PHP file)
- prepare a Metasploit handler
- visit our file via the browser


Remember to 'click here':

Our file is ready, checking:




Let's visit our new page:


Great!

Next:


Searching:


OK, so the next idea was to get 300 pwds from rockyou.txt on my Kali and prepare a script to use in that pseudo-interactive bash...

Preparing:



Checking if it will work on Kali:


So far so good. I copied both files (superbf.sh and part of rockyou.txt) to the target VM. Now we are ready to run it:


...and after a while...


You should see the result of your command:


I decided to change the superbf.sh script and replace the whoami command with 'chown www-data:www-data -R /root' ;)

Now we are here:


Thanks for preparing this cool CTF go to Fred Wemeijer.
Big thanks go to the VulnHub Team for sharing all of those games.


See you next time!


Cheers

