We will start here:
After quick scan (using enlil.py) I decided to use gobuster against WWW server:
Not much, so I switched to Burp (and the browser):
Ok, there is "something" to send to Burp's Intruder. Enumerating the page:
Fuzzing with Burp:
After a while (with www-enumeration) I decided to go to WebDeveloperTools (F12) to check Debugger tab. Reading the part related to 'authentication':
More (about the 'sessions'):
At this stage I decided to bruteforce all of the username('s passwords using cluster bomb attack):
Not much. Using Sniper again with different wordlist:
Good:
I decided to edit the value and change it to the one I found in JS code (value decoded online):
This is the way how I was able to reach the 'admin-part-of-the-webapp':
More fuzzing in the mean time and you should see the same error with full path disclosured:
Few minutes with Google and you will find the source code at Github:
Verifying the bug:
Looks like it works :) More:
Now:
Let's download and run our generated payload:
Checking with Metasploit:
So far, so good. We got the meterpreter session:
Checking how to root the box:
Grabbing some passwords to use during later attack(s):
We will use this bug to get root access:
Generating new passw(or)d:
Get our new passwdD file:
Checking:
Looks like it's done. :)
I must say that this was very cool CTF :)
Big thanks to the author as well as to VulnHub for sharing all of those games!
See you next time!
Cheers
Brak komentarzy:
Prześlij komentarz