Tuesday, 20 August 2019

Bulldog2 CTF

This time I decided to check out the Bulldog:2 CTF from VulnHub, prepared by Nick Frichette. Below you will find the details. Here we go...
We will start here:


After a quick scan (using enlil.py) I decided to use gobuster against the WWW server:


Not much, so I switched to Burp (and the browser):


Ok, there is "something" to send to Burp's Intruder. Enumerating the page:

So far, so good. We got a few users to check:


Fuzzing with Burp:
Ok, now we have a few more details about the user(s):


After a while (with www-enumeration) I decided to go to Web Developer Tools (F12) to check the Debugger tab. Reading the part related to 'authentication':


More (about the 'sessions'):


At this stage I decided to brute-force all of the usernames' passwords using a cluster bomb attack:


Not much. Using Sniper again with a different wordlist:


Good:


I decided to edit the value and change it to the one I found in JS code (value decoded online):


This is how I was able to reach the 'admin-part-of-the-webapp':


More fuzzing in the meantime and you should see the same error with the full path disclosed:


A few minutes with Google and you will find the source code on GitHub:


Verifying the bug:

Looks like it works :) More:


Now:


Let's download and run our generated payload:


Checking with Metasploit:


So far, so good. We got the meterpreter session:


Checking how to root the box:


Grabbing some passwords to use during later attack(s):

Still not much... :) I decided to download LinEnum.sh script:



We will use this bug to get root access:


Generating new passw(or)d:


Get our new passwd file:


Checking:


Looks like it's done. :)


I must say that this was a very cool CTF :)

Big thanks to the author as well as to VulnHub for sharing all of those games!



See you next time!

Cheers


