Today I decided to check Symfonos:1 CTF shared by VulnHub. Here we go...
We will start here:
During the scan I tried gobuster against the target host:
Not much. Checking SMB:
Ok that file got my attention. ;] Checking:
So we got (at least) a few passwords to check. Cool. Then I tried another open port - 25/tcp:
As you can see, using the 'unprotected' VRFY command we can enumerate users on the remote box. More:
So, as you can see, I tried the helios username for smbclient as well:
Hint from attention.txt file was good. ;] Next:
We found some txt files. todo.txt could be one of the files where we can find some hints. My favourite was the /helios link. Checking:
Great, Wordpress. Using wpscan to enumerate the page:
More:
And we found some bugs:
Hints from the source (line 4 ;)):
Checking the bug:
Let's try it:
Great, checking apache2 config:
Next I was looking for a way to inject some code and get a (reverse?) shell. Checking access.log:
Nope. But then I realised that maybe we (as user helios) can access our email (a file on the remote box)?
Checking:
Get emails:
Good, next:
Maybe we can read our new email too:
Great :) I prepared a reverse shell using metasploit (just like during the last CTF):
File is there:
We can proceed:
Cool. :) Let's look around in the target box:
That's how I found some new passwords:
Ok, our session is ready, we can move on:
Looking for interesting (suid) files:
And there is something in /opt/ directory, let's check it:
Reading the ELF with strings:
Ok, so if the binary is looking for curl, and in the strings listing we can find system (I assumed that this is a function name ;)), maybe there is a simple way: overwrite the binary in the current PATH:
Indeed:)
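From the defender's side, the root cause of that last step is a privileged binary that calls `system("curl ...")` and so lets the caller's PATH decide which `curl` runs. The C below is an added example, not code from the CTF or the original writeup: `run_weak` reproduces the weak pattern (a relative command resolved by PATH through `/bin/sh`), `run_fixed` shows the hardening a practitioner would expect (absolute path, no shell, a fixed environment, and privileges dropped before exec), and `uses_path_lookup` is a small hypothetical check you could run over extracted strings to flag the weak pattern. The curl location `/usr/bin/curl` is an assumption.

```c
// Added example (not from the original writeup): PATH-hijackable helper vs. hardened helper.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns 1 if a command string names its program relatively (resolved via PATH),
   0 if it starts with an absolute path. Hypothetical helper for auditing
   command strings pulled out of a binary with `strings`. */
int uses_path_lookup(const char *cmd) {
    while (*cmd == ' ' || *cmd == '\t') cmd++;   /* skip leading whitespace */
    return cmd[0] != '/';
}

/* The weak pattern: system() hands the string to /bin/sh, which looks "curl" up
   in whatever PATH the caller provided. Kept only as the 'before' for comparison. */
int run_weak(const char *url) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "curl %s", url);   /* "curl" is relative -> PATH lookup */
    return system(cmd);
}

/* Hardened pattern: execute an absolute path with an explicit argv, no shell,
   a fixed minimal environment, and elevated privileges dropped in the child.
   Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_fixed(const char *prog_path, char *const argv[]) {
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};   /* caller's PATH is ignored */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* drop any setuid/setgid privilege before running external code */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(127);
        execve(prog_path, argv, envp);               /* absolute path, no PATH search */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper for the curl case; /usr/bin/curl is an assumed location. */
int fetch_fixed(const char *url) {
    char *const argv[] = {"curl", "--", (char *)url, NULL};
    return run_fixed("/usr/bin/curl", argv);
}

int main(void) {
    printf("weak pattern uses PATH lookup: %d\n", uses_path_lookup("curl http://example.invalid"));
    printf("fixed pattern uses PATH lookup: %d\n", uses_path_lookup("/usr/bin/curl http://example.invalid"));
    return 0;
}
```

The difference a reviewer should look for in a SUID helper is not the name of the tool it calls but how it resolves and launches it: a relative program name, a `/bin/sh -c` round trip, or an inherited environment each hand control to the unprivileged caller.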
I must say it was very interesting CTF. :) Big thanks goes to Zayotic for preparing this game!
See you next time!
Cheers