Below you will find some notes about Prime:1 CTF from VulnHub prepared by Suraj Pandey. Here we go...
Today we will start here:
When my VM was ready I started from normal portscan using nmap.
Not much, but we will try anyway ;) The next step was to check the WWW:
Logo looks familiar ;)
So I switched to the console windows to run gobuster:
As you can see (read as: "always remember to") I scanned both: directories and extensions. This can be very important during enumeration. To be honest, I remember a few CTFs where I lost a few hours enumerating dirs... and not enumerating files/extensions ;)
So now we should be somewhere here:
A few words from the author... ;) The next webpage in your results from gobuster will be a link to the WordPress CMS. I decided it would be cool to check a few default passwords in the panel I found... let's try something obvious ;) Login - admin - right?
Hm... as far as I remember, (unpatched) WordPress will tell me that the 'password is wrong' only for an existing user, and here it did not say that for 'admin'. So it is not the 'admin' user! So - trying harder again - I was wondering where the username I'm looking for is.
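Both of the points above (scanning directories and extensions, then poking at the WordPress login) leave a very characteristic trail in the web server's access log. As an added example that is not part of the original post, here is a small Python checker run over constructed Apache-style log lines; it flags a client that produces a burst of distinct 404s with probed extensions, and one that repeatedly POSTs to wp-login.php. The log lines, thresholds and IPs are all made up for the demo.

```python
import re
from collections import defaultdict

# Constructed Apache-style access-log lines (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /dev HTTP/1.1" 404 290
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /dev.txt HTTP/1.1" 200 131
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /secret.txt HTTP/1.1" 200 412
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /backup.php HTTP/1.1" 404 290
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /admin.php HTTP/1.1" 404 290
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /uploads.txt HTTP/1.1" 404 290
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /config.php HTTP/1.1" 404 290
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /test.txt HTTP/1.1" 404 290
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3012
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3012
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3012
"""

# ip, method, path and status code from the common log format
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def analyse(log_text, max_404=5, max_login_posts=2):
    """Return {ip: [reasons]} for clients whose request pattern looks like
    dir/extension enumeration or repeated wp-login.php attempts."""
    misses = defaultdict(set)      # ip -> distinct paths that returned 404
    logins = defaultdict(int)      # ip -> number of POSTs to wp-login.php
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue               # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if status == "404":
            misses[ip].add(path)
        if method == "POST" and path.endswith("/wp-login.php"):
            logins[ip] += 1
    findings = defaultdict(list)
    for ip, paths in misses.items():
        if len(paths) > max_404:
            # extensions the client tried, taken from the last path segment
            exts = {p.rsplit(".", 1)[1] for p in paths if "." in p.rsplit("/", 1)[-1]}
            findings[ip].append(f"{len(paths)} distinct 404s (extensions probed: {sorted(exts)})")
    for ip, n in logins.items():
        if n > max_login_posts:
            findings[ip].append(f"{n} POSTs to wp-login.php")
    return dict(findings)

if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds are deliberately low so the demo triggers; on a real server you would tune them to the normal 404 rate of the site.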
So at this stage I continued trying harder (by more enumeration ;)).
And this is what I found:
;D
Yeah, I know... So - as we already have the username (victor) - you can see that there is a bonus hint to check: 'Guest Session' ;) I decided to start my journey again - this time from the guest-user entry level:
So here we go again... ;)
Hi, this time I will try to solve the Prime:1 CTF from VulnHub... We will start somewhere here:
Ok, cool. We cannot see anything inside the /home or /root directory. The next thing I tried (during the hours I lost some time again) was to grab the LinEnum script and run it as my guest user:
Unfortunately not much. So at this stage I was looking for anything I could use to escalate privs.
Cool, nice. But I only saw this file after the VM was rooted ;) So let's skip it for now and go directly to this one:
This is more interesting, isn't it? ;)
Checking:
It's pretty much (still ;)) the same - we have low-level-user shell access. This time via Metasploit.
Reading the OS files you'll see that there is an interesting account in the passwd file:
Checking:
Ok, cool. Let's try to use it now:
Nope for the saket user. The next one is:
And we should be somewhere here, editing our favourite part of the Wordpress - themes:
As you will see, we cannot edit all the files... I decided to use a secret one. The next step is to save the file and visit our reverse shell:
Ok, looks like we can do a little bit more now:
Next step?
It's time for the last stage of... verification:
I believe this box can be done in a few different ways, but I will leave that to you as an exercise. ;)
See you next time!
Cheers