Tuesday, 13 September 2016

NullByte 1 - CTF

Yesterday I was playing with another CTF from VulnHub. This time I decided to try NullByte 1...

I started by discovering the host (I used netdiscover -r <range> to do that):




After the scan I saw that we have 3 (TCP) ports open here:

80/tcp  open  http    syn-ack Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind syn-ack 2-4 (RPC #100000)
777/tcp open  ssh     syn-ack OpenSSH 6.7p1 Debian 5 (protocol 2.0)


Ok, we will not try rpcbind and ssh for now. Let's try HTTP:



Cool. The next thing was checking directories (with dirb) to look for something interesting:



I saw that there is a /phpmyadmin/ directory, so I started to think that maybe we should use some PMA (phpMyAdmin) vulnerability to get inside the host... Let's try the WWW first:


As there was nothing interesting in the source code, I decided to check the GIF file included on the page. To review it I used exiftool. I found a weird comment inside the image:


At first I thought maybe it was the PMA admin password. It was not... :)

So - I thought - maybe it's a directory hidden somewhere under the WWW root...


Looks like it is :) I was wondering what the valid key to access the next page was. I decided to use Burp Suite as a brute-force tool:


Indeed, we have a valid key now. Checking:




Ok, good. Another form. I tried some injection tests on it:


Ok, cool. Let's add the super-cool hacking char (") ;)


This is what I'm looking for. :)


Continue please...


Ok, we got the DB:


Some kind of passwords and some users. Cool. Maybe we will use those later. Next I decided to check if we can access the SQL shell (available in sqlmap via the --sql-shell parameter):


Ok, nice. Can we read some files from the target host via this SQLi?


Of course. :) Let's find a config.php, install.php or other file with some juicy info in it...
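The injection chain above (a form that breaks on a double quote, sqlmap enumerating the database, then files read through the database server) is noisy on the server side. As an added, defensive example that is not part of the original write-up, here is a small Python script that parses Apache combined-format access logs and flags requests carrying quote characters, SQL keywords or comment markers in the query string, a known scanner User-Agent, or a burst of requests against a single path (the pattern a key brute force like the one earlier leaves behind). The log lines, the paths /search.php and /key.php, and the IP addresses are all constructed for this example; nothing here comes from the NullByte VM.

```python
"""Flag SQL-injection style requests in Apache combined-format access logs.

Added, defensive example. The sample log below is constructed for the
example and is not taken from the NullByte VM or the original write-up.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Tokens that rarely appear in legitimate form input but are typical of
# injection probing and automated enumeration (UNION-based dumps,
# information_schema walks, file reads through the DB server).
SQL_TOKENS = re.compile(
    r"\b(?:union\s+select|information_schema|load_file|into\s+(?:out|dump)file|"
    r"sleep\s*\(|benchmark\s*\(|order\s+by\s+\d+)",
    re.IGNORECASE,
)
COMMENT_MARKERS = re.compile(r"(--\s|#|/\*)")
SCANNER_UA = re.compile(r"sqlmap|nikto|dirb", re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def injection_reasons(entry):
    """List the rules a single parsed request triggers (empty list = clean)."""
    decoded = unquote_plus(urlsplit(entry["target"]).query)
    reasons = []
    if "'" in decoded or '"' in decoded:
        reasons.append("quote character in query string")
    if SQL_TOKENS.search(decoded):
        reasons.append("SQL keyword in query string")
    if COMMENT_MARKERS.search(decoded):
        reasons.append("SQL comment marker in query string")
    if SCANNER_UA.search(entry["ua"]):
        reasons.append("known scanner User-Agent")
    return reasons


def scan(log_text):
    """Parse every line and return (ip, target, reasons) for flagged requests."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        reasons = injection_reasons(entry)
        if reasons:
            flagged.append((entry["ip"], entry["target"], reasons))
    return flagged


def brute_force_sources(log_text, threshold=20):
    """(ip, path) pairs hit at least `threshold` times; a guessing tool run
    against one form shows up here even when every request looks benign."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            hits[(entry["ip"], urlsplit(entry["target"]).path)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


def _line(ip, sec, method, target, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (hypothetical traffic)."""
    return (f'{ip} - - [13/Sep/2016:10:00:{sec:02d} +0200] '
            f'"{method} {target} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample: two benign requests, a quote probe, two sqlmap-style
# requests, and a 25-request burst against a hypothetical key form.
SAMPLE_LOG = "\n".join(
    [
        _line("10.0.0.5", 1, "GET", "/index.php", 200),
        _line("10.0.0.5", 2, "GET", "/search.php?user=alice", 200),
        _line("10.0.0.9", 3, "GET", "/search.php?user=alice%22", 500),
        _line("10.0.0.9", 4, "GET", "/search.php?user=a%22+UNION+SELECT+1,2,3--+-",
              200, "sqlmap/1.0"),
        _line("10.0.0.9", 5, "GET",
              "/search.php?user=a%22+UNION+SELECT+LOAD_FILE(%27/var/www/config.php%27)--+-",
              200, "sqlmap/1.0"),
    ]
    + [_line("10.0.0.9", 6 + i, "POST", "/key.php", 200) for i in range(25)]
)

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, "; ".join(reasons))
    print("burst sources:", brute_force_sources(SAMPLE_LOG))
```

Pipe a real access log into scan() and brute_force_sources() to get the same two views: individual requests worth a look, and sources hammering one path. The quote rule alone will produce false positives on forms that legitimately accept apostrophes, so treat it as a first filter and weigh the SQL keyword, comment marker and scanner rules higher when triaging.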



Ok, a password for the root user! Great! Maybe we can use it now:


Not yet. :) Next, let's check what else is inside the DB. We can find more users there:


Great, let's check the password for the phpmyadmin user:


Cool! When I saw this I knew that there is a way to upload a shell via phpMyAdmin... but unfortunately I wasn't able to do that (via the phpmyadmin user), so I decided to grab sqlmap again and get more DB data. And that's how I found that the root user has the same password as the phpmyadmin user. Let's check if we can log in as root now:


Sure we can. :) Now I started to think about raptor_udf exploits or maybe some webshell uploading... I started with a simple test:


Hm... Am I right? :)


Looks like we're in :)

Yes, you're right. It's time for reverse shell!


A quick review of the files located in the WWW root:


Ok, cool. But let's switch to Python's pty:

Ok, more:


So now I was thinking about running the raptor_udf sploit. You can find it on Google:

After a while I knew that this was not a good idea (MySQL is not running 'properly' for this exploit to work):


I decided to go back to the database again and check what else is there. I knew that there is a user list with some passwords. I grabbed the first user (ramses) and tried to Google his password:

Some results below:

Cool! Trying...

Inside the /backups/ directory I found an interesting file:

As you can see, I was wondering if this is just a script to run the ps command or not. I decided to check it like this:


Ok, preparing...

Ok, seems like we've got euid = 0. To be sure of that:


So, yes. Game over :)


It was a great pleasure to play this CTF. Special thanks go to the author, ly0n.
And as always: thanks again to the VulnHub team for hosting this game.

See you next time... :)

Cheers!




