Friday 13 January 2017

HackDay Albania 2016

Hello,

Description
This was used in HackDay Albania's 2016 CTF.

Scanning phase
Our nmap scanning show us, that our target has assigned 192.168.56.101 address.

So, looking at the host deeper, we can see that there are couple open ports.








Good, let's begin our penetration test from 8008 port.














Nice picture. Let's look at robots.txt file
Disallow: /rkfpuzrahngvat/
Disallow: /slgqvasbiohwbu/
Disallow: /tmhrwbtcjpixcv/
Disallow: /vojtydvelrkzex/
Disallow: /wpkuzewfmslafy/
Disallow: /xqlvafxgntmbgz/
Disallow: /yrmwbgyhouncha/
Disallow: /zsnxchzipvodib/
Disallow: /atoydiajqwpejc/
Disallow: /bupzejbkrxqfkd/
Disallow: /cvqafkclsyrgle/
Disallow: /unisxcudkqjydw/
Disallow: /dwrbgldmtzshmf/
Disallow: /exschmenuating/
Disallow: /fytdinfovbujoh/
Disallow: /gzuejogpwcvkpi/
Disallow: /havfkphqxdwlqj/
Disallow: /ibwglqiryexmrk/
Disallow: /jcxhmrjszfynsl/
Disallow: /kdyinsktagzotm/
Disallow: /lezjotlubhapun/
Disallow: /mfakpumvcibqvo/
Disallow: /ngblqvnwdjcrwp/
Disallow: /ohcmrwoxekdsxq/
Disallow: /pidnsxpyfletyr/
Disallow: /qjeotyqzgmfuzs/
Good, let's add this path to some kind of dictionary and run Dirbuster.













Hmmm, /unisxcudkqjydw/ has smaller size of response than other. So, let's look at this path deeper.









OK, let's examine /vulnbank/











Great! Clicking on client/ directory











Excellent! But we don't know valid credentials. Unfortunately default credentials doesn't work... Let's try SQL Injection technique.










And indeed, very interesting, isn't it? Trying admin' || 1=1 # and password abcd, we are logged in!









Excellent, we are able to upload some file using Browse button.
I tried upload *.php file, but I have got message that the application allows only picture extensions such as *.jpeg, *.jpg, etc...
So, let's change extension of our PHP reverse shell from *.php to *.jpg.










Using python3.5 -c "import pty;pty.spawn('/bin/bash')" we can spawn shell.
Looking at config.php we can find












Unfortunately databases don't have useful passwords for us.
Looking at /etc/passwd, we can see useful information
-rw-r--rw- 1 root root 1623 Oct 22 17:21 /etc/passwd
Good, we are able to edit passwd file. So, we are able to add certain user with known password with root privileges.