Monday, 6 June 2016

BNE0x02 - Fuku challenge

Hello all,
Today it is the turn of the second BNE0x challenge.
Our target has been assigned an IP address, so let's run nmap to enumerate its services.

The result is typical for a lot of CTFs.
Web application

So, we can see that the web application uses HDFLV_MOD_DESCR - this may be juicy information for us. But let's examine the web app further.

We also know that the application uses Joomla! 1.5. Let's run dirb.

The /administrator/ directory looks interesting... The robots.txt as well.


Now it's time to search for exploits. I found the Joomla 1.5.x Remote Admin Password Change exploit, so let's try to perform the exploitation.
BINGO! I have logged in as admin.

We should look for a feature that lets us upload our reverse shell script.

I found on the Internet how to upload a backdoor using the Joomla admin panel.


Excellent! We have obtained a limited shell!
In the /home directory I found a bull subdirectory, which indicates that bull is a system user.

Very good! We know that chkrootkit has a widely known exploit (CVE-2014-0476).
I read the instructions from the exploit and created the update file:
chmod a+w /etc/sudoers; chmod a+r /etc/sudoers
We have to wait about 5 minutes and BOOM!
We are able to edit the sudoers file and add a www-data line with ALL privileges, like root.
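
From the defender's side, the end state described above is easy to check for. The following added example (not part of the original post) audits a sudoers file for the world-read/write permission bits and for an active rule naming a service account; the function name audit_sudoers and the default account www-data are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a sudoers file for the
# changes the write-up ends with (loosened mode bits, rule for a web account).

audit_sudoers() {
    file=$1
    account=${2:-www-data}   # assumption: the web server account to look for
    rc=0

    [ -f "$file" ] || { echo "ERROR: $file is not a regular file"; return 2; }

    # find -perm -NNNN matches when all listed bits are set (POSIX find).
    if [ -n "$(find "$file" -prune -perm -0002)" ]; then
        echo "FINDING: $file is world-writable"
        rc=1
    fi
    if [ -n "$(find "$file" -prune -perm -0004)" ]; then
        echo "FINDING: $file is world-readable"
        rc=1
    fi

    # Active (non-comment) rules that start with the service account name.
    rules=$(grep -E "^[[:space:]]*${account}[[:space:]]" "$file" || true)
    if [ -n "$rules" ]; then
        echo "FINDING: sudo rule for $account: $rules"
        rc=1
    fi

    return $rc
}

# Usage: sh audit_sudoers.sh /etc/sudoers [account]   (needs read access to the file)
if [ "$#" -gt 0 ]; then
    audit_sudoers "$@"
fi
```

The function returns 0 when the file is clean, 1 when it reports any finding and 2 when the path is not a regular file, so it can be dropped into a cron job or a configuration-compliance check.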

Game over :-)