Monday 6 June 2016

BNE0x02 - Fuku challenge

Hello all,
Today it is the turn for the second BNE0x challenge.
Our tagret has assigned IP 192.168.56.101, let's run nmap to conduct services enumeration










Result is typical for a lot of CTF.
Web application




































So, we can see that the web application uses HDFLV_MOD_DESCR - this may be juicy information for us. But let's examine the web app further.








We know also that the application uses Joomla! 1.5. Let's run dirb



















The /administrator/ directory looks interesting... The robots.txt as well.


















and


















Now it's time for searching exploits. I have found Joomla 1.5.x Remote Admin Password Change. So, let's try perform exploitation.
BINGO! I have logged in as admin














We should look for feature to upload our reverse shell script.



















I found in the Internet how to upload backdoor using Joomla Admin Panel.






aaaannnndddd...











Excellent! We have obtained limited shell!
I have found in the /home directory bull subdirectory. This fact indicates that bull is system user.

Very good! We know that chkroot has widely known exploit (CVE: 2014-0476).
I had read instruction form the exploit and I have created update file
chmod a+w /etc/sudoers; chmod a+r /etc/sudoers
We have to wait about 5 minutes and BOOM!
We are able to edit sudores file and add www-data line with ALL privileges like a root.






Game over :-)