Friday, 17 June 2016

CTF7 challenge

Scanning phase


As in the above picture we can see that our target serves us 22 (SSH), 80 (Web application), 139 (Samba), 901 (Samba as well), 8080 (Web app or http proxy) and 10000 (Webmin).
Apache 2.2.15 doesn't have associated known exploit.
Let's browse the web apps.

Nothing special. In a source code there is also comments which are useless for us right now. Let's run DirBuster

Ow, there are a lot (too lot) of files and directories. Maybe let's jump to port 8080.

Great, it looks friendly, so let's try use SQL inection attack.... and.... BINGO! We have obtained access to admin account.

Nice! But I didn't find an opportunity to upload reverse shell backdoor. So let's run again DirBuster

Also nothing gaudy for our eyes. But I have found in the Reading Room following form with possibility of uploading some file

I am pretty sure that we should obtain reverse shell using the form but let's examine other ports.

I have browsed port 10000 (webmin) and I was trying login using default credentials but without success. I am blocked because too many invalid credentisl... grr......
So, let's use sqlmap against the vulnerbale admin form to SQLi. Wow, without success... I don't know what the hell is going on. I create my accout in the Mad Irish Hacking Academy and I clicked on my profile.

I submit this form and I have got following URL
Maybe id parameter is vulnerable to SQLi? BINGO! (I verified this using AND statement).

Let's go deeper into these databases.
Unfortunately I have got for all databases the same response - Forbidden.
Probably SQL Injection does not give us opportunity to steal credentials

So, I have no other ideas. Let's come back to our 8080 port and let's try upload our PHP backdoor
We know that this web application has assets directory and probably there is our shell.php

Execute the shell.php file gives us....

Excellent! We able to login to mysql without password as root!

Amazing! There are probably md5 hashed passwords. Let's penetrate deeper

What a surprise!  But I decided to crack passwords from users table firstly and I have got
Great! Now, I am wondering about trying login as each of them and check what kind of privileges have each of them.

Game over!