Tuesday, 12 July 2016

Kvasir: I challenge

As part of the challenge, Kvasir utilises LXC to provide kernel isolation. When the host VM boots, it can take a little bit of time before the containers become available. It is therefore advised to wait 30-60 seconds after the login prompt is presented before attacking the VM. A few other pointers:
Not every LXC is 'rootable'
No SSH brute-forcing is required

Scanning all ports in aggressive mode gave the following:
80/tcp open  http    Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
Nothing complex. Apache 2.2.22 does not have a critical vulnerability, so let's examine the web application instead.

Dirb found the following paths:
---- Scanning URL: ----
+ (CODE:302|SIZE:365)
+ (CODE:403|SIZE:290)
+ (CODE:200|SIZE:464)
+ (CODE:403|SIZE:295)
I looked at the login form more deeply and I think it contains a Blind SQL Injection vulnerability, because when I use credentials such as test:test I got the response "Login Failed", but when I use SQL syntax with OR I got the response "Forbidden". Unfortunately I can't exploit it.
The Dirb results include an admin.php file, so let's try opening it.
We are redirected to index.php. Hmm, let's try changing the 302 in the response to 200.

Great! We got the following result:

Wow! That worked. Are you also thinking about Remote Command Execution? Let's try submitting apache2; ls -la

Excellent! We can do that! I have uploaded a PHP backdoor using nc.
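The two admin.php defects walked through above (a 302 redirect whose response body still carries the protected page, and a service name handed to a shell) as an added PHP example; this is not the VM's own code. The session key, the request parameter name and the service list are assumptions.

```php
<?php
// Added example, not the Kvasir VM's code: the two admin.php defects this
// write-up exploits, each as the broken pattern beside its fix. The session
// key, the request parameter and the service list are assumptions.

session_start();

// Defect 1: a redirect that does not stop the script.
// A 302 only asks the client to go elsewhere. If execution continues after
// header(), the protected page is still rendered into the response body, so a
// client that ignores the Location header (or rewrites 302 to 200) reads it.
function require_admin_broken(): void {
    if (empty($_SESSION['is_admin'])) {
        header('Location: index.php');   // no exit: the page below still renders
    }
}

// Fixed: terminate the request immediately after sending the redirect.
function require_admin(): void {
    if (empty($_SESSION['is_admin'])) {
        header('Location: index.php', true, 302);
        exit;                            // nothing past this line reaches the body
    }
}

// Defect 2: a service name interpolated into a shell command line.
// The shell parses the string, so "apache2; ls -la" runs a second command.
function service_status_broken(string $name): string {
    $out = shell_exec("service $name status");
    return is_string($out) ? $out : '';
}

// Fixed: accept only names from a fixed allowlist and quote the argument.
// escapeshellarg() alone would neutralise the ";", but the allowlist also
// stops callers from querying arbitrary service names.
const ALLOWED_SERVICES = ['apache2', 'mysql'];   // assumed list for this example

function service_status(string $name): string {
    if (!in_array($name, ALLOWED_SERVICES, true)) {
        http_response_code(400);
        return 'unknown service';
    }
    $out = shell_exec('service ' . escapeshellarg($name) . ' status');
    return is_string($out) ? $out : '';
}

require_admin();
echo '<pre>' . htmlspecialchars(service_status($_GET['service'] ?? '')) . '</pre>';
```

A quick check for the first defect on any site: fetch a protected page without a session and compare the 302 response's body length with the page it redirects to; a redirect carrying hundreds of bytes of HTML, like the SIZE:365 entry in the Dirb output, is the symptom.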