Today it is the turn of the second BNE0x challenge.
Our target has the IP address 192.168.56.101; let's run nmap to enumerate its services.
The result is typical for a lot of CTFs.
Web application
So, we can see that the web application uses HDFLV_MOD_DESCR; this may be juicy information for us. But let's examine the web app further.
We also know that the application uses Joomla! 1.5. Let's run dirb.
The /administrator/ directory looks interesting... The robots.txt as well.
and
Now it's time to search for exploits. I have found Joomla 1.5.x Remote Admin Password Change. So, let's try to exploit it.
BINGO! I have logged in as admin.
We should look for a feature that lets us upload our reverse shell script.
I found on the Internet how to upload a backdoor using the Joomla Admin Panel.
aaaannnndddd...
Excellent! We have obtained a limited shell!
In the /home directory I have found a bull subdirectory, which indicates that bull is a system user.
Very good! We know that chkrootkit has a widely known exploit (CVE-2014-0476).
I read the instructions from the exploit and created the update file with the following content:

chmod a+w /etc/sudoers; chmod a+r /etc/sudoers

We have to wait about 5 minutes and BOOM!
We are able to edit the sudoers file and add a www-data line with ALL privileges, like root.
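As an added defender-side example (not part of the original write-up): a small audit that looks for the traces this privilege escalation leaves behind. It assumes a chkrootkit release affected by CVE-2014-0476, which executes a file named update from its temporary directory (/tmp by default), and takes the sudoers path and temp directory as parameters so it can be run against lab copies of the files.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits the indicators left by
# the chkrootkit CVE-2014-0476 abuse described above:
#   1. a file named "update" in chkrootkit's temp dir (it gets run as root),
#   2. /etc/sudoers no longer 0440 (the payload runs chmod a+w / a+r on it),
#   3. a web-server account (www-data) granted ALL in sudoers.
# Usage: audit_chkrootkit_traces SUDOERS_FILE TMP_DIR
# Prints one FINDING line per hit; exit status 0 means nothing was found.
audit_chkrootkit_traces() {
    sudoers="$1"
    tmpdir="$2"
    findings=0

    # 1. Presence of the trigger file is a strong indicator on its own.
    if [ -e "$tmpdir/update" ]; then
        echo "FINDING: $tmpdir/update exists (chkrootkit CVE-2014-0476 trigger)"
        findings=$((findings + 1))
    fi

    # 2. sudoers must stay 0440 root:root; GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$sudoers" 2>/dev/null || stat -f %Lp "$sudoers" 2>/dev/null)
    case "$mode" in
        440|0440) ;;
        *) echo "FINDING: $sudoers mode is ${mode:-missing}, expected 440"
           findings=$((findings + 1)) ;;
    esac

    # 3. The web server account should never have a sudoers entry at all.
    if grep -Eq '^[[:space:]]*www-data[[:space:]]+ALL' "$sudoers" 2>/dev/null; then
        echo "FINDING: www-data has a sudoers entry in $sudoers"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

On a real host run it as root, e.g. `audit_chkrootkit_traces /etc/sudoers /tmp`, and treat any FINDING line as a reason to pull the box for investigation.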
Game over :-)