Sunday, 12 June 2016

CTF6 challenge

As you can see, I decided to return to the LAMP Security series. So, now it is time for CTF6.

There are a lot of open ports: 22 (ssh), 80 (web), 111 (RPC), 443 (web), 635 (RPC), 3306 (MySQL).
What I find interesting is why the server has both ports 80 and 443 open. Let's browse the web application and display the source code.

Hmm, these users may exist as system users on our target, who knows?
The Home Page

Good, we also know that an admin user exists and that the application also serves webmail. The web application is probably also associated with Liquid CMS, but we don't know which version.
I clicked on the Read more link and got
I have verified that the id parameter is vulnerable to SQL injection. But let's keep testing the web app.
I tried SQL injection in the login panel at the URL
but without success, so let's come back to our SQLi in the id parameter.

Good, going deeper, we have found

Excellent! Let's log in as admin to CMS.

Good, I have uploaded the test.php file with the phpinfo() function as a proof of concept and

Executing the test.php file, we have got good news

So, we are pretty sure that we are able to upload a PHP backdoor. Let's do that.
Excellent! We have obtained a limited shell.
PS. We could also get a limited shell via phpMyAdmin (the credentials retrieved using SQLi are root:mysqlpass).
uname -a
gives us juicy information, for example the Linux kernel version. I have found an exploit for it and

Game over!
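
Seen from the defender's side, the probing of the id parameter described above leaves a clear trail in the web server access log, because an article id should only ever be a plain integer. The following is an added example, not part of the original walkthrough: the log lines, the /index.php path and the client addresses are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format (not taken from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jun/2016:10:00:01 +0000] "GET /index.php?id=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Jun/2016:10:02:13 +0000] "GET /index.php?id=4%27 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Jun/2016:10:02:40 +0000] "GET /index.php?id=4%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.66 - - [12/Jun/2016:10:03:02 +0000] "GET /index.php?id=4%2527 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Jun/2016:10:05:00 +0000] "GET /index.php?action=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, timestamp, request target and status of one combined-format line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
INTEGER_RE = re.compile(r"[0-9]+")


def suspicious_id_requests(log_text, param="id"):
    """Return (ip, timestamp, decoded value) for requests whose `param` is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group("target")).query
        # parse_qs URL-decodes once; a double-encoded value such as %2527
        # still contains '%' afterwards and therefore fails the integer check.
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if not INTEGER_RE.fullmatch(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


def hits_per_client(hits):
    """Count flagged requests per client address to spot a source that is probing."""
    counts = {}
    for ip, _ts, _value in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, ts, value in suspicious_id_requests(SAMPLE_LOG):
        print(f"{ts} {ip} id={value!r}")
```

The same allow-list rule (digits only) is what the application itself should enforce on id before the value reaches the database, together with a parameterized query.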