Friday, 17 June 2016

CTF7 challenge

Hello,
Scanning phase













 













As in the above picture we can see that our target serves us 22 (SSH), 80 (Web application), 139 (Samba), 901 (Samba as well), 8080 (Web app or http proxy) and 10000 (Webmin).
Apache 2.2.15 doesn't have associated known exploit.
Let's browse the web apps.




















Nothing special. In a source code there is also comments which are useless for us right now. Let's run DirBuster
























Ow, there are a lot (too lot) of files and directories. Maybe let's jump to port 8080.











Great, it looks friendly, so let's try use SQL inection attack.... and.... BINGO! We have obtained access to admin account.





















Nice! But I didn't find an opportunity to upload reverse shell backdoor. So let's run again DirBuster











Also nothing gaudy for our eyes. But I have found in the Reading Room following form with possibility of uploading some file


























I am pretty sure that we should obtain reverse shell using the form but let's examine other ports.

I have browsed port 10000 (webmin) and I was trying login using default credentials but without success. I am blocked because too many invalid credentisl... grr......
So, let's use sqlmap against the vulnerbale admin form to SQLi. Wow, without success... I don't know what the hell is going on. I create my accout in the Mad Irish Hacking Academy and I clicked on my profile.


























I submit this form and I have got following URL
http://192.168.56.102/profile&id=115
Maybe id parameter is vulnerable to SQLi? BINGO! (I verified this using AND statement).







Let's go deeper into these databases.
Unfortunately I have got for all databases the same response - Forbidden.
Probably SQL Injection does not give us opportunity to steal credentials

So, I have no other ideas. Let's come back to our 8080 port and let's try upload our PHP backdoor
We know that this web application has assets directory and probably there is our shell.php

















Execute the shell.php file gives us....








Excellent! We able to login to mysql without password as root!

























Amazing! There are probably md5 hashed passwords. Let's penetrate deeper












What a surprise!  But I decided to crack passwords from users table firstly and I have got
brian:my2cents
john:transformersrule
alice:
turtles77
ruby:
test
leon:
qwer1234
julia:
madrid
michael:
somepassword
bruce:
LosAngelesLakers
neil:
Jets4Ever
charles:
chuck33
Great! Now, I am wondering about trying login as each of them and check what kind of privileges have each of them.



























Game over!