Tuesday, 16 August 2016

Breach 2 challenege

"Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way."


Good, we can see that there is not NFS for RPC. Let's check SSH.

 Hmmm, blog? Scanning phase did not discover HTTP port. Let's try use password inthesource for peter SSH username.

Excellent! We have opened 80 port! As far as I know, Apache 2.4.10 does not have dedicated public known exploit. So, let's examine the web application (blog)

Ok, source code doesn't contain credentials and anything like that - only hint that web application administrators do not trust user. We know two exploits for BlogPHP CMS - XSS Stored and Remote Privilege Escalation. For me more interesting is the second.
Unfortunately it is not work, so let's try exploit XSS.

Probably we are on the right way.

Good! We have got administrator cookies. I was trying use stolen credentials, but without success... Let's look at Firefox version - 15.0. It is so old.
Let's look for some exploit. BINGO - CVE: 2013-1710!

Great! We have got limited shell! Let's upgrade our limited shell to meterpreter session.

So, good! I have got a shell and run netstat -antp to find what kind of services is running on our victim machine. There is 2323 so I decided to perform remote port forwarding to my 7777 port and

Hmmm, strange... But the numbers indicates Houston City in Texas (USA). Maybe it is a password for milton, peter, bill or blumbergh? Let's try. It works for milton! I run again netstat -antp and there is interesting port 8888, so again - let's perform remote port forwarding!

Good! Let's browse it. BINGO!

OK, let's click on oscommerce link

Very good, dirb found admin panel but there doesn't work credentials which we stole using SQL Injection. But admin:admin works!

Nice! I have found File Manager

So, let's try upload reverse shell. TO do this - we have to find writable directory. BINGO! Work directory is writable - I have uploaded reverse shell script and

Excellent! Now we have to use tcpdump to get root shell. I found great article about it.
I followed step by step and I have obtained reverse ROOT shell.

Unfortunately /root/flag.txt file does not exist so, let's locate flag file.

Game over!

This challnege was extremely amazing!