Hey Readers,
So here I'm up with another CTF I've recently solved. It was kinda tricky (unexpectedly). But after irritating seniors with my problems related to it, I finally managed to solve it all :P .
Download > https://www.vulnhub.com/entry/hackday-albania,167/
So first things first .. determining the target. I scanned the network for live devices. (Our target was at IP "192.168.0.107").
Alright, I did an intense scan on our target, covering the port range 0-10000, and ended up with 2 open ports: 8008 (Apache server) and 22 (SSH). I also got some directories.
$ sudo nmap -T4 -A -v -p 0-10000 192.168.0.107
Dirs I got :
/rkfpuzrahngvat/
/slgqvasbiohwbu/
/tmhrwbtcjpixcv/
/vojtydvelrkzex/
/wpkuzewfmslafy/
/xqlvafxgntmbgz/
/yrmwbgyhouncha/
/zsnxchzipvodib/
/atoydiajqwpejc/
/bupzejbkrxqfkd/
/cvqafkclsyrgle/
/unisxcudkqjydw/
/dwrbgldmtzshmf/
/exschmenuating/
/fytdinfovbujoh/
/gzuejogpwcvkpi/
/havfkphqxdwlqj/
/ibwglqiryexmrk/
/jcxhmrjszfynsl/
/kdyinsktagzotm/
/lezjotlubhapun/
/mfakpumvcibqvo/
/ngblqvnwdjcrwp/
/ohcmrwoxekdsxq/
/pidnsxpyfletyr/
/qjeotyqzgmfuzs/
I then opened the link "192.168.0.107:8008" on which Apache was running and got prompted with a message box "Ne qofte se jam UNE, e di se ku te shkoj " > Translated > "If I am, I know where to go".
I started visiting each dir and ended up with a meme :/
But there I found a directory named "unisxcudkqjydw" which had a slightly different page, pointing me to "/unisxcudkqjydw/vulnbank/" with the message "IS there any /vulnbank/ in there ???". I visited that link and got a login page of some "Vuln Bank".
I tried some random combinations for auth bypass but unfortunately none of them worked, except one:
Username : " '
Password : " '
Got prompted with an SQL error. I thought it was my lucky shot :P and tried sqlmap and various other SQLi tools, but the result was negative :/
Finally I downloaded a username and password list and ran it through hydra. LOL, my fate really worked (I don't use hydra and hate brute-force attacks :/ :P)
I got a working combination:
Username : ' or 'a' = 'a' --
Password : #
Okay!! So I was finally seeing some hope of solving it :).
Tried uploading php files directly, but that didn't work. I immediately generated a php backdoor via msfvenom and renamed it with the extension ".php.jpg". Opened a handler and executed the payload by visiting the link where it was saved.
Then I just gained a bash shell with the command :
$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'
I then checked all files and directories carefully to see if I could find some hint, but everything was useless. I thought config.php would work. I opened it and got the MySQL user and pass (root credentials for MySQL); I thought they could be the same credentials for the root user login too, but the result was negative.
After getting literally cooked up :P I checked for writable files on the machine with the command :
$ find / -writable -type f 2>/dev/null
LOL, I noticed /etc/passwd was writable :P Bingo !! That's where I struck on an idea ... "what if I manually add another user to the passwd file ?" (Reference which helped me).
I then generated a password hash using openssl.
Username : dope
Password : dope
Now I just went back to meterpreter. Opened and edited /etc/passwd with the "edit" option. Added the new user at the bottom, and saved the file.
dope:$1$MamNpKxX$/zIJhc75C0O9zRrTxxGYB/:0:0:test:/root:/bin/bash
The edited /etc/passwd looked like this :
At this point I was hopeful about getting escalated to root privileges soon.
And finally, I ran the command " su ", entered the password for the user I had just made, and Boom !! It worked :P Finally I captured the flag :D
$ su dope
$ id
$ cd /root && cat flag.txt
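The root cause here is twofold: /etc/passwd was writable, and a hash placed in the second field of a passwd entry is honoured by su instead of the entry in /etc/shadow, so one appended line is enough for a second UID 0 account. The script below is an added audit example, not part of the original writeup; it flags both conditions and runs against a constructed sample passwd (the "dope" line is the one from the writeup, the other two lines are made up).

```shell
#!/bin/sh
# Added audit example (not from the writeup). Flags the two conditions the
# walkthrough relied on: a world-writable /etc/passwd, and passwd entries that
# carry a password hash inline (bypassing /etc/shadow) or a second UID 0.

# Constructed sample passwd content; the last line is the one appended above.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
dope:$1$MamNpKxX$/zIJhc75C0O9zRrTxxGYB/:0:0:test:/root:/bin/bash'

# Read passwd-format lines on stdin, print one finding per line.
audit_passwd_entries() {
    awk -F: '
        NF != 7 { printf "MALFORMED %s\n", $1; next }
        $2 == "" { printf "EMPTY_PASSWORD %s\n", $1; next }
        $2 != "x" && $2 != "*" && $2 != "!" { printf "HASH_IN_PASSWD %s\n", $1 }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    '
}

# Report whether the given file (default /etc/passwd) is world-writable.
# Returns 0 when the mode is sane, 1 when writable by others, 2 if missing.
audit_passwd_mode() {
    f="${1:-/etc/passwd}"
    [ -f "$f" ] || return 2
    if [ -n "$(find "$f" -perm -002 -print)" ]; then
        echo "WORLD_WRITABLE $f"
        return 1
    fi
    return 0
}

# Run against the constructed sample; on a real host pipe /etc/passwd instead.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd_entries
audit_passwd_mode /etc/passwd && echo "OK /etc/passwd is not world-writable"
```

On the sample this reports HASH_IN_PASSWD and EXTRA_UID0 for "dope" and nothing for the other entries.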
Special Thanks to : VulnHub :) <3
Follow me on twitter : https://twitter.com/Indi_g34r
So I didn't use meterpreter... and I got hung.. I ended up doing this:
echo "ZG9wZTokMSRNYW1OcEt4WCQveklKaGM3NUMwTzl6UnJUeHhHWUIvOjA6MDp0ZXN0Oi9yb290Oi9iaW4vYmFzaA==" | base64 -d >> /etc/passwd