Vuln Upload – Writeup

Details

This machine is https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/

Recon Phase

This machine was located on ip 192.168.56.3 so I fired up nmap to do a service detection

root@kali:~# nmap -sV 192.168.56.3
Nmap scan report for 192.168.56.3
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.86 seconds

Flag Hunting

For this machine the first thing I did was setup dirbuster to look for files

Screenshot 1

The 1st flag is : {8734509128730458630012095}

And waited for it to complete

Screenshot 2

There was an interesting url called /flag, so I navigated to http://192.168.56.3/flag to see what I could find and was presented with

Screenshot 3

As I saw nothing else useful at this point I tried dirbuster again with a different wordlist

Screenshot 4

And once that finishes I can see it paid off

Screenshot 5

The section called admin_area the next place I go to at http://192.168.56.3/admin_area

Screenshot 6

This looks pretty underwhelming, but I checkout the source and find something useful

Screenshot 7

The 2nd flag is : {7412574125871236547895214}

So I now have the second flag, and some creds. First I try these creds for ssh

root@kali:~# ssh admin@192.168.56.3

I try 3v1l_H@ck3r as the password

Permission denied, please try again.

The creds aren't for ssh, so I instead try them on the login page found by dirbuster

Screenshot 8

Now on a page I can upload files to, I decide to test it by uploading a picture

Screenshot 10

A success message popped up, but no indication of where the file ended up, without knowing where it goes, any exploit I upload is useless. I then check dirbuster and see it found a section called /uploaded_files so I try navigating to http://192.168.56.3/uploaded_files/cat.jpg

Screenshot 11

So I know know where the file ends up, I decide to see if I can upload a webshell. So I upload /usr/share/webshells/php/simple-backdoor.php, which comes back as success. I then attempt to access it by navigating to http://192.168.56.3/uploaded_files/simple-backdoor.php

Screenshot 12

This means I have a working webshell, to confirm I try http://192.168.56.3/uploaded_files/simple-backdoor.php?cmd=id

Screenshot 13

This means confirmed webshell, and now I know I am running as www-data, next I want to get a list of users so I go to http://192.168.56.3/uploaded_files/simple-backdoor.php?cmd=cat+/etc/passwd

Screenshot 14

Here I spot a user called technawi, this looks like a good potential takeover target as they have /bin/bash. But I have no way to get them at the moment, so I start exploring the file system going to http://192.168.56.3/uploaded_files/simple-backdoor.php?cmd=ls+../

Screenshot 15

A file called hint.txt instantly catches my attention so I go to http://192.168.56.3/hint.txt

Screenshot 16

The 3rd flag is : {7645110034526579012345670}

So now I have the 3rd flag, and a hint that technawi is my target. For a while I explore various directories with the webshell using ls -la to look for hidden files. But I don't find them, and I eventually decide to look in other ways. Eventually I try using grep to search for all references to technawi. I check various places until eventually I try http://192.168.56.3/uploaded_files/simple-backdoor.php?cmd=grep+-rn+'technawi'+/etc This bit had stumped me for a while as the reference to hidden files confused me into looking for actual hidden files, not files which had been hidden within the filesystem

Screenshot 17

The file called credentials.txt catches my attention and I decided to view it http://192.168.56.3/uploaded_files/simple-backdoor.php?cmd=cat+/etc/mysql/conf.d/credentials.txt which gives me

The 4th flag is : {7845658974123568974185412}
username : technawi
password : 3vilH@ksor

So now I have the 4th flag and some creds, I try these in ssh, using 3vilH@ksor as the password when prompted

root@kali:~# ssh technawi@192.168.56.3
technawi@Jordaninfosec-CTF01:~$

So I have ssh access, time to cat the flag.txt file found earlier

technawi@Jordaninfosec-CTF01:~$ cat /var/www/html/flag.txt
The 5th flag is : {5473215946785213456975249}
Good job :)
You find 5 flags and got their points and finish the first scenario....

And with the 5th flag gained, this machine is done

Leave a Reply

Your email address will not be published. Required fields are marked *