CTF - JIS



Back and attempting another CTF. Stumbled across this CTF which should take around 1.5 hours to complete.

RECON

To find the target's IP address, I ran netdiscover -r 192.168.56.0/24. I found that the IP address of the victim machine is 192.168.56.3.

The next step is to find out which ports are open so I can look further into this. I typed in nmap -sV -p- 192.168.56.3 -T4 > nmap.log.

I ran cat nmap.log to see the results. From the results, I can see that there are 2 ports open: port 22 and port 80.
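Reading the port table out of nmap.log by eye is fine for two ports, but it helps to have the rows in a structured form when the list gets longer. The following is an added example, not anything from the write-up or from nmap itself: it parses the port table of an nmap -sV text report into records. The SAMPLE_NMAP_LOG text is constructed to resemble the scan described here (ports 22 and 80 open); the banners, version strings and timings in it are made up.

```python
"""Parse the port table from an nmap -sV text report.

Added example, not the CTF's own scan output: SAMPLE_NMAP_LOG is constructed
to resemble the write-up's scan (two open ports, 22 and 80); the banners,
version strings and timings are invented.
"""
import re

SAMPLE_NMAP_LOG = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 192.168.56.3
Host is up (0.00042s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.10 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds
"""

# One row of nmap's port table: "<port>/<proto> <state> <service> [version...]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


def parse_nmap_log(text):
    """Return (host, services); services is one dict per port row, in the
    order nmap printed them."""
    host = None
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        h = HOST_LINE.match(line)
        if h:
            host = h.group("host")
            continue
        m = PORT_LINE.match(line)
        if m:
            services.append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return host, services


def open_ports(services):
    """Port numbers whose state is exactly 'open' (filtered ports excluded)."""
    return [s["port"] for s in services if s["state"] == "open"]


if __name__ == "__main__":
    host, services = parse_nmap_log(SAMPLE_NMAP_LOG)
    print(f"{host}: open ports {open_ports(services)}")
    for s in services:
        print(f"  {s['port']}/{s['proto']} {s['service']} {s['version']}")
```

Point it at a real nmap.log with parse_nmap_log(open("nmap.log").read()); the version column is what tells you whether a listening service is worth a closer look, which is why it is kept as a separate field rather than discarded.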

Since port 80 is open, I decided to visit the website through Firefox. I opened 192.168.56.3 in the browser and can see that there is a username and password page.

Viewing the page source didn't give me anything that I wanted. I need to look deeper into this, so I decided to use dirb to see if there were any directories on the site that I could use.

DIRB

I typed in dirb http://192.168.56.3 > dirb.txt. After this, I ran cat dirb.txt to see the results of the scan.

From the results, there are a couple of directories that I can have a look at.

FLAG 1

I browsed to 192.168.56.3/flag and managed to get the first flag!!

Let's have a look at 192.168.56.3/admin_area.

Nothing interesting here, so I decided to have a look at the page source to see if there is anything I can use.

FLAG 2

By looking at the source code, I was able to see the 2nd flag and also a username and password. Let's put this username and password into the login page. This might be a bit too easy!

WEBSITE

After entering the username and password, I was able to get into the website. Now the website presents me with a file upload section.

This looks like something I have done before, so I will go ahead and upload a PHP reverse shell script, run a netcat listener on my Kali machine, and execute the PHP script.

REVERSE SHELL PHP SCRIPT

I had already configured the script and successfully uploaded it. Once uploaded, I set up a netcat listener by typing in netcat -nvlp 8008, then executed my script by going to http://192.168.56.3/uploaded_files/php-reverse-shell.php.
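The whole chain here depends on two things: the upload form accepting a .php file, and the web server executing PHP out of the upload directory. The following is an added example written from the defender's side, not code from the CTF application: validate_upload shows the checks an upload handler needs so a script like this is rejected, and find_upload_dir_script_hits shows how the request that triggered the shell would look in an access log. The allowlist, the stored-name scheme and the log lines are constructed; the /uploaded_files/ path is taken from the URL above, and the client address 192.168.56.1 is a made-up LAN host.

```python
"""Why the upload worked, and how to reject and detect it.

Added example; none of this is the CTF application's code. The extension
allowlist, stored-name scheme, and access-log lines are constructed. The
upload directory /uploaded_files/ is the one visible in the write-up's URL.
"""
import re
import secrets
from pathlib import PurePosixPath

# Extensions the application genuinely needs, each with the magic bytes its
# content must start with. The vulnerable form accepted anything, including
# .php, which is exactly what let php-reverse-shell.php run.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename, content):
    """Return (True, stored_name) or (False, reason).

    Rejects path components, a script extension anywhere in the name
    (shell.php.png), extensions outside the allowlist, content whose magic
    bytes do not match the extension, and images carrying a PHP open tag.
    The stored name is random, so the client never controls it.
    """
    base = PurePosixPath(filename).name
    if base != filename or base in ("", ".", ".."):
        return False, "filename contains path components"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    if SCRIPT_EXTS.intersection(parts[1:]):
        return False, "script extension present"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared type"
    if PHP_TAG.search(content):
        return False, "embedded PHP tag"
    return True, f"{secrets.token_hex(16)}.{ext}"


# Constructed Apache-style access log lines (not the CTF machine's real log).
SAMPLE_ACCESS_LOG = """\
192.168.56.1 - - [01/Jan/2024:10:00:01 +0000] "POST /upload.php HTTP/1.1" 200 512
192.168.56.1 - - [01/Jan/2024:10:00:07 +0000] "GET /uploaded_files/php-reverse-shell.php HTTP/1.1" 200 0
192.168.56.1 - - [01/Jan/2024:10:00:09 +0000] "GET /uploaded_files/avatar.png HTTP/1.1" 200 4096
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)
SCRIPT_REQUEST = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)


def find_upload_dir_script_hits(log_text, upload_dir="/uploaded_files/"):
    """Requests for script-looking files under the upload directory.
    A 200 here means the server executed user-supplied content, not merely
    served it as a download."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith(upload_dir) and SCRIPT_REQUEST.search(path):
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    print(validate_upload("php-reverse-shell.php", b"<?php /* ... */ ?>"))
    print(validate_upload("avatar.png", ALLOWED["png"] + b"\x00" * 16))
    for hit in find_upload_dir_script_hits(SAMPLE_ACCESS_LOG):
        print("upload-dir script request:", hit)
```

The validator is the application-level fix; the server-level fix is to make the upload directory non-executable (no PHP handler for that path), so that even a file that slips past validation is served as bytes rather than run. The log check is the detection you would wire into alerting for that directory in the meantime.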

Awesome! Now that I have a reverse shell connected, let's see what we can find.

FLAG 3

It took me a while, but I looked around the system to see what I could find. Not much, but one interesting place was /var/www/html.

In this directory, I can see a couple of interesting files. I tried to cat flag.txt, but I do not have permission to read the file. However, there is another file called hint.txt.

I ran cat hint.txt and was able to obtain the 3rd flag!! There is also another hint which states that the password for the technawi user is hidden.

FLAG 4

After countless hours of trying to find the hidden file with different Linux commands, I tried the command grep -ri flag /etc/.

The highlighted section shows what looks like credentials in a text file. I ran cat on it and was able to retrieve the password!! This took ages, as I thought the file was actually hidden, and I was researching everything I could about Linux hidden files. In the end, it wasn't hidden at all; it was only "hidden" in the sense that it sat in a directory I hadn't thought to look in.
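What made this step possible was not a hidden file but a plaintext password in a file any local user could read, which the web server account reached with a single recursive grep. The following is an added example from the defender's side, not something from the CTF: it audits a directory tree for credential-looking assignments and reports whether each file is world-readable, so the finding above would show up in a routine check before anyone else found it. The sample tree, its file names, contents and the password value in it are all constructed in a temporary directory; nothing on the real system is touched.

```python
"""Audit a config tree for credential-like strings in world-readable files.

Added example, a defender-side check rather than anything from the CTF. The
sample tree is built in a temporary directory; every file name, content and
password value in it is made up.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# key<sep>value forms such as "password = ...", "api_key: ...", "PASSWD=...".
CRED_PATTERN = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+",
    re.IGNORECASE,
)


def audit_tree(root):
    """One finding per matching line: path relative to root, line number,
    and whether the file's mode lets any local user read it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        mode = path.stat().st_mode
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # not readable by the auditing account; skip
        for lineno, line in enumerate(text.splitlines(), 1):
            if CRED_PATTERN.search(line):
                findings.append({
                    "path": path.relative_to(root).as_posix(),
                    "line": lineno,
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return findings


def high_risk(findings):
    """Findings that any unprivileged local account (for example a compromised
    web server user) could read directly."""
    return [f for f in findings if f["world_readable"]]


def build_sample_tree():
    """Create a constructed /etc-like tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="cred-audit-"))
    files = {
        # world-readable credential file: what a recursive grep turns up
        "etc/mysql/conf.d/credentials.txt": (
            "user = example\npassword = ExamplePass123\n", 0o644),
        # credential present but locked down to its owner
        "etc/app/secret.conf": ("api_key=constructed-not-real\n", 0o600),
        # mentions the word but is not a credential assignment
        "etc/login.defs": (
            "# PASS_MAX_DAYS controls the password policy\nPASS_MAX_DAYS 99999\n", 0o644),
    }
    for rel, (content, mode) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in audit_tree(sample_root):
        flag = "WORLD-READABLE" if f["world_readable"] else "owner-only"
        print(f"{f['path']}:{f['line']}  {flag}")
```

Run audit_tree("/etc") as an unprivileged account to see exactly what such an account can reach; the high_risk subset is the one to fix first, either by moving the secret out of the file or by tightening the mode. The pattern deliberately requires a separator after the keyword so that policy text mentioning "password" does not drown the real hits.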

Let's use the password that we found. I typed in su technawi and it complains that I need to have a terminal running.

Let's spawn a TTY shell with Python so I can use su/sudo to elevate privileges.

Now let's see if we can change user by typing in su technawi and entering the password 3vilH@ksor.

Works!! Feeling pretty good!! Let's go back into that directory, /var/www/html.

FLAG 5

GOT IT!! Looks like that's the end of the CTF!!

LESSONS LEARNED

I'm going to try something more difficult next CTF. Until next time.
