I’m trying out another beginner friendly CTF. This one is called Simple CTF (I really hope so).
To obtain root on the Victim Machine.
Both my Attacking Machine and Victim Machine is running in parallel via Host only adapter. This creates a separate network which is only connected to the host, thus causing an isolated virtual network. It also means that the VM’s have their own separate network. No external nodes are able to interact with the VM.
To find out what the IP address of the Victim Machine, I typed in netdiscover -r 192.168.56.0/24 (I’m really liking netdiscover, I think I may choose another scanning device next CTF). From the results, I can see that the Victim Machine is on 192.168.56.4
Now I want to see which ports are open so I can see if which attack vectors I can exploit on this machine. To do this, I typed in the command nmap -sC -sV -oA nmap 192.168.56.4. The results of nmap is below.
Interesting points to take into consideration from the results:
I don’t know what this is so I did some research. I also found out that there is a known Vulnerability in which we can perform a remote file upload by intercepting/changing the extension on the uploaded file. This is the attack I will be using, however I will be using this after when I have finished my recon.
1 - Sign up for New User
2 - Log In
3 - Go to Personal options http://www.target.com/cutenews/index.php?mod=main&opt=personal
4 - Select Upload Avatar Example: Evil.jpg
5 - use tamper data & Rename File Evil.jpg to Evil.php
-----------------------------2847913122899rnContent-Disposition: form-data; name="avatar_file"; filename="Evil.php"r
6 - Your Shell : http://127.0.0.1/cutenews/uploads/avatar_Username_FileName.php
I downloaded the exploit and saved it.
I want to see if there are any vulnerabilities within this website. So I will use nikto. I type the command nikto -host 192.1168.56.4. I am using another scanner called dirb which is a web content scanner. I typed in dirb http://192.168.56.4. Both of the results are below. From what I have gathered, dirb has given me much more content to work with.
Information gathered — There are directories that I can browse to:
I have opened up Firefox and entered the IP address which presented a login screen. I have signed up for a new user named cuong with my own password. From here I have clicked on Personal Information, and seems as though I can upload an avatar.
Reviewing the instructions above, I need to upload the payload as an image file. From there, I will need to intercept the request, and change the extention to .php.
I opened the .php file using VIM and changed the IP address and the PORT required, then saved it. The IP address is the Kali machine. In this case, it is 192.168.56.5:6969
Now, I need to rename the file to evil.php to evil.jpg
Now I need to upload the evil.jpg onto the avatar section of the website.
Before I click on OK, I need to Open the Tamper Data section of Firefox, then Start the Tamper. This will then intercept the request.
After I click on OK in the Upload section, Tamper data gives me a request asking me if I want to tamper this data.
I click on Tamper, and it provides me with a section in which I can modify the POST data. It is pretty small here, so I copy the contents of the POST data, and add it to Leafpad. Next, I press ctrl+F to find “evil”. As you can see, it is evil.jpg. I need to change it to evil.php.
I press ctrl+a, and copied the whole lot, and pasted the contents of it back into the Tamper Data POST section, and pressed OK. To confirm if I have uploaded this correctly, I can browse to 192.168.56.4/uploads and can see that it has succesfully uploaded with the correct tampered extention.
To execute the payload, I need to click on on the hyperlink. But first, I need to launch terminal and put in the command netcat -nvlp 6969. What this does is that it tells netcat to listen on any requests on port 6969. 6969 is the port I chose when editing the .php file earlier.
Now that I have set up a listener, I click on the php payload and able receive a request! I now have shell access.
From my experience, I drop the code:
python -c ‘import pty; pty.spawn(“/bin/bash”)’
Lets see the ID and what type of server this is
I can see that this is running Ubuntu 14.04.1 with a Kernal 3.16. After researching online, I have found an exploit that I can upload. Firstly I need to download the exploit to /var/www/html.
Once this has been downloaded, I then start apache http server, so I can upload this exploit into my shell. I do this by typing in systemctl start apache2
Once confirmed, I go back into my shell, go to my /tmp folder and download the exploit from my host computer using the IP address of the Kali linux box.
Reviewing the instructions in the source link, it states that I need to compile this exploit by:
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
So I substitute what I could and typed in:
After this has been completed, the instructions led me to type in id, and then run the exploit, so I did.
Looks like it worked!! This was a hard one. Able to get root access, now all I need to do was to locate /root folder and cat the flag.