My first boot2root beginner's challenge, taken from here: JIS-CTF: VulnUpload from vulnhub.com.
First we start with an nmap scan:
# Nmap 7.60 scan initiated Sat Mar 10 13:13:04 2018 as: nmap -sV -sC -oN jordan.txt 192.X.X.X
Nmap scan report for Jordaninfosec-CTF01.fritz.box (192.X.X.X)
Host is up (0.00015s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| / /backup /admin /admin_area /r00t /uploads
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 10 13:13:11 2018 -- 1 IP address (1 host up) scanned in 7.18 seconds
Flag 1
The nmap scan already reveals a lot of information. The first flag can be found under the url http://[jordan vm]/flag:
The 1st flag is : {8734509128730458630012095}
Flag 2
Under the url http://[jordan vm]/admin_area the second flag is hidden in the source code together with the credentials for the main login page:
username : admin
password : 3v1l_H@ck3r
The 2nd flag is : {7412574125871236547895214}
Flag 3
Behind the login is a file upload page which doesn't check the uploaded content (only its size). I've uploaded a weevely PHP shell and gained access to the VM as user www-data.
In the /var/www/html directory there are two more interesting files: hint.txt and flag.txt. The latter isn't readable by our current user, but the first one is:
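To show what a size-only check like the one on this upload page misses, here is an added example (my own code, not the VulnUpload app's) of that pattern next to a hardened handler. The document root /var/www/html is the one on the challenge VM; the storage directory /var/uploads and the 2 MB limit are assumptions.

```php
<?php
// Added example, not the challenge's own upload code.
// Vulnerable pattern: only the size is checked, so a .php file lands under the
// Apache document root and is executed on the next request to it.
function upload_size_only(array $f): bool
{
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > 2 * 1024 * 1024) {
        return false;
    }
    // Client-chosen name, stored inside the web root: this is the weakness.
    return move_uploaded_file($f['tmp_name'], '/var/www/html/uploaded_files/' . $f['name']);
}

// Hardened pattern: allow-list the extension, verify the MIME type from the
// file bytes (not the client-supplied 'type' field), discard the client file
// name, and store outside the document root so the web server never executes
// anything that was uploaded. Returns the stored path or null on rejection.
function upload_hardened(array $f): ?string
{
    $allowed = [
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
    ];
    if ($f['error'] !== UPLOAD_ERR_OK || $f['size'] > 2 * 1024 * 1024) {
        return null;
    }
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null; // .php, .phtml, .htaccess etc. are rejected here
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null; // content does not match the claimed image type
    }
    // Server-chosen random name in a directory Apache does not serve (assumed path).
    $dest = '/var/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

if (isset($_FILES['file'])) {
    $stored = upload_hardened($_FILES['file']);
    echo $stored === null ? "Upload rejected\n" : 'Stored as ' . basename($stored) . "\n";
}
```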
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)
The 3rd flag is : {7645110034526579012345670}
Flag 4
This one took me quite a while. I didn't find the file and dunno if it was misleading that it wasn't a hidden file in the Linux sense. After a lot of searching I used a simple grep -ri flag /etc/, which reveals the file /etc/mysql/conf.d/credentials.txt:
The 4th flag is : {7845658974123568974185412}
username : technawi
password : 3vilH@ksor
Flag 5
With the above credentials we can log into the box via ssh as user technawi and read flag.txt in the /var/www/html directory:
The 5th flag is : {5473215946785213456975249}
Good job :)
You find 5 flags and got their points and finish the first scenario....
And as a side note, the hidden file .sudo_as_admin_successful in the home directory of technawi reveals that the user technawi can sudo to root.
That's all folks. Since this is my first CTF boot2root challenge, is it okay that I list the flags here? If not, please comment and I'll remove them. Thanks.