CTF: VulnNet
In this CTF we'll be taking advantage of Linux and PHP misconfigurations and local file inclusion (LFI). To start off, I'm going to run an Nmap scan followed by a directory scan. We know from the start that there will be a web server, so we'll dive right in and see what we can dig up.
The Nmap scan found ports 22 and 80 open. The directory scan showed nothing out of the ordinary, just the /img, /js and /css directories.
I opened the site in a browser and looked at the page source. At the end of the source there are two JS scripts. I looked at them individually in the /js directory: one of the scripts reveals a subdomain, and in the other we find a referer link. We will investigate both.
Ok, so it looks like we can take advantage of local file inclusion to enumerate users so that later I can try to brute-force the HTML login. Running "curl https://vulnnet.thm/index.php?referer=/etc/passwd" confirms that LFI works, but it did not reveal any usernames. We know there is an Apache server, so we can look for its config file to enumerate further. I wasn't sure which directory to look in, so I searched Google and tried several different paths. This was a bit of a time sink, but I found a tutorial on the DigitalOcean website about setting up Apache virtual hosts which showed that the config file is stored in "/etc/apache2/sites-enabled/000-default.conf". This took forever, but this is how you learn, so I added the information to my notes and soldiered on.
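As an added defensive example (not part of the original write-up), the following Python script scans constructed Apache access-log lines for the kind of LFI probing shown above, flagging parameter values that are absolute paths to sensitive files, directory traversal, or PHP stream wrappers. The two files read in this write-up are on the list; the other prefixes and the wrapper list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# /etc/passwd and the Apache vhost config are the two files read in this write-up;
# the other prefixes are common LFI probe shapes (assumed, not from the page).
SENSITIVE_PREFIXES = ("/etc/passwd", "/etc/shadow", "/etc/apache2/", "/proc/self/")
STREAM_WRAPPERS = ("php://", "file://", "data://")

def lfi_indicators(value):
    """Return the reasons a single query-parameter value looks like a file-inclusion probe."""
    v = unquote(value).lower()  # parse_qsl already decoded once; decode again for %252e%252e
    reasons = []
    if "../" in v or "..\\" in v:
        reasons.append("traversal")
    if any(v.startswith(p) for p in SENSITIVE_PREFIXES):
        reasons.append("absolute-path")
    if any(v.startswith(w) for w in STREAM_WRAPPERS):
        reasons.append("php-wrapper")
    return reasons

def scan_log(lines):
    """Return (ip, parameter, value, reasons) for every request carrying a suspicious parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
            reasons = lfi_indicators(value)
            if reasons:
                hits.append((m["ip"], name, value, reasons))
    return hits

# Constructed sample lines (not captured from the real box): two mirror the write-up's requests,
# one is a URL-encoded traversal, and the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?referer=/etc/passwd HTTP/1.1" 200 2311 "-" "curl/7.81.0"
10.0.0.5 - - [10/Oct/2023:13:57:01 +0000] "GET /index.php?referer=/etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1604 "-" "curl/7.81.0"
10.0.0.9 - - [10/Oct/2023:14:02:11 +0000] "GET /index.php?referer=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Oct/2023:14:05:40 +0000] "GET /index.php?referer=https://vulnnet.thm/ HTTP/1.1" 200 7122 "https://vulnnet.thm/" "Mozilla/5.0"
192.168.1.21 - - [10/Oct/2023:14:06:02 +0000] "GET /css/style.css HTTP/1.1" 200 1203 "https://vulnnet.thm/" "Mozilla/5.0"
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` reports the first three requests and leaves the two benign ones alone; in practice the hits are what you would forward to alerting, keyed on the source IP and the parameter name.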
It looks like we have an AuthUserFile to investigate.
We find a login name and a password hash, which we'll crack.
Cracking the hash with John the Ripper reveals the password.
Going to broadcast.vulnnet.thm and logging in with those credentials brings us to a ClipBucket page. I will create an account and go on from there.
I created an account but couldn't find any exploitable surface from that angle, so I went to Exploit-DB to see if there were any known vulnerabilities for ClipBucket v4.0. There are some serious ones, "ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection", and we will take advantage of the file upload to upload a reverse shell. *Credit to www.sec-consult.com.
After uploading the .php file we navigate to the directory and file specified and trigger the shell, catching it with netcat.
I tried to access the server-management directory but did not have permission. So, I searched for files and folders that may be accessible/writeable and discovered this ssh backup file. I started a server and downloaded that file to my attack machine to authenticate via ssh.
I tried to log in with the id_rsa via SSH, but it turned out that a passphrase for the key is required. I then used ssh2john and john to recover the key's passphrase.
I then logged in via SSH and searched the users home directory revealing the contents of the user flag.
I uploaded linpeas to the /tmp folder to do a quick scan for possible privilege-escalation vectors, and the only thing that looked interesting was a cron job running a backup script.
We do not have permission to write to the file, so we have to find another way. I spent some time googling and used a previous walkthrough and GTFOBins to help me break this barrier. *Credit to Aldeid and GTFOBins.
We will set up a netcat listener and a reverse shell that gets executed with root privileges when the cron job is triggered.
After the shell is triggered, we receive root privileges and can capture the root flag.
Technical Writer and Business Analyst at SecuriGence | Security+ Certified
2 years: Awesome write-up! This is a little beyond my current skillset, but I'm motivated to continue learning and can't wait to tackle similar CTFs soon.