Tuesday, 16 August 2016

Breach 2 challenge

"Second in a multi-part series, Breach 2.0 is a boot2root/CTF challenge which attempts to showcase a real-world scenario, with plenty of twists and trolls along the way."


Good, we can see that there is no NFS behind RPC. Let's check SSH.

Hmmm, a blog? The scanning phase did not discover an HTTP port. Let's try the password inthesource with the SSH username peter.

Excellent! Port 80 is now open! As far as I know, Apache 2.4.10 does not have a dedicated publicly known exploit, so let's examine the web application (the blog).

OK, the source code doesn't contain credentials or anything like that, only a hint that the web application administrators do not trust users. We know two exploits for the BlogPHP CMS: stored XSS and remote privilege escalation. The second is more interesting to me.
Unfortunately it does not work, so let's try the XSS exploit.

We are probably on the right track.

Good! We have got the administrator's cookies. I tried to use the stolen credentials, but without success... Let's look at the Firefox version: 15.0. It is so old.
Let's look for an exploit. BINGO: CVE-2013-1710!

Great! We have got a limited shell! Let's upgrade it to a Meterpreter session.

So, good! I have got a shell and ran netstat -antp to find what kind of services are running on the victim machine. Port 2323 is listening, so I decided to perform remote port forwarding to my port 7777 and

Hmmm, strange... But the numbers indicate Houston, Texas (USA). Maybe it is a password for milton, peter, bill or blumbergh? Let's try. It works for milton! I ran netstat -antp again and there is an interesting port, 8888, so again, let's perform remote port forwarding!

Good! Let's browse it. BINGO!

OK, let's click on the oscommerce link.

Very good, dirb found the admin panel, but the credentials we stole using SQL injection don't work there. However, admin:admin works!

Nice! I have found the File Manager.

So, let's try to upload a reverse shell. To do this we have to find a writable directory. BINGO! The work directory is writable. I have uploaded the reverse shell script and

Excellent! Now we have to use tcpdump to get a root shell. I found a great article about it.
I followed it step by step and obtained a reverse ROOT shell.

Unfortunately the /root/flag.txt file does not exist, so let's locate the flag file.

Game over!

This challenge was extremely amazing!

Thursday, 11 August 2016

Loophole challenge


"We suspect that someone inside Rattus labs is working with a known terrorist group. Your mission is to infiltrate their computer network and obtain an encrypted document from one of their servers. Our inside source has told us that the document is saved under the name of Private.doc.enc and is encrypted using the OpenSSL encryption utility. Obtain the document and decrypt it to complete the mission."


We can play with the Samba server, the web application and SSH.

Web application

Hmmm, nothing special. If you click on the here link, you get a page which contains several email addresses.
So, I decided to run Dirb.

Good, the most interesting findings for me are ~root, garbage and info.php.
Unfortunately we don't have enough privileges to view the ~root directory, but the garbage file is very attractive for us!

Something like a shadow file, isn't it?
Let's try to crack it!

Great! So, let's try to log in via SSH.

Excellent! So, we have to find the Private.doc.enc file and decrypt it!

OK, so let's decrypt it! Maybe .bash_history contains juicy information for us, since the tskies user encrypted the Private.doc file.

Good, we know the command which encrypted the Private.doc file.
I decrypted the file and it turns out to be the engineers' confidential doc :-)

Game over

Wednesday, 10 August 2016

pWnOS v2

The second (and latest) version of the pWnOS challenges.

22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 85:d3:2b:01:09:42:7b:20:4e:30:03:6d:d1:8f:95:ff (DSA)
|   2048 30:7a:31:9a:1b:b8:17:e7:15:df:89:92:0e:cd:58:28 (RSA)
|_  256 10:12:64:4b:7d:ff:6a:87:37:26:38:b1:44:9f:cf:5e (ECDSA)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
|_http-server-header: Apache/2.2.17 (Ubuntu)
|_http-title: Welcome to this Site!

OK, as always let's start from the web application.

OK, let's try to register on the web application. DirBuster also found a blog directory.

Good, in the source code I discovered that this is Simple PHP Blog 0.4.0. As far as I know, an effective exploit exists for it.
I used the exploit to change the blog credentials to ones known to me and logged in. Then I uploaded a PHP backdoor and executed it from the images directory.
Once I had a limited shell I found the MySQL connection PHP file, which contains valid credentials for the database root user. I reused these credentials and got a root shell on the system.

Game over!

Tuesday, 9 August 2016

pWnOS 1

"It's a linux virtual machine intentionally configured with exploitable services to provide you with a path to r00t. :) Currently, the virtual machine NIC is configured in bridged networking, so it will obtain a normal IP address on the network you are connected to. You can easily change this to NAT or Host Only if you desire. A quick ping sweep will show the IP address of the virtual machine."


Good, let's start from HTTP on port 80 and then HTTP on port 10000.
The default web page looks as below.

OK, so let's click on the Next button.

Hmmm, I don't know what it is, but it is some kind of help page. Let's run DirBuster.

I tried to log in to the phpMyAdmin panel using default credentials, but without success.
Let's try to do something with HTTP on port 10000.

I also tried to log in using default credentials, without success as well. We know that Webmin has several known exploits, so let's try some of them.
BINGO! I have found CVE 2017.

Now we have all lines of the /etc/passwd file. Let's try to display the /etc/shadow file.

Awesome! We can run John the Ripper now! Unfortunately it takes a lot of time, too much for me.
I had no idea what to do next, so I decided to do some research on the OpenSSH version and I saw (unfortunately in part of another solution) that it is vulnerable to CVE-2008-0166.

Great! So, we have to find some way to escalate our privileges. I have found an effective exploit and...

Game over!

Second attack scenario.
We can also get a limited shell via Samba. So, we have to read /etc/samba/passdb.tdb and decrypt the password for the vmware username. After that we will be able to crack the password (we will get h4ckm3). Now we can log in to the //UBUNTUVM/home share using Samba and get the SSH public key from the home directory.

PwnLab init challenge


"Welcome to "PwnLab: init", my first Boot2Root virtual machine. Meant to be easy, I hope you enjoy it and maybe learn something. The purpose of this CTF is to get root and read the flag."

So, let's play with it.
Nmap scanning phase:
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          40309/udp  status
|_  100024  1          42225/tcp  status
3306/tcp  open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 53
|   Version: .5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Speaks41ProtocolOld, Support41Auth, LongPassword, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, IgnoreSigpipes, InteractiveClient, ODBCClient, SupportsTransactions, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, FoundRows, ConnectWithDatabase, LongColumnFlag
|   Status: Autocommit
|_  Salt: BWnFSNkP0;xm:veu@|p=
42225/tcp open  status  1 (RPC #100024)

As always, let's start from the web application.
The default web page looks like some kind of administrator panel.

We must be logged in if we want to upload a file. Let's try to do something with the page parameter.

Great! So, let's try to read something like a config.php file.

Excellent! We have retrieved MySQL credentials! Let's verify them.

Great! We have got three sets of credentials, probably for our web application.
These passwords look like base64-encoded strings.
Valid credentials:
Before logging in as one of the three users, let's examine what the upload.php file looks like.
<?php
// upload.php from the PwnLab VM as recovered from the page; the closing braces and
// PHP open/close tags were lost in extraction and are restored here without changing
// behaviour. $_SESSION is expected to be populated by the page that includes this file.
if (!isset($_SESSION['user'])) { die('You must be log in.'); }
?>
        <form action='' method='post' enctype='multipart/form-data'>
            <input type='file' name='file' id='file' />
            <input type='submit' name='submit' value='Upload'/>
        </form>
<?php
if(isset($_POST['submit'])) {
    if ($_FILES['file']['error'] <= 0) {
        $filename  = $_FILES['file']['name'];
        $filetype  = $_FILES['file']['type'];   // client-supplied Content-Type
        $uploaddir = 'upload/';
        $file_ext  = strrchr($filename, '.');   // extension taken from the client's filename
        $imageinfo = getimagesize($_FILES['file']['tmp_name']);
        $whitelist = array(".jpg",".jpeg",".gif",".png");

        if (!(in_array($file_ext, $whitelist))) {
            die('Not allowed extension, please upload images only.');
        }

        if(strpos($filetype,'image') === false) {
            die('Error 001');
        }

        // The decoded image must report one of the allowed MIME types.
        if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/png') {
            die('Error 002');
        }

        if(substr_count($filetype, '/')>1){
            die('Error 003');
        }

        // Stored name is md5(original name) plus the whitelisted extension.
        $uploadfile = $uploaddir . md5(basename($_FILES['file']['name'])).$file_ext;

        if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)) {
            echo "<img src=\"".$uploadfile."\"><br />";
        } else {
            die('Error 4');
        }
    }
}
?>

OK, we can see that we have to use the gif, jpg, jpeg or png extension. I tried many times to upload some PHP code, but without success... Probably the upload functionality has been implemented correctly (securely).
Let's examine the index.php file (I don't have any more ideas).
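The checks above only establish that the upload decodes as an image with an allowed extension; they do not change its bytes, so a valid PNG that also carries PHP source is accepted and stored under the web root as-is. That is harmless until something includes the file. The following is an added example, not PwnLab's upload.php, of the handler a defender would write: the type comes from the decoded image rather than the client's filename or Content-Type, the picture is re-encoded with GD so anything hidden in metadata or appended after the image data is discarded, the stored name is random, and the file goes to a directory outside the web root. The store directory, the image.php serving script and its path are assumptions.

```php
<?php
// Added example (not PwnLab's code): stricter image upload handling.
// $storeDir is an assumed path chosen by the caller and must be outside DocumentRoot.

function store_image_upload(array $file, string $storeDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Detect the real type from content; getimagesize() ignores the extension
    // and the client's Content-Type header entirely.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('Not an image');
    }
    $codecs = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
    ];
    if (!isset($codecs[$info[2]])) {
        throw new RuntimeException('Unsupported image type');
    }
    [$decode, $encode, $ext] = $codecs[$info[2]];

    $img = @$decode($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Corrupt image');
    }
    if ($info[2] === IMAGETYPE_PNG) {
        // Keep transparency when the PNG is rewritten.
        imagealphablending($img, false);
        imagesavealpha($img, true);
    }

    // Random name; the extension is derived from the decoded type only, so a
    // double extension in the client's filename never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;

    // Re-encoding writes pixel data only: comment chunks, EXIF blocks and any
    // trailing bytes from the uploaded file are not copied into $dest.
    $ok = $encode($img, $dest);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    chmod($dest, 0640);
    return $name;
}

// Usage inside the authenticated upload page (directory and script are assumptions):
//   $name = store_image_upload($_FILES['file'], '/var/lib/pwnlab-uploads');
//   echo '<img src="/image.php?id=' . rawurlencode($name) . '">';
// image.php would only serve names matching /^[0-9a-f]{32}\.(jpg|png|gif)$/ from
// that directory with an image Content-Type, so nothing uploaded is ever executed.
```

Re-encoding is what removes the embedded payload; the random name and the out-of-web-root location are defence in depth so that even a future include bug cannot reach a file at a guessable path. If uploads must stay under the web root, the same effect comes from disabling the PHP engine for that directory (for example `php_admin_flag engine off` in an Apache `<Directory>` block).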
<?php
//Multilingual. Not implemented yet.
if (isset($_COOKIE['lang'])) {
    include("lang/".$_COOKIE['lang']);   // reconstructed from the text: the cookie value goes straight into include()
}
// Not implemented yet.
?>
<title>PwnLab Intranet Image Hosting</title>
<img src="images/pwnlab.png"><br />
[ <a href="/">Home</a> ] [ <a href="?page=login">Login</a> ] [ <a href="?page=upload">Upload</a> ]
<?php
    if (isset($_GET['page'])) {
        include($_GET['page'].".php");   // reconstructed: the page parameter is included the same way
    } else {
        echo "Use this server to upload and share image files inside the intranet";
    }
?>
We can see that lang is handled via an include, so maybe there is an LFI?
BINGO! I removed the PHPSESSIONID parameter and added lang=../../../../../../../etc/passwd.

Great! So, we can upload a png file with an injected PHP script and run it using the LFI and the lang cookie!
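The root cause is that both the lang cookie and the page parameter are concatenated into an include() path. The fix is not to sanitise the string but to stop treating it as a path at all. Below is an added example, not PwnLab's index.php, of the same language and page selection written so that user input is only ever a key into a fixed map; the file names under lang/ are assumptions.

```php
<?php
// Added example (not PwnLab's code): include() targets come from fixed maps,
// never from the request. lang/ file names are assumptions.

const LANGUAGE_FILES = [
    'en' => __DIR__ . '/lang/en.php',
    'es' => __DIR__ . '/lang/es.php',
];
const DEFAULT_LANGUAGE = 'en';

const PAGE_FILES = [
    'login'  => __DIR__ . '/login.php',
    'upload' => __DIR__ . '/upload.php',
];

// Returns the file to include for the requested language, or the default one.
// array_key_exists() is an exact string match: no normalisation, no path logic,
// so "../../../../../../../etc/passwd" simply is not a key and falls through.
function resolve_lang_file(?string $requested): string
{
    if ($requested !== null && array_key_exists($requested, LANGUAGE_FILES)) {
        return LANGUAGE_FILES[$requested];
    }
    return LANGUAGE_FILES[DEFAULT_LANGUAGE];
}

// Returns the file for a routable page, or null for anything not in the map.
function resolve_page_file(?string $requested): ?string
{
    if ($requested !== null && array_key_exists($requested, PAGE_FILES)) {
        return PAGE_FILES[$requested];
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // Quick check from the command line: traversal strings and a path to an
    // uploaded image both fall back to the safe defaults.
    var_dump(resolve_lang_file('../../../../../../../etc/passwd') === LANGUAGE_FILES['en']);
    var_dump(resolve_page_file('../upload/image.png') === null);
} else {
    include resolve_lang_file($_COOKIE['lang'] ?? null);
    $page = resolve_page_file($_GET['page'] ?? null);
    if ($page !== null) {
        include $page;
    } else {
        echo "Use this server to upload and share image files inside the intranet";
    }
}
```

With the map in place the include argument is a constant the application author wrote, so neither traversal sequences nor php:// filter wrappers in the request can influence which file is read. Setting `allow_url_include=Off` and an `open_basedir` in php.ini limits the damage of any remaining include bug elsewhere in the code base.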

Excellent! We have got a limited shell. So, let's try the retrieved credentials to elevate our privileges.
BINGO! We can do that!


Very good. TRY HARDER!

Game over!