Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

HackDay CTF 2016 (Albania)

Location

https://download.vulnhub.com/hackday/HackDay-Albania.ova

Introduction

Hack Day Albania is the event that brings together students passionate about cyber security. This activity is organized for the second consecutive year from ALCIRT with the support of MIAP.

Getting Started

Starting with an nmap scan.

No usable banner information on port 22. Checking the website on port 8008.
[screenshot: website01]
The nmap scan showed a ‘robots.txt’ file. It has a long list of restricted pages.
Because I don’t speak Albanian, I let Google translate the text found on the page: ‘If I am, I know where to go ;)’
After dismissing the pop-up box, Elliot from the show Mr. Robot is visible.
First checking the source code. There is a comment at the bottom: ‘OK ok, but not here :)’
The background picture didn’t have any information in it, so I start with the first entry listed in ‘robots.txt’.
Great….. memes with Albanian text. I hope Google doesn’t mess up the translations and point me in the wrong direction.
The translated text on the meme is: ‘Is this the proper directory. Or is it jerk.’
Right. After checking the second page it seems I’m being trolled. To automate my search a bit, I create a small bash script that cURLs each listed page for me and returns the HTML. If one of the pages is different from the others, the output should show it.

[screenshots: vulnbank01, vulnbank02, vulnbank03]
When entering a single quote, I get the following error.
[screenshot: vulnbank04]
Looks like a SQL injection vulnerability. At first I tried sqlmap, but it couldn’t retrieve the databases. I then searched the internet for information about SQL authentication bypass and found a nice list of bypass strings which I could load into Burp Suite. Unfortunately I couldn’t get this to work either. But the idea of the list sounded good, so I started to probe manually and after some time (a lot), I got in using the string ‘'%1#’.
[screenshot: vulnbank05]
An upload mechanism. First I tried to upload a PHP file containing ‘phpinfo()’.
[screenshot: lfi01]
To bypass the check I change the filename and MIME type with Burp Suite.
[screenshot: lfi02]
When I view the ticket I see that the command is being executed.
[screenshot: lfi03]
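The upload filter above is bypassed by renaming the file and changing its Content-Type in Burp, which works because the server trusts client-supplied metadata. As an added example, not code from the original post or from the CTF VM, here is that weak check in Python beside a hardened one; the ‘Upload’ class, the allowlist and the sample payloads are constructed for illustration.

```python
import os
import secrets
from dataclasses import dataclass

# Allowlisted types: declared MIME type -> (magic bytes, server-chosen extension)
ALLOWED = {
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
}

@dataclass
class Upload:
    filename: str      # name supplied by the client (attacker-controlled)
    content_type: str  # Content-Type supplied by the client (attacker-controlled)
    data: bytes        # file body

def weak_check(up: Upload) -> bool:
    """The kind of filter the post bypasses: it trusts the client-supplied
    extension and MIME type and never looks at the file body."""
    ext = os.path.splitext(up.filename)[1].lower()
    return ext in (".jpg", ".png") and up.content_type in ALLOWED

def strict_check(up: Upload):
    """Hardened filter: the declared type must be allowlisted, the body must
    start with that type's magic bytes, and the stored name is chosen by the
    server (random, extension derived from the verified type), so a client
    name like 'info.php' never reaches the filesystem. Returns the name to
    store under, or None to reject. Store it outside the web root as well."""
    entry = ALLOWED.get(up.content_type)
    if entry is None:
        return None
    magic, ext = entry
    if not up.data.startswith(magic):
        return None
    return secrets.token_hex(16) + ext

# Constructed samples (not from the post): a phpinfo() file as first uploaded,
# the same bytes after renaming and relabelling as in Burp, and a real JPEG header.
PHPINFO_AS_PHP = Upload("info.php", "application/x-php", b"<?php phpinfo(); ?>")
PHPINFO_AS_JPG = Upload("info.jpg", "image/jpeg", b"<?php phpinfo(); ?>")
REAL_JPG = Upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + bytes(16))

if __name__ == "__main__":
    samples = [("as .php", PHPINFO_AS_PHP), ("renamed", PHPINFO_AS_JPG), ("real jpeg", REAL_JPG)]
    for label, up in samples:
        print(label, "weak:", weak_check(up), "strict:", strict_check(up))
```

A body that starts with valid JPEG magic and carries PHP after it still passes the magic-byte test, which is why the server-chosen name and keeping uploads outside the web root matter more than the content check.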
Time for a reverse shell. I use the PHP reverse shell script from pentestmonkey and upload it to the server the same way. From the browser I view the ‘ticket’ and the script gets executed. I have my reverse shell.

Now for some reconnaissance.

So ‘taviso’ is in the sudo group and /etc/passwd is writable.

And that’s it. The last part said: ‘Congratulations, Now begins the report!’ (or at least that’s what Google makes of it).
The flag is an MD5 hash; its plaintext is ‘rio’.
 
THE END
 
