11 April 2021

Pentesting Fun Stuff

following the cyber security path…

HackDay CTF 2016 (Albania)

Hack Day Albania is the event that brings together students passionate about cyber security. This activity is organized for the second consecutive year by ALCIRT with the support of MIAP.

Getting Started

Starting with an nmap scan.

No usable banner information on port 22. Checking the website on port 8008.
The nmap scan showed the use of ‘robots.txt’. It has a long list of restricted pages.
Because I don’t speak Albanian, I need to let Google translate the found text:   If I am, I know where to go;)
After removing the pop-up box, Elliot from the show Mr. Robot is visible.
First checking the source code. There is a comment at the bottom:   OK ok, but not here :)
The background picture didn’t have any information in it, so I start with the first page on the ‘robots.txt’ page.
Great…..Memes with Albanian text. I hope Google doesn’t mess up the translations and point me in the wrong direction.
The translated text on the meme is:   Is this the proper directory. Or is it jerk.
Right. After checking the second page it seems I’m being trolled. To automate my search a bit I create a small bash script to cURL the pages for me and give me back the HTML. If there is a different page, the outcome should tell me.

When entering a single quote, I get the following error.
Looks like a SQLi vulnerability. At first I tried SQLMap, but it couldn’t retrieve the databases. After a while I searched the internet for some information about SQL authentication bypass and found a nice list which I could load up into Burp Suite. Unfortunately I couldn’t get this to work either. But the idea of the list sounded good. So I started to probe it manually and after some time (a lot), I got in using the string   '%1#.
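Why that particular string gets past the login is worth spelling out, because it is not the usual `' OR 1=1` pattern. The MySQL snippet below is an added example, not part of the write-up or the CTF application: the `users` table, the shape of the login query (`WHERE username='$user' AND password='$pass'`) and the assumption that the payload went into the username field are all assumptions, since the page never shows the vulnerable query.

```sql
-- Added example (MySQL): reproducing the '%1# login bypass and the fix.
-- Assumed schema; the real application's table is not shown in the write-up.
CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(64),
  password VARCHAR(64)          -- plaintext only to keep the demo short
);
INSERT INTO users VALUES (1, 'admin', 'secret'), (2, 'elliot', 'mrrobot');

-- Assumed vulnerable query built by string concatenation in the application:
--   SELECT id FROM users WHERE username='$user' AND password='$pass'
-- With $user = '%1#  and $pass = anything, the server receives:
--   SELECT id FROM users WHERE username=''%1#' AND password='anything'
-- Everything after # is a comment, so the password check disappears and
-- what is left is:  WHERE username = ('' % 1)
SELECT id FROM users WHERE username=''%1
;
-- Evaluation, step by step:
--   ''  is cast to the number 0 (MySQL string-to-number coercion)
--   0 % 1 = 0
--   username = 0 forces each username to be cast to a number as well;
--   'admin' and 'elliot' both become 0, so 0 = 0 is TRUE for every row
--   and the first row (admin) is what the login code sees.
SELECT username, ('' % 1) AS modulo, (username = 0) AS matches FROM users;
-- admin  | 0 | 1
-- elliot | 0 | 1

-- Hardened form: a prepared statement keeps the payload inside the string
-- value, so # is never parsed as a comment and % is never parsed as modulo.
PREPARE login FROM 'SELECT id FROM users WHERE username=? AND password=?';
SET @u = '''%1#';               -- the literal string '%1#
SET @p = 'anything';
EXECUTE login USING @u, @p;     -- Empty set: no user is named '%1#
DEALLOCATE PREPARE login;
```

The coercion of a non-numeric string to 0 is what makes the payload so short: no `OR` is needed because the equality itself becomes true for every row. In a real application the fix is the prepared statement (from PHP, `mysqli`/PDO bound parameters, not the SQL-level `PREPARE` shown here), plus hashing the stored passwords so that a successful dump does not also hand over credentials.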
An upload mechanism. First I tried to upload a PHP file containing   phpinfo().
To bypass the security I change the filename and MIME type with Burp Suite.
When I view the ticket I see that the command is being executed.
Time for a reverse shell. For the reverse shell I use the PHP script from pentestmonkey and upload it to the server. From the browser I view the ‘ticket’ and the script gets executed. I have my reverse shell.

Now for some reconnaissance.

So ‘taviso’ is in the sudo group and /etc/passwd is writable.

And that’s it. The last part said: Congratulations, Now begins the report! (or at least that’s what Google makes of it).
The flag is an MD5 hash; plaintext = rio
