Hi, everyone,
This is my walkthrough of “y0usef”, a CTF designed by y0usef. I hope you all enjoy it. :) Also, thanks a lot, y0usef.
Link: https://www.vulnhub.com/entry/y0usef-1,624/
Task: Capture 2 flags (user.txt & root.txt)
Walkthrough
Network Scanning
First we start nmap to search for some useful ports.
nmap -p1-65535 -T4 -A -v 10.0.2.34

Now we know that the server is serving HTTP (Apache 2.4.10) on port 80, and we also have SSH (OpenSSH 6.6.1p1) on port 22.
When we visit the site, we see just “Sorry, the site is under construction soon, it run”…

I checked the source code of the page; unfortunately there wasn’t anything interesting there. Since we have nothing else to go on, I started some gobuster scans. I used a lot of wordlists for the scans but got nothing. Then, with “/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt”, yeah, finally I had one :)

I then tried to access “adminstration”, but the site gives a warning: “Forbidden You don’t have permission to access on this folder”. Wait, I will try to bypass it, but first I need to scan this folder.

Pff, nothing useful. I tried to find .txt, .php, .html, .js, etc. with the gobuster -x parameter. :( Now we go to “/adminstration” and try to get access there. We use BurpSuite for this, with the “X-Forwarded-For” header for the bypass. Start BurpSuite and send the request to Repeater.

Then we add X-Forwarded-For: localhost

Bingo! We bypassed it :) Now we try to access this page with BurpSuite -> Right Click -> Request in browser -> In current browser session.

Nothing was found in the source code. Now we will bypass the login with BurpSuite. We try to log in with id: admin pw: admin, add X-Forwarded-For: localhost, and send the request to Repeater. Then we send it and BINGO! We bypass the login.
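Why the header works, and how the check should look on the server side. This is an added example, not code from the machine or from the original write-up: the weak check is a guess at the kind of logic that behaves this way, and the proxy address 10.0.2.10 and client address 10.0.2.15 are constructed values.

```python
import ipaddress

# Constructed values (assumptions, not from the target): the one reverse proxy
# allowed to set X-Forwarded-For, and the networks allowed into the admin area.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.2.10/32")]
ADMIN_ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def _xff(headers):
    """Header names are case-insensitive: X-Forwarded-for, x-forwarded-for, ..."""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            return value
    return ""


def _in(addr, networks):
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-addresses
    return any(ip in net for net in networks)


def weak_is_allowed(peer_addr, headers):
    """Hypothetical weak check: a value the client typed decides access."""
    claimed = _xff(headers) or peer_addr
    return claimed.strip() in ("localhost", "127.0.0.1")


def client_ip(peer_addr, headers):
    """Address to authorize: the TCP peer, unless that peer is a trusted proxy."""
    if not _in(peer_addr, TRUSTED_PROXIES):
        return peer_addr  # direct connection: the header is ignored entirely
    hops = [h.strip() for h in _xff(headers).split(",") if h.strip()]
    try:
        # Rightmost entries were appended by our own proxies; walk right to
        # left and stop at the first hop that is not one of them.
        for hop in reversed(hops):
            if not _in(hop, TRUSTED_PROXIES):
                return hop
    except ValueError:
        return None  # "localhost" or other junk in the chain: fail closed
    return peer_addr


def hardened_is_allowed(peer_addr, headers):
    ip = client_ip(peer_addr, headers)
    return ip is not None and _in(ip, ADMIN_ALLOWED)


if __name__ == "__main__":
    spoofed = {"X-Forwarded-for": "localhost"}  # the header used in this walkthrough
    print(weak_is_allowed("10.0.2.15", spoofed), hardened_is_allowed("10.0.2.15", spoofed))
```

The hardened version authorizes on the TCP peer address and only reads the header when the connection really comes from a known proxy, so a header typed into Repeater changes nothing.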

Now we try to access this page with BurpSuite -> Right Click -> Request in browser -> In current browser session.

Done. We have the admin panel now. We will try to upload a reverse shell, but it asks for a document, so we will try a different way. Add “GIF89” to the first line and change the file name to Reverse.php.png so that we can upload the file, but we need to change the name with BurpSuite. Don’t forget to change the IP address and port in reverse.php, because we need to listen. Start BurpSuite and turn Proxy -> Intercept on. Then upload the file.

Delete “.png” and GIF89, and then Forward.
“file uploadad files/1608542735Reverse.php” Done :) Now we need to listen for reverse.php with netcat.

Try to access “http://10.0.2.34/adminstration/upload/files/1608542735Reverse.php”. Done, we got it :)

Privilege Escalation
We need to get a proper terminal, so we type 2 lines:
export TERM=xterm
python3 -c "import pty;pty.spawn('/bin/bash')"

Now we need to take our first flag, the user flag :)

Let’s go for the root flag. First, we need to see our permissions.
find / -perm -u=s -type f 2>/dev/null

We tried to get root with these permissions, but nothing happened :) We also tried pspy32 and LinEnum. Nope, again, nothing happened :) So we use a simple way: find out the Linux version.
uname -a
Linux yousef-VirtualBox 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 i686 i686 GNU/Linux
Now search for an exploit for Linux 3.13.0-24

We need to download this exploit
searchsploit -m 37292.c and upload it to our web service (“service apache2 start”).
Move the 37292.c file to “/var/www/html” so that we can download it on the target and run the exploit in the tmp folder.

Starting the exploit, yes! We have root :)

Finally, we got our root flag…

Done :)
It’s a very useful machine, I’ve learnt a lot about “X-Forwarded-For”.
Thanks again, y0usef. :)
Turkish Write Up at Youtube → https://youtu.be/JNMG0btPmwA
