Hack the ch4inrulz: 1.0.1 (CTF Challenge)

Hello readers and welcome to another CTF challenge. This VM is made by Frank Tope as you’ll see in the very homepage on the server’s website (his resume). Nice touch, if I might add. Anyhow, you can download this VM from vulnhub here. The aim of this lab is to get root and read the congratulatory message written in the flag.

I would rate the difficulty level of this lab to be intermediate. Although, there were no buffer overflows or unnecessary exploit development, yet it did make us think a little.

Steps Involved:

  1. Port Scanning and IP clutching.
  2. Directory busting port 80.
  3. Directory busting port 8011.
  4. Discovering LFI vulnerability.
  5. Discovering an HTML backup file.
  6. Cracking password hash
  7. Logging in /development
  8. Uploading a PHP shell disguised as GIF file.
  9. Bypassing the check and triggering the file to get a netcat shell.
  10. Privilege escalation to get flag.

Alright then, let’s head into the VM all the way in.

First step is as always, running netdiscover on the VM to grab the IP address. In my case the IP was 192.168.1.103.

 

Once the IP was found, we ran nmap aggressive scan to enumerate all the open ports.

What was there to wait for after we saw port 80 open! We headed straight into the browser and a webpage got displayed which looked like a single page resume.

After not finding much, we chose to ran directory buster dirb.

 

Robots.txt seemed interesting at first but it had nothing at all. Another directory was /development. It looked like a testing site since it asked for the authentication.

We then chose to look into port 8011, after finding not much of the info. It looked like a backend to development directory.

We ran one more dirb scan on this port.

We found an interesting directory called /api. We opened it in the browser immediately.

We modified the URL parameter to /api/<api-name> but only one api seemed to be working and that was files_api.php

 

A message said “no parameter called file passed to me.” It gave us a hint that we had to pass a parameter called file.

HAHA. They got us. But still there was another thing left to try—by passing parameter through curl.

As you can see, LFI is present here!

 

Now, we tried some methods, put our hands here and there but nothing worked with this LFI.

Meanwhile, another thing that got our attention was the development server. You had a development site, you have a development server, and hence there would be more than one html files or copies of html files (backups).

One such common file is index.html.bak

It was an arrow in the dark but it hit the bullseye!

We saved it and read it using cat utility.

It had a password hash! It took us no time to copy this in a text files called hash.txt and run John the Ripper on it.

It surely were the credentials to /development authentication.

frank:frank!!!!

 

And it opened up like a beautiful treasure!

The message on this page said that the uploader tool was only half completed. So, we went to /uploader directory

The uploader had a security check for images only (jpg, png, gif) and a size limitation too.

So, here is what we did.

Traverse to the directory: /usr/share/webshells/php/php-reverse-shell.php

Open it with text editor and add GIF98 in the first line and save this file as shell.gif

Now, what this will do is that it will trick the uploader in believing the file is GIF when in reality, it is a PHP reverse shell.

So, we upload shell.gif using the uploader and the following message was received.

 

Now, the author said file was uploaded to his uploads path. Let’s get a little perspective here.

Website’s name: Frank’s website

Uploader’s name: Frank uploader.

First message on website: I love patterns

It took a while for us but we guessed it in the end, the upload’s directory would be named frank uploads.

We tried many permutations for this directory like: Frankupload, frankUploads, franksuploads etc. but the one that seemed to hit was FRANKuploads.

This step was tedious and time consuming as there was no straight connection from anywhere to this directory.

Now, all was left to trigger this file. We know for a fact that double clicking won’t do us any good so we used curl once again to get shell.

We activated netcat on a terminal side by side and typed this following curl command:

 

On other terminal, we had activated netcat:

 

As soon as curl triggered the LFI vulnerability and requested for shell.gif, we got a netcat session!

After a bit of surfing, we found a Linux Kernel exploit for version 2.6

 

On our vm shell, we downloaded this exploit, compiled it and ran it to get root!

Voila! We got root!

 

And there it was, the flag. Hope you enjoyed because we surely ddi!

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here

Related Posts Plugin for WordPress, Blogger...

3 Comments Hack the ch4inrulz: 1.0.1 (CTF Challenge)

  1. snowman

    You didn’t have to “guess” the upload path at all. You could’ve checked the source code to the upload.php file by using php://filter.
    test

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *