Simple CTF Walkthrough

Erdemstar
3 min read · Feb 22, 2024

Hello, in this article I will show you step by step how to solve Simple CTF. The goal of this CTF is to become root and read the flag. Click to get more information about CTF.

LEVEL : Very Easy

Steps

  • Learning the target’s IP address with Netdiscover tool
  • Detection of open ports with Nmap tool
  • Collecting information via port 80 with Dirb tool
  • Upload PHP Reverse Shell Script and get session
  • Becoming root using Kernel Exploit

Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.

netdiscover -r 192.168.1.0/24

The detection of open ports on the target machine was done as follows.

nmap -A -Pn -n -sV -p- 192.168.1.4

Fuzzing was performed via dirb on open port 80.

dirb http://192.168.1.4/

The paths obtained in the dirb output were checked, but no data was found. In the resulting output, the endpoint named “/uploads” was noted for future use.

A request to index.php was redirected to the form below. Here, registration is completed by entering user information.

After registration, the user information was entered and the application redirected to the index.php page. The page structure shows that files can be uploaded. Since the application is written in PHP, a PHP reverse shell script was uploaded.

Once the file upload completes, a request must be made to trigger the uploaded PHP script. The script is not kept in the root directory of the application, but in the /uploads directory noted earlier.

At this stage, the request was made by clicking on the relevant script.

Before requesting the script, a listening port was opened for the reverse shell connection as follows, and the connection from the target application to the Kali machine was awaited. The connection was obtained by requesting the reverse shell script through the application.

nc -nvlp 9999
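Seen from the defender's side, the upload-then-request sequence described above leaves a recognisable trace in the web server's access log. The following detection sketch is an added example, not part of the original article or the CTF: it assumes the Apache/Nginx "combined" log format and the /uploads/ path from the walkthrough, and the function name, extension list and sample log lines are constructed for illustration.

```python
import re

# Extensions a PHP handler may execute (assumed list; match it to the server's
# handler configuration). Also catches double extensions such as "x.php.jpg".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Leading fields of the Apache/Nginx "combined" access log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_execution(lines, upload_prefix="/uploads/"):
    """Report requests for script files under the upload directory.

    high   = script answered with 2xx after the same client sent a POST
             (upload followed by execution)
    medium = script answered with 2xx, no earlier POST seen from that client
    low    = script requested but not served (probe, or already cleaned up)
    """
    posted, findings = set(), []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path.startswith(upload_prefix) and SCRIPT_EXT.search(path):
            served = 200 <= status < 300
            severity = ("high" if ip in posted else "medium") if served else "low"
            findings.append({"ip": ip, "time": m["ts"], "path": path,
                             "status": status, "severity": severity})
        if m["method"] == "POST" and status < 400:
            posted.add(ip)  # remember clients that submitted data successfully
    return findings

# Constructed sample log lines (documentation IP ranges, invented file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Feb/2024:10:01:07 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Feb/2024:10:01:09 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Feb/2024:10:01:30 +0000] "GET /uploads/report.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Feb/2024:10:05:00 +0000] "GET /uploads/test.php?x=1 HTTP/1.1" 404 196 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in find_upload_execution(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["status"], f["time"])
```

Any "high" or "medium" finding means the server is executing files from a user-writable directory; the fix is to disable script handling for that directory or store uploads outside the web root.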

Some attempts were made on the Privilege Escalation side, but no results were obtained. The final step here is to download an exploit suitable for the kernel version of the target machine and become root. Below, this process is carried out step by step.

gcc 37292.c -o exploit
./exploit
cd /root
cat flag.txt

Summary

  • I think it is an enjoyable machine with simple scenarios such as Port enumeration, Fuzzing, File Upload Reverse shell and kernel exploit. I recommend solving it at the beginning.
