Hi guys,
Today we will solve a CTF challenge:
The Library:1 from VulnHub, which is a relatively easy machine and absolutely suitable for beginners, so let's get started.
netdiscover -r 192.168.96.0/24
As usual, I started with the netdiscover command to get the IP address of the target machine, as seen in the snapshot below:
[Screenshot: finding the target]
Finding open ports and services via nmap
I found two open ports on the target machine, 21 (FTP) and 80 (HTTP). I tried anonymous login on FTP, but it didn't work, so I moved on to enumerating port 80, as in the snapshots below:
[Screenshot: nmap results]
[Screenshot: searching for vsftpd 3.8.3 in searchsploit]
[Screenshot: enumeration of port 80]
Enumeration of port 80
I used gobuster to look for hidden directories and files, but a plain directory scan found nothing every time. I then added gobuster's -x option, which appends specific file extensions to every wordlist entry, and that turned up a hidden file called library.php.
[Screenshot: gobuster]
[Screenshot: library.php file]
Finding SQL injection in the cookie
I started Burp and intercepted the request. I saw a parameter called country and tried to find SQL injection in it, but had no luck. There was another parameter in the cookie, a JSON object, which was URL encoded; I decoded it with Burp Decoder.
[Screenshot: country parameter]
[Screenshot: decoded JSON parameter in the cookie]
That parameter looked like a possible SQL injection point, but at first I had no idea how to exploit it.
Then I searched for how to use sqlmap against a SQL injection inside a JSON request and found something interesting
here. I copied the entire Burp request into a file, put a "*" in the cookie at the injection point and ran sqlmap against that file (the -r option), but it didn't work for me.
[Screenshot: sqlmap]
I tried many things and failed again and again. Where was I going wrong? It was frustrating.
When I ran sqlmap yet again I finally found my mistake, and it was a very silly one: the answers I was giving to sqlmap's prompts. Make sure you answer them as below.
- custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] -> Y
- you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] -> n
- do you want to URL encode cookie values (implementation specific)? [Y/n] -> n
Answering Yes to the first question and No to the next two made it work!
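The two "n" answers matter because of how the cookie reaches the database. The Python model below is an added example, not code from this writeup or from the Library:1 machine: library.php's source is not shown in the post, so the cookie layout ({"user": ...}), the users table and the vulnerable handler are assumptions built to reproduce the pattern the post describes (URL-encoded JSON in a cookie, with one value concatenated into SQL); globus/AroundTheWorld are the credentials the post recovered. It places sqlmap's "*" marker inside the still-encoded cookie, shows what happens when the marked value is percent-encoded a second time (the server's single URL-decode leaves something that is not JSON, so the request never reaches SQL), shows what happens when it is sent raw, and puts the parameterised query that closes the hole beside the vulnerable one. That re-encoding was what broke the earlier runs is my reading of the prompt, not something the post states; likewise, declining to merge the target's Set-Cookie values presumably keeps a fresh server-issued cookie from overwriting the injected one.

```python
"""Added example modelling the JSON-in-cookie injection from the writeup.

Not code from the original post or from the Library:1 machine. library.php is
not shown in the post, so the cookie layout, the JSON key 'user', the 'users'
table and the handler below are assumptions; 'globus'/'AroundTheWorld' are the
credentials the post recovered.
"""
import json
import sqlite3
from urllib.parse import quote, unquote

# Constructed sample: the cookie value as Burp showed it, a URL-encoded JSON blob.
# quote(...) of '{"user": "guest"}' gives %7B%22user%22%3A%20%22guest%22%7D
RAW_COOKIE = quote(json.dumps({"user": "guest"}), safe="")


def make_db():
    """In-memory stand-in for the application's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("guest", "guest"), ("globus", "AroundTheWorld")])
    conn.commit()
    return conn


def server_decode(cookie_value):
    """Model of the server: exactly one URL-decode, then a JSON parse.
    Anything that is not JSON after that single decode raises and is never
    used in a query."""
    return json.loads(unquote(cookie_value))


def vulnerable_lookup(conn, cookie_value):
    """Hypothetical vulnerable handler: the JSON field is concatenated into SQL."""
    user = server_decode(cookie_value)["user"]
    sql = "SELECT username, password FROM users WHERE username = '%s'" % user
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, cookie_value):
    """Same lookup with a bound parameter: the payload stays a plain string."""
    user = server_decode(cookie_value)["user"]
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (user,)
    ).fetchall()


def mark_injection_point(raw_cookie):
    """Place sqlmap's custom marker '*' inside the JSON string value, in the
    still-URL-encoded cookie exactly as it appears in the saved Burp request."""
    return raw_cookie.replace("guest", "guest*")


def substitute_payload(marked_cookie, payload, url_encode):
    """Model of sqlmap swapping the marker for a payload. url_encode=True
    percent-encodes the whole resulting value again, which is what saying 'Y'
    to 'URL encode cookie values' does to a value that is already encoded."""
    cookie = marked_cookie.replace("*", payload)
    return quote(cookie, safe="") if url_encode else cookie


def run_attempt(conn, lookup, payload, url_encode):
    """One sqlmap-style request through the modelled server. Returns the rows
    the query produced, or the reason the request never reached the database."""
    cookie = substitute_payload(mark_injection_point(RAW_COOKIE), payload, url_encode)
    try:
        return lookup(conn, cookie)
    except json.JSONDecodeError:
        return "rejected: not valid JSON after the server's single URL-decode"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # Re-encoded: server sees %7B%22user... after one decode -> JSON error, no SQL.
    print(run_attempt(db, vulnerable_lookup, payload, url_encode=True))
    # Sent raw: decodes to {"user": "guest' OR '1'='1"} and dumps every user.
    print(run_attempt(db, vulnerable_lookup, payload, url_encode=False))
    # Parameterised query: the same payload matches no username.
    print(run_attempt(db, hardened_lookup, payload, url_encode=False))
```

sqlmap can also pre-answer these prompts instead of relying on interactive input: its --answers option matches each key as a case-insensitive substring of the prompt text, so --answers="process it=Y,merge them=N,URL encode=N" reproduces the three answers above, and --drop-set-cookie separately makes sqlmap ignore the target's Set-Cookie headers.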
[Screenshot: databases running]
[Screenshot: FTP user and pass]
I got globus and AroundTheWorld as the username and password, and they worked on FTP!
[Screenshot: ftp]
Getting a reverse shell via FTP server
I was looking for juicy files on the FTP server when I noticed that the website's files were being served from the FTP directory. So I decided to get a reverse shell by uploading a file through FTP, and created a PHP reverse shell payload with msfvenom.
[Screenshot: PHP rev_shell msfvenom]
Then I uploaded it to the server with the FTP put command. After the upload we also have to change its permissions (the screenshot shows execute permission being given via chmod); otherwise it won't work.
[Screenshot: putting a shell on the server]
[Screenshot: giving it execute permissions]
Then we have to set up a listener (here, Metasploit) to receive the reverse connection on the attacker's machine.
[Screenshot: metasploit framework]
Once I requested shell.php in the browser, I got a reverse connection on my attacker machine.
There are certain things to do after getting a reverse shell; one of them is to upgrade the reverse shell into an interactive shell. There are various cheatsheets available on the internet, but I usually use
this one.
[Screenshot: interactive shell]
I found the source code of library.php, which contained a credential; I saved it for future reference.
Getting a root shell
I switched to the user globus, since I had its credentials.
Then I wanted a root shell. I tried various things for that, including
g0tmi1k's privilege escalation cheatsheet, but nothing worked. Then it occurred to me: why not try the credential I had found in library.php? I tried it for root, and
I was root :)
Thanks for reading :)
Try harder...