The Library: 1 VulnHub walkthrough

Hi guys,

Today we will solve a CTF challenge, The Library: 1 from VulnHub, which is a relatively easy machine and absolutely for beginners, so let's get started.

netdiscover -r

As usual, we will start with the netdiscover command to get the IP address of the target machine, as can be seen in the snapshot below:

finding the target

Finding open ports and services via nmap

I found 2 open ports on the target machine, ports 21 and 80. I tried an anonymous login on FTP but it didn't work, so I moved on to enumerating port 80, as in the snapshot below:

nmap results
searching for vsftpd 3.8.3 in searchsploit 

Enumeration of port 80

I tried using a tool called gobuster to find hidden directories/files but failed every time. Then I used the -X option in gobuster to look for files with specific extensions, and I got a hidden file called library.php.

library.php file

finding SQL injection in the cookie

I started Burp, intercepted the request and saw a parameter called country. I tried finding SQL injection in it but had no luck. There was another parameter (a JSON request) in the cookie which was URL encoded, so I decoded it using Burp Decoder.

country parameter
decoded JSON parameter in the cookie
I found the possibility of a SQL injection in this parameter laterally which I had no idea how to exploit. 

Then I googled exploits for SQL injection in a JSON request via sqlmap and found something interesting here. I copied the entire Burp request into a file, put a "*" in the cookie and ran sqlmap, but it didn't work for me.

I did many things but failed again and again. Where was I going wrong? It was frustrating.

But I ran sqlmap again and found my mistake; it was very silly. So make sure you follow the instructions below.
  • custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q]: Y
  • you provided a HTTP Cookie header value. The target URL provided its own cookies within the HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n]: n
  • do you want to URL encode cookie values (implementation specific)? [Y/n]: n
When I answered yes to the first question and no to the next two, it worked!

databases running

FTP user and pass
I got globus and AroundTheWorld as username and password, and they worked!
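
The kind of flaw behind the cookie injection above, shown beside its fix. This is an added example, not code from library.php or from the original post: Python and an in-memory SQLite database stand in for the PHP/MySQL backend, and the cookie key `lastviewed`, the table and the sample rows are hypothetical.

```python
import json
import sqlite3
from urllib.parse import quote, unquote

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE countries (name TEXT, capital TEXT)")
    db.executemany("INSERT INTO countries VALUES (?, ?)",
                   [("Netherlands", "Amsterdam"), ("Germany", "Berlin"),
                    ("France", "Paris")])
    return db

def read_cookie(raw_cookie):
    """URL-decode the cookie and parse it as JSON; accept only an object
    holding a short string under the (hypothetical) key 'lastviewed'."""
    try:
        data = json.loads(unquote(raw_cookie))
    except (ValueError, TypeError):
        return None
    value = data.get("lastviewed") if isinstance(data, dict) else None
    if not isinstance(value, str) or len(value) > 64:
        return None
    return value

def lookup_vulnerable(db, raw_cookie):
    # Weak form: the decoded cookie value is pasted into the SQL text,
    # so a quote character in it changes the structure of the query.
    value = json.loads(unquote(raw_cookie))["lastviewed"]
    sql = "SELECT name FROM countries WHERE name = '%s'" % value
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, raw_cookie):
    # Hardened form: validate the shape, then bind the value as a
    # parameter so the driver treats it as data only.
    value = read_cookie(raw_cookie)
    if value is None:
        return []
    rows = db.execute("SELECT name FROM countries WHERE name = ?", (value,))
    return [row[0] for row in rows]

# Constructed cookie values, URL-encoded as they would travel in the header.
BENIGN = quote(json.dumps({"lastviewed": "Germany"}))
TAMPERED = quote(json.dumps({"lastviewed": "x' OR '1'='1"}))

if __name__ == "__main__":
    db = make_db()
    for label, cookie in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, lookup_vulnerable(db, cookie), lookup_hardened(db, cookie))
```

With the bound parameter the tampered cookie matches no row, while the concatenated query returns the whole table.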


Getting a reverse shell via FTP server

I was looking for some juicy files on the FTP server, but then I found that the website was running on the FTP server, so I decided to get a reverse shell via file upload over FTP. I created a reverse shell payload in PHP via msfvenom.

PHP rev_shell msfvenom
Then I uploaded it to the server via the PUT command, but before upload, we have to give it execution permission, otherwise it won't work.

putting a shell in server

giving it execution permissions
Then we have to set up a listener to get a reverse connection on the attacker's machine.

metasploit framework

Once I looked for shell.php in the browser, I got a reverse connection on my attacker's machine.

There are certain things which we have to do after getting a reverse shell. One of them is to change the reverse shell into an interactive shell. There are various cheatsheets available on the internet, but usually I use this one.

interactive shell
I found the source code of the library.php file, in which there was a credential. I saved it for future reference.

Getting a root privilege shell

I changed user, as I had the credentials of globus.

Then I wanted a root shell. I tried various things for this, including g0tmi1k's cheatsheet for privilege escalation, but it didn't work. Then an idea came to my mind: why am I not using the creds which I got? I tried them, and then

 I was root :)

Thanks For Reading :)
Try Harder......