This is a writeup of JIS-CTF: VulnUpload VM from Vulnhub.
Challenge: There are five flags on this machine. Try to find them. It takes 1.5 hour on average to find all flags.
Difficulty: Beginner
Date release: 8, Mar, 2018
Author: Mohammad Khreesha
Write-Up
Getting IP address:
I was able to run this on vmware even though it says on the page only working with virtualbox.
I configured the VMs (attacker and target) in host-only network, my host-only network has the IP: 192.168.199.0.
On running nmap:
Press enter or click to view image in full size
I found the IP to be 192.168.199.131, this is the result on a browser:
Press enter or click to view image in full size
Information Gathering:
I decided to run nikto and see what useful information I would get:
Press enter or click to view image in full size
It found several directories and also a robots.txt file.
Press enter or click to view image in full size
After loading the robots.txt file, I saw one of the directories listed is flag.
Press enter or click to view image in full size
After checking it out. Boom! Our 1st flag!!
I did some exploring on the other directories listed on robots.txt file but most displayed nothing except the /admin_area :
Press enter or click to view image in full size
The page just displayed “The admin area not work :)” but on inspecting the page we find our 2nd flag!! commented out. There is also some login credentials.
Get Michael Ikua’s stories in your inbox
Join Medium for free to get updates from this writer.
I tried login with those credentials and got a successful login:
Press enter or click to view image in full size
Exploitation:
For exploitation I decided to try uploading a php-reverse-shell file which can already be found in kali, I copied mine to desktop and renamed it to exploit.php:
Press enter or click to view image in full size
I edited ip to my attacker’s ip and port to port I want to listen on.
I then opened a netcat listening session on port 4444:
Press enter or click to view image in full size
Press enter or click to view image in full size
Uploading the file didn’t give any errors so it was successfully uploaded. I ran it by changing the url to /uploaded_files/exploit.php and going back to the netcat session we get a reverse-shell :
Press enter or click to view image in full size
After looking around, I went to the webserver directory /var/www/html and found flag.txt file but didn’t have permission to read it.
But, there is a hint.txt file, on checking it I get the 3rd flag!! :
Press enter or click to view image in full size
The hint there made me spend a while on there but after googling and read another writeup, it turns out the file is hidden in a secret location not hidden in a linux sense that it’s not visible.
I decided to find files that belong to user technawi and have readable content :
Press enter or click to view image in full size
After searching I get the credentials.txt and there’s the 4th flag!!.
I used the password and switched user to technawi so that I can read the flag.txt file:
Press enter or click to view image in full size
At first try the su (switch user) did not work as it needed to be run from a terminal, so using that python command I spawn a shell. However, this VM only had python3 installed so I had to use python3 to run the command. After changing user to technawi the flag.txt has our 5th flag!! which is also the last flag.
After thoughts:
It was a simple CTF challenge even for me as a beginner, even though I didn’t immediately understand the hint and had to look for help from another writeup.
I will definitely be doing more challenges like this and write about them.