I’m back with another CTF walkthrough / diary. I was hungry for some action learning, so I went to VulnHub and picked a CTF somewhat randomly. Today’s fun is a CTF VM called: Freshly.
Let’s jump right into it. I ended up using VirtualBox to host this VM as my VMware Workstation 11 complained about importing the OVA.
Step One: Find My Target & Start Info Gathering
$ nmap -sP 192.168.1.1/24
Sweet, I’ve got the IP for the target and now it’s time to roll.
After visiting the IP in my browser, I’m greeted with this picture:
I went looking for a Robots.txt, but none was found (darn).
Next, I did a scan to see what ports were open.
$ nmap -sV -A 192.168.1.149
So, it looks like I have a few ports to check out.
First bit of business is to hit 443, so I pull it up in my browser. After confirming some security, I’m greeted with a linked text.
Clicking the link goes to /wordpress/. Interesting.
Step Two: Wordpress Fun
Here are the steps I went through:
- I visited the readme.html page to see if it was there. It was and shows WP version 4.1.6
- It looks like the site is using some plugins, such as Contact Form 4.1, Cart66 Lite 1.5.3, etc.
- I decide to run WP SCAN against the site to speed up info gathering.
$ wpscan -u https://192.168.1.149/wordpress/ -e u,ap,tt,at
It’s my machine and I had something to do, so I didn’t mind running the above command (lots of looking and lots of time).
Right away I can see that this site is using a couple out-of-date plugins, which have vulnerabilities.
So I started messing with a possible Pro Player SQL injection vulnerability, but I’ve decided to hold off a little and keep looking for information.
Now I’m going to back and running dirbuster on the main site.
Here are the directory goodies I found quickly:
Ok, time to look into this further.
Step Three: SQL Checking
I found about about the tool sqlmap, which I had never used. After checking it out, I used the following command to get it going:
$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit"
That’s pretty neat info there. Let’s see if there’s more it can do.
Next command is similar, but we’re specifying the database system and looking looking for database names.
$ sqlmap -u "http://192.168.1.149/login.php" --data="user=1&password=1&s=Submit" --dbms=mysql --dbs
After a handful of minutes, I’m presented with a listing of available databases:
available databases :
Sweet! All the monies are on wordpress8080 being the WP db,so let’s hit it. Also of note are some curious DB names, like login and users. Let’s advance things.
I’m going to run sqlmap again and this time add the table name.
$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --tables -D wordpress8080
Alright, there’s a table called users here, so next I’m going to use that table name with sqlmap to get some more information (I hope).
$ sqlmap -u http://192.168.1.149/login.php --data="user=1&password=1&s=Submit" --dbms=mysql --dump --T users -D wordpress8080
So now I have some credentials to work with. Since I’m here and in sqlmap, I’m going to check out the users and login databases.
First, the login db.
For user_name, I was able to retrieve candyshop.
And for users, I retrieved:
Very interesting. I know have multiple credential options.
Finally, I’m going to check out the users db.
I received an error when trying to get tables, so I’m moving on. If needed, I’ll revisit this issue.
Step Four: Credential Checking & Completion
I went back to /login.php and tried candyshop/password and Sir/PopRocks. I noticed the the resulting integer below the form changed from 0 to 1 (perhaps to signify a login state?).
Ok, let’s go to /wp-admin/ now and see if we can get into the WordPress site.
Upon arriving, I’m presented with a page to update the DB. I confirm and continue right into the login screen.
And . . . I’m in. I’m now in control of the Wordpress site. What now? :)
php web shell
# SECRET = "NOBODY EVER GOES IN, AND NOBODY EVER COMES OUT!"
I had a fun time doing this CTF. I recommend it for those just starting out, especially those with an interest in all things Wordpress.
If you’re interested in sqlmap, check out Tool Time - SQLMap.