Cybersecurity Solutions and Support Services

    Vulnhub Kira: CTF Walkthrough

    This is from the latest releases on Vulnhub but it does not have a description.  I think this box was either on the TryHackMe platform or maybe it was accepted to that platform.  The flags are the giveaway and due to their specific look, I don't think it's a coincidence.  Anyway, moving on...

    We kick off with Nmap:

    Not much to do other than check out the web port:

    We have a couple of options but the language button just begs to be Local File Inclusion (LFI):

    Shocking.  We are able to read /etc/passwd and if we view source, it cleans it up a bit more for us:

    The user bassam sticks out and we'll save that for possible later use.  Moving back to the upload function:

    I upload an image just to see how it functions and to capture the request in Burp:

    Rather than use the LFI, I wanted to see if I could bypass the image upload but I got bored and moved on after several attempts.  If we upload Pentest Monkey's reverse shell and capture it in Burp, we can modify the Content-Disposition and Content-Type.  Honestly, I don't think we need to do the latter, I just changed it for good measure:

    When we submit:

    We get the success message.  Now we can hit the file in the /uploads directory with the LFI:

    With our netcat listener setup already:

    We catch the inbound shell.  We move into the web directory to look around and we find:

    We have bassam's password.  We su to bassam and check our sudo privileges:

    We can run the find command as sudo and we use GTFOBins to get the syntax for escalation for root.  One last thing to do:

    I was moving so fast, I didn't even bother to get the user flag on my way.  It's two for one sale. 

    Not a bad beginner box.  Wish it had more moving parts. 

    © 2020