Vulnhub Kira: CTF Walkthrough

by Vince
in Blog
Hits: 764

This is from the latest releases on Vulnhub but it does not have a description.  I think this box was either on the TryHackMe platform or maybe it was accepted to that platform.  The flags are the giveaway and due to their specific look, I don't think it's a coincidence.  Anyway, moving on...

We kick off with Nmap:

Not much to do other than check out the web port:

We have a couple of options but the language button just begs to be Local File Inclusion (LFI):

Shocking.  We are able to read /etc/passwd and if we view source, it cleans it up a bit more for us:

The user bassam sticks out and we'll save that for possible later use.  Moving back to the upload function:

I upload an image just to see how it functions and to capture the request in Burp:

Rather than use the LFI, I wanted to see if I could bypass the image upload but I got bored and moved on after several attempts.  If we upload Pentest Monkey's reverse shell and capture it in Burp, we can modify the Content-Disposition and Content-Type.  Honestly, I don't think we need to do the latter, I just changed it for good measure:

When we submit:

We get the success message.  Now we can hit the file in the /uploads directory with the LFI:

With our netcat listener setup already:

We catch the inbound shell.  We move into the web directory to look around and we find:

We have bassam's password.  We su to bassam and check our sudo privileges:

We can run the find command as sudo and we use GTFOBins to get the syntax for escalation for root.  One last thing to do:

I was moving so fast, I didn't even bother to get the user flag on my way.  It's two for one sale. 

Not a bad beginner box.  Wish it had more moving parts.