BSides Vancouver 2018 Workshop CTF
When I pick up CTF challenges online, I need to go to a public Internet cafe to download the VM, and then I randomly pick a challenge to solve at my apartment, because I don’t have an Internet connection there.
It’s Sunday, let’s start!
I scan the target to look for any possible attack vectors.
Nmap shows that there are FTP, SSH and HTTP services. I checked FTP first to see whether anonymous login is available.
And I’m not mistaken, anonymous login is enabled.
After navigating the FTP server I found a list of usernames and kept it in my notes.
Now I’m starting my attack on port 80, using dirb to brute-force any possible directories.
And I found a robots.txt file that disallows /backup_wordpress.
Upon checking /backup_wordpress I found a WordPress site with the user john.
Using the username john, I brute-forced the WordPress login using the automated tool WPScan.
After a minute WPScan finished its run and the credentials are john/enigma.
And successfully authenticated.
Then my next move was to gain a shell on the server. Using Metasploit, I automated the upload of a PHP reverse shell to the WordPress site.
After gaining a shell, I upgraded it to an interactive shell using a short Python one-liner.
Upon checking, I saw a crontab entry that is run every minute by root.
Upon checking, this script removes the Apache logs as the root user.
My next move was to modify the script into a Python reverse shell; upon checking, the Python version is 2.7.
Then I generated the Python reverse shell using MSFVenom.
Then I appended it to the cleanup file.
And started my Metasploit listener.
Got root after a minute.
Happy Sunday!
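
The last step worked because a script run by root's cron job could be edited from a low-privileged shell. The audit below flags root cron jobs whose script, or the directory holding it, is writable by a non-root account. It is an added example, not part of the original writeup; the writeup does not show the file's permissions, so the modes, file names and temporary paths in `demo()` are constructed assumptions.

```python
import os, shlex, stat, tempfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # write bit for group or others

def root_jobs(crontab_text):
    """Commands that run as root; /etc/crontab format: m h dom mon dow user cmd."""
    jobs = []
    for line in crontab_text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#"):
            continue  # blank line, comment, or VAR=value setting
        if fields[5] == "root":
            jobs.append(fields[6])
    return jobs

def weak_path(path, trusted_uids):
    """Return why an untrusted account could alter `path`, else None."""
    for target in (path, os.path.dirname(path)):
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            return f"{target}: owned by uid {st.st_uid}"
        if st.st_mode & LOOSE:
            return f"{target}: mode {stat.S_IMODE(st.st_mode):o} is group/world-writable"
    return None

def audit(crontab_text, trusted_uids=(0,)):
    """List (command, reason) for root jobs that reference a modifiable file."""
    findings = []
    for command in root_jobs(crontab_text):
        for token in shlex.split(command):
            # Regular files only, so redirect targets like /dev/null are skipped.
            if os.path.isabs(token) and os.path.isfile(token):
                reason = weak_path(token, trusted_uids)
                if reason:
                    findings.append((command, reason))
    return findings

def demo():
    """Constructed sample: one world-writable script, one locked-down script."""
    me = os.getuid()  # stands in for root so the demo runs unprivileged
    d = tempfile.mkdtemp()
    loose, tight = os.path.join(d, "cleanup"), os.path.join(d, "rotate")
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = f"# constructed sample\n* * * * * root {loose}\n0 3 * * * root {tight}\n"
    return audit(crontab, trusted_uids={me})

if __name__ == "__main__":
    for command, reason in demo():
        print(command, "->", reason)
```

On a real host, pass the contents of `/etc/crontab` to `audit()` with the default `trusted_uids=(0,)`; any finding means the script should be owned by root with no group or world write bit.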