BSides Vancouver 2018 Workshop CTF

Robert Canare
Nov 10, 2019

When I pick up CTF challenges online, I need to go to a public Internet cafe to download the VM, then I randomly pick a challenge and solve it in my apartment, because I don’t have an Internet connection in my apartment.

It’s Sunday let’s start!

I scanned the target to look for any possible attack vectors.

Nmap shows that there are FTP, SSH and HTTP services. I checked FTP first to see if anonymous login is available.

And I’m not mistaken, anonymous login is enabled.

After navigating the FTP server I found a list of usernames and kept it in my notes.

Now I’m starting my attack on port 80, using dirb to brute-force any possible directories.

And I found this robots.txt file that disallows /backup_wordpress.

Upon checking /backup_wordpress I found a WordPress site with the user john.

Using the username john, I brute-forced the WordPress login using the automated tool WPScan.

After a minute WPScan finished its process, and the credentials are john/enigma.

And I successfully authenticated.

Then my next move was to gain a shell on the server; using Metasploit I automated the upload of the PHP reverse shell to the WordPress site.

After gaining a shell, I upgraded my shell into an interactive shell using a short Python one-liner.

Upon checking, I saw a crontab entry that is run every minute by root.

Upon checking, this script removes the Apache logs as the root user.

My next move was to modify the script into a Python reverse shell; upon checking, the Python version is 2.7.

Then I generated the Python reverse shell using MSFVenom.

Then I appended it to the cleanup file.

And started my Metasploit listener.

Got root after a minute.
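
The escalation above depends on one condition: a job that root runs every minute executes a file that a lower-privileged user can modify. The following audit for that condition is an added example, not part of the original write-up; it assumes /etc/crontab-style lines (with a user field), and the file names and crontab entries in `demo()` are constructed.

```python
import os
import stat
import tempfile

def writable_by_others(path, trusted_uids):
    """Return why a non-trusted user could modify path, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return "owned by uid %d" % st.st_uid
    if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
        return None  # sticky directory: only owners may replace entries
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return "group-writable" if st.st_mode & stat.S_IWGRP else None

def audit_root_cron(crontab_text, trusted_uids=(0,)):
    """Flag files in /etc/crontab-style root jobs that non-root can change."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        # Skip blanks, comments, VAR=value lines and @reboot-style shortcuts.
        if len(fields) < 7 or fields[0].startswith(("#", "@")) or "=" in fields[0]:
            continue
        if fields[5] != "root":
            continue
        for token in fields[6:]:
            if not (token.startswith("/") and os.path.isfile(token)):
                continue
            # A writable parent directory lets the file be replaced outright.
            for target in (token, os.path.dirname(token)):
                reason = writable_by_others(target, trusted_uids)
                if reason:
                    findings.append((target, reason))
    return findings

def demo():
    """Constructed sample: one loose and one tight script in a temp dir."""
    d = tempfile.mkdtemp()
    loose, tight = os.path.join(d, "cleanup"), os.path.join(d, "rotate")
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    lines = ["SHELL=/bin/sh", "* * * * * root " + loose,
             "0 3 * * * root " + tight, "* * * * * www-data " + loose]
    # The temp files belong to whoever runs the demo, so trust that uid here.
    return loose, audit_root_cron("\n".join(lines), trusted_uids=(os.getuid(),))

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of the system crontab and keep the default `trusted_uids=(0,)`; any finding should be fixed by making the script and its directory owned by root and writable only by root.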

Happy Sunday!
