- Author Description
- Web Application Analysis
- HTTP Proxy SSH Connection
- Local Enumeration
- MySQL Credentials
- Privilege Escalation - Password Reuse
This CTF was designed by Telspace Systems for the CTF at the ITWeb Security Summit and BSidesCPT (Cape Town). The aim is to test intermediate to advanced security enthusiasts in their ability to attack a system using a multi-faceted approach and obtain the “flag”.
You will require skills across different facets of system and application vulnerabilities, as well as an understanding of various services and how to attack them. Most of all, your logical thinking and methodical approach to penetration testing will come into play to allow you to successfully attack this system. Try different variations and approaches. You will most likely find that automated tools will not assist you.
Author: Telspace Systems
Host Service Enumeration
Apache httpd 2.2.22 ((Debian))
Squid http proxy 3.1.20
Web Application Analysis
The basic test below indicated the web application could be vulnerable to SQL injection.
SQL injection looked possible, and the database was identified as MySQL:
Enumeration indicated the web application was filtering the SQLi attempts and stripping parts of the input, such as the keyword OR. This was overcome (after researching SQLi filter evasion) using the following:
With no direct access to SSH, the credentials above could not be used to obtain a shell.
HTTP Proxy SSH Connection
The following was used to gain access to the SSH server by proxying the connection through the open Squid proxy on the target machine.
Set up the tunnel with proxytunnel:
SSH through the HTTP tunnel:
/bin/sh had to be appended to the end of the SSH command, as the server appeared to drop sessions immediately after connecting.
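The tunnel above only works because the Squid instance accepted CONNECT requests to an arbitrary port (here tcp/22). As an added, constructed squid.conf fragment that is not the CTF VM's configuration, the permissive setting is shown next to Squid's stock restriction, which confines CONNECT to the SSL ports and to a named source network (the 10.0.0.0/8 range is an assumption):

```conf
# Constructed example; not the configuration of the CTF machine.

# Permissive: any client may CONNECT to any port, which is what
# lets an HTTP proxy be repurposed as a tunnel to services such as SSH.
#   acl CONNECT method CONNECT
#   http_access allow all

# Restricted (Squid's default rule set): CONNECT only to SSL_ports,
# other methods only to Safe_ports, and only from the local network.
acl localnet src 10.0.0.0/8        # assumed internal client range
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
```

Squid evaluates http_access lines in order and stops at the first match, so the deny rules must precede the allow.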
Local Enumeration
Enumeration as the user John discovered the MySQL root credentials:
MySQL Credentials
The following process was used to disclose the users' credentials:
Privilege Escalation - Password Reuse
Password reuse for the user sara was possible using the previously discovered credentials.
The user sara had sudo access to the binary /bin/cat; path traversal was used to cat the contents of /root/flag.txt, which contained the root password.
With the previously discovered credentials it was possible to su - to root:
I enjoyed the SQL injection filter evasion; overall, a short CTF that can easily be done in an evening.
Thanks for the VM :)