Windy's little blog

All the odds and ends of everyday life, and I like CTF.

Vulnhub bassamCTF: 1 Walkthrough

Machine is here.

Nmap scan ports.

Port 80 only has one file.

Get domain name from index.html.

Add it to /etc/hosts, then brute-force vhosts.

gobuster vhost -u http://bassam.ctf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt


Get another vhost name, add to hosts too.

Gobuster scan.

Open index.php; it looks like we can download files, so enter config.php.

Check config.php and get a user/password pair.

SSH in as user test. Find two ELF files at /root/PassProgram.

Enumeration turns up a file named MySecretPassword, but all it has is unprintable data.

Decode the file with the ELF. We get the password for kira.

Kira can run sudo, and there is a test.sh in the home folder.

Then we can escalate to bassam.

Again, sudo.

Create script.sh on the attacker machine with the reverse code in it, and run an HTTP server.

Modify hosts, add attacker machine's IP.

Run down.sh, and we get root!
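
The final step depends on a file that root's sudo-run script trusts (hosts) being editable by an unprivileged user. A defender-side audit for that condition, added here as an example and not part of the original walkthrough: it flags files, and their parent directories, that a root-run job relies on but a non-root account can change. The names audit_root_trust, check_path and TRUSTED_UID are assumptions made for this example, and it needs GNU stat.

```shell
# Added example, not from the original post. audit_root_trust, check_path and
# TRUSTED_UID are names invented here. Requires GNU stat (Linux).

# Report why one path could be altered by someone other than the trusted owner.
check_path() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"; findings=$((findings + 1)); return 0
    fi
    owner=$(stat -L -c '%u' "$1")   # numeric owner uid (symlinks followed)
    mode=$(stat -L -c '%a' "$1")    # octal permission bits, e.g. 644
    if [ "$owner" != "$trusted_uid" ]; then
        echo "OWNER    $1 (uid $owner)"; findings=$((findings + 1))
    fi
    # 020 = group write, 002 = other write
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $1 (mode $mode)"; findings=$((findings + 1))
    fi
}

# Check each file and its parent directory; a writable directory lets a user
# replace the file even when the file itself is locked down.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_root_trust() {
    trusted_uid="${TRUSTED_UID:-0}"   # owner considered safe, root by default
    findings=0
    for path in "$@"; do
        check_path "$path"
        check_path "$(dirname "$path")"
    done
    [ "$findings" -eq 0 ]
}

# Typical use on a host, as root (second path is a placeholder):
#   audit_root_trust /etc/hosts /path/to/sudo-allowed-script.sh
```

Any line of output is a path that a script run as root should not be trusting in its current state.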