PwnTillDawn Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, while also having fun! The goal is simple: break into as many machines as possible using a succession of weaknesses and vulnerabilities, and collect flags to prove successful exploitation. Each target machine that can be compromised contains at least one "FLAG" (most of the time a file, typically located in the user's Desktop or the user's root directory), which you must retrieve and submit in the application. In the majority of cases the flag is in SHA1 format, but not always.
This is the first platform I ever used when learning and getting my hands dirty. At that time I did not write up how I obtained the flags. So this is my write-up for this box.
Normally we would start by scanning the whole network in our environment. In this case I skip that step, since this machine is a continuation of the learning process (Pwn Academy).
Next we continue with scanning for open ports.
sudo nmap -sC -sV -A pwndrive -o nmap -T 5 -vv
We got a ton of interesting ports here. Let's look at ports 80 and 443.
It works. Now it's time to discover all the directories on this web server. At the same time I try an nmap script, since port 445 is open. What does port 445 do?? wooohhhh
Port 445 is a Microsoft networking port which is also linked to the NetBIOS service present in earlier versions of Microsoft operating systems. It runs Server Message Block (SMB), which allows systems on the same network to share files and printers over TCP/IP. This port should not be exposed to external networks.
gobuster dir -u http://pwndrive -t 50 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
We got a ton of directories, and what is shocking is that we can easily add, delete and manage users without any credentials.
Not only that: on the login page we can inject SQL into the login form using
admin"#
Whooo... Just like that we can enter as admin. As we saw before, it also has an upload directory and allows us to upload files. Now let's put our payload in as a php5 file. Why php5? Normally some systems do not allow php files to be uploaded. By adding any number at the end of the extension, we bypass the restriction made by the system.
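To show why the rename trick above gets past a naive filter, here is an added example (not code from this write-up or from the PwnDrive application): a blacklist that only rejects an exact ".php" suffix, beside an allowlist check that also blocks ".php5", other executable extensions, double extensions and case variants. The extension sets are constructed for illustration.

```python
# Added example: weak extension blacklist vs. hardened allowlist upload check.
from pathlib import PurePosixPath

# Constructed blacklist typical of naive upload filters: exact match only.
BLACKLIST = {".php"}
# Allowlist of the only extensions a document-sharing app actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".pdf", ".txt"}
# Extensions a PHP-enabled web server commonly executes as code (constructed set).
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7",
                     ".phtml", ".phar", ".phps"}


def blacklist_allows(filename: str) -> bool:
    """Weak check: rejects only an exact, case-sensitive '.php' suffix,
    so 'shell.php5' and 'shell.PHP' both slip through."""
    return PurePosixPath(filename).suffix not in BLACKLIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: use the basename only (drops any '../' prefix),
    require exactly one extension, reject any script extension, and
    accept only extensions on the allowlist (case-insensitive)."""
    name = PurePosixPath(filename).name
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) != 1:            # 'a.php.jpg' has two, '.htaccess' has none
        return False
    if suffixes[0] in SCRIPT_EXTENSIONS:
        return False
    return suffixes[0] in ALLOWLIST


def compare(filenames):
    """Map each name to (blacklist_allows, allowlist_accepts) for review."""
    return {f: (blacklist_allows(f), allowlist_accepts(f)) for f in filenames}
```

Running compare() over names such as "shell.php5", "shell.PHP" and "shell.php.jpg" shows the blacklist passing all three while the allowlist rejects every one.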
Back to the place where I can add, delete and manage users. I try to add myself as admin, and yes, I can do it.
Next, let's fire up our listener and place the payload on this server.
Unfortunately, no connection comes back. Maybe this system wants us to exploit it another way.
Remember port 445 from our port scan. Let's confirm it with the nmap vulnerability script:
nmap -p445 --script vuln pwndrive
It shows this machine is vulnerable. Hmm... Let's do some research on what this vulnerability is about.
There are multiple ways to exploit this machine; I will show the simplest steps to get into it.
Our lovely tool, Metasploit. Let's search for the module we should use for this exploitation.
I choose option 0. Let's set up our options with valid values. After that, run the exploit against this machine.
After a few moments, we manage to get in. Before going further, we need to create a shell.
Discover the home directories and users. Since we can access the administrator's directory, let's move to it.
We got the flag for this machine. Thanks for reading.
SMB vulnerability
There are multiple ways to exploit a machine, not only LFI, SQLi and the like.
Always jot down every finding and every step on the way to getting the flag or access.