{THM} Different CTF
Last updated
Hello there, we will tend to think differently in this room. In fact, we will understand that what we see is not what we think, and if you go beyond the purpose, you will disappear in the room and fall into a rabbit hole. This machine is a CTF with steganography, reverse engineering and cryptography challenges.
As usual, scan the ports and directories.
The directory scanner result shows this website is WordPress. But one thing that is not supposed to be in a WordPress directory is announcements.
Checking the announcements directory, I found two files. Download them and try to crack the image using Steg cracker (Steganography CTF).
Why am I cracking this file? The author tagged this machine with steganography, and this is the only place with an image and a wordlist, so it likely refers to a steganography challenge.
After a while, we manage to crack the image. Let's see what it is about to get a better understanding.
Further reading shows that this is encoded with base64. Decode it and you will find juicy information.
Another thing I found is that it allows uploading files without restrictions. Let's put our reverse shell here.
Yes, we manage to upload it; the only problem is where our reverse shell is located.
Let's move on to other things. We know our payload is there, just not where it is stored.
From the file listing, one file really caught my eye.
From this file, we can read some credentials. Let's find something we can do with phpMyAdmin since we have the permission.
We manage to get into the database. This is dangerous because an attacker can drop the database, modify it and do much more to control the website. Other than that, it stores important information that is not supposed to be exposed.
We got the password for a WordPress user and another subdomain for this site. (I'm not going to do this exploit.)
Step 5 - User Access
Since we got another subdomain, let's try locating our payload from earlier and check our listener.
We got in as www-data and manage to locate the web flag. Next, let's change to hakanbey.
Use this tool to brute force su. Since we know every password starts with the pattern 123adana, let's sed the wordlist with that pattern.
sed 's/^/123adana/' /var/www/html/announcements/wordlist.txt > newlist.txt
Let's make this work!
We manage to access as hakanbey with the credentials given.
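From the defender's side, an su brute force like this leaves a dense run of failed su records in the auth log. The following is an added example, not part of this writeup, that flags such runs; the sample log lines, the hostname "different", the timestamps and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not captured from the CTF machine): six
# failed su attempts www-data->hakanbey in seconds, a success, one stray failure.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 different su: FAILED SU (to hakanbey) www-data on pts/0
Jan 10 12:00:01 different su: FAILED SU (to hakanbey) www-data on pts/0
Jan 10 12:00:02 different su: FAILED SU (to hakanbey) www-data on pts/0
Jan 10 12:00:02 different su: FAILED SU (to hakanbey) www-data on pts/0
Jan 10 12:00:03 different su: FAILED SU (to hakanbey) www-data on pts/0
Jan 10 12:00:03 different su: FAILED SU (to hakanbey) www-data on pts/0
Jan 10 12:00:04 different su: (to hakanbey) www-data on pts/0
Jan 10 12:30:00 different su: FAILED SU (to root) hakanbey on pts/1
"""

# Matches su's syslog lines: "FAILED SU (to X) Y on tty" and, on success,
# "(to X) Y on tty"; an optional [pid] after "su" is tolerated.
SU_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<source>\S+) on"
)

def detect_su_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return [(source, target, total_failures, succeeded_after)] for each
    source->target pair with >= threshold failed su attempts inside any
    window_seconds window (syslog has no year; 1900 is fine for deltas)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        key = (m.group("source"), m.group("target"))
        (failures if m.group("failed") else successes)[key].append(ts)
    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until times[start..end] fits the window
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                succeeded = any(s >= times[end] for s in successes.get(key, []))
                alerts.append((key[0], key[1], len(times), succeeded))
                break
    return alerts
```

A pair that crosses the threshold and then logs a success is the case worth paging on: it is the point where the wordlist guess in this writeup landed.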
Using normal searching, I found this binary is something. A binary is a file that holds or might execute something. Let's check this file.
Yes, we can prove that, since we have the FTP file located on the subdomain and can retrieve it using FTP. Let's copy it to that directory and analyze it on our machine.
Analyze it with ltrace to check how this binary works in general.
It will compare our input with warzoneinadana. Let's try entering that string.
Download the image to our machine and view it in hex as it mentions.
Manually test every base and finally get the root password. Change the user to root and you have access as root.
Unknown directory in WordPress.
Dangerous phpMyAdmin directory.
Sucrack with a password pattern.
Reverse the binary and find the hidden directory.
Hidden password in an image.
FTP permission to upload files.