BTRSys v1: CTF walkthrough
We can find the IP address of the vulnerable system with arp-scan.
We scan the targeted system with nmap.
We can use the FTP service (as anonymous), but the directory is empty. So, only port 80 will be used.
Oddly, gobuster didn’t find the login.php page, so I used nikto.
The login.php page is a basic login page, but two restrictions need to be bypassed.
The username needs to contain the string “@btrisk.com” and we can’t use a single quote in the password. All of that sounds like an HTTP form vulnerable to SQL injection. After several tries, this one worked for me: a’ or 1=1;#
We have access to a file upload form; I hope this input is sanitised.
From JPG to reverse shell
Once again, this input has only one restriction: we can upload only JPG, GIF or PNG files.
The problem is that the security check is done only on the client side. So, if we intercept the request with Burp Suite and change the file extension to .php, we will be able to upload a PHP reverse shell.
We generate a PHP reverse shell called shell.jpg.
We configure our Metasploit handler.
Finally, we configure Burp Suite to intercept the outgoing traffic, upload the rshell.jpg file and then change the extension of our reverse shell.
Now, we have a reverse shell.
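As an added example (not code from the original post or from the BTRSys VM), this is the server-side check the upload handler was missing: it enforces the extension allowlist on the server, inspects the actual file bytes instead of the client-supplied name or MIME type, and stores the file under a random name. The form field name "file" and the upload directory are assumptions.

```php
<?php
// Server-side upload validation (added example, not the original app's code).
// Assumptions: the form field is named "file"; $uploadDir is a directory that
// the web server cannot execute scripts from (ideally outside the web root).
$allowedExt = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
               'png' => 'image/png', 'gif' => 'image/gif'];
$uploadDir  = '/var/www/uploads'; // assumed path

// Returns null when the upload is acceptable, otherwise a rejection reason.
function validate_upload(array $file, array $allowedExt): ?string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        return 'file too large';
    }
    // Extension check done on the server; a renamed request cannot skip it.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedExt[$ext])) {
        return 'extension not allowed';
    }
    // Check the bytes on disk, not $file['type'] (which the client controls).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowedExt[$ext]) {
        return 'content does not match extension';
    }
    // A PHP script with a .jpg name fails here: it has no valid image header.
    if (getimagesize($file['tmp_name']) === false) {
        return 'not a valid image';
    }
    return null;
}

$err = validate_upload($_FILES['file'] ?? [], $allowedExt);
if ($err !== null) {
    http_response_code(400);
    exit($err);
}
// Never reuse the client filename: random name plus the verified extension.
$ext  = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
$dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
    http_response_code(500);
    exit('could not store file');
}
echo 'upload accepted';
```

Even with these checks in place, the upload directory should be served with script execution disabled, so a file that slips through is still returned as data rather than run.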
First of all, we start a shell.
Then we will take a look at this interesting file: config.php.
We found MySQL credentials.
Let’s use them and explore the MySQL database “deneme”.
Now, we will show the content of this table.
Two users with the same password.
We have root access to this system.