g0rmint: CTF walkthrough
First of all, let's find the IP address of the vulnerable system. As usual, we use arp-scan.
Then we scan the system to find which ports and services are running.
Enumerating the root of the web folder reveals a robots.txt file.
Now we can focus our research on the g0rmint sub-directory. After playing with the website to understand what each page does and what our options are, we can start reading the source code. An interesting thing can be found in the index.php page.
Finally we can download a backup of the website.
The content of the unzipped file:
After some research we can find three interesting things.
First, the email address and the username of a user are in the header of a CSS file.
Second, we can reset the password of a user if we have his username and his email address (reset.php).
Moreover, the new password is derived from a generated date, and at the bottom of the reset.php page the same date (in the same format) is displayed. So we can easily find the new password.
Finally, log files are written without enough sanitising, which allows us to inject PHP code into the log files and execute arbitrary commands (config.php).
Note that we have to bypass the addslashes PHP function.
Resetting the password
First of all, we reset the password of the user found previously.
Then we use the date at the bottom of the page to guess the new password. This simple PHP code can be used:
In this case the new password will be:
We are now able to log in to the web application.
Remote code execution
As we saw in part 0x02, log files are written without enough sanitising, which means we can inject PHP code into the log files. To do that, we inject our PHP code into the email input of the login form.
In my case I use a basic PHP backdoor that executes a command passed in a GET variable and encoded in base64.
Note that because it is a POST request we have to bypass the addslashes function; that is why I use $_GET[cmd] instead of $_GET['cmd'].
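As an added illustration from the defender's side (example code, not from the original post or from the g0rmint VM; the log line format is an assumption), the following Python shows why addslashes() alone does not keep PHP out of a log file, what escaping actually neutralises the tags, and a check that flags log lines that have already been poisoned:

```python
import re

# Matches PHP open/close tags and superglobal accesses, the two things that
# turn a text log file into executable code once the web server serves it.
PHP_TAG_RE = re.compile(r"<\?(php|=)?|\?>", re.IGNORECASE)
SUPERGLOBAL_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\s*\[", re.IGNORECASE)

# Constructed sample log lines (assumed format: "<date> <time> <message>").
SAMPLE_LOG = [
    "2017-11-03 10:15:02 login failed for user@example.com",
    "2017-11-03 10:15:40 login failed for <?php echo 1; ?>@example.com",
    "2017-11-03 10:16:01 login failed for admin@example.com",
]


def addslashes(s: str) -> str:
    """Python port of PHP's addslashes(): it escapes only ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def sanitize_for_log(s: str) -> str:
    """Escape the characters that let a logged value be parsed as PHP or
    break the line structure; this is what the log writer should apply."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace("\r", "\\r").replace("\n", "\\n"))


def scan_log(lines):
    """Return (line_number, reasons) for every line that looks poisoned."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = []
        if PHP_TAG_RE.search(line):
            reasons.append("php-tag")
        if SUPERGLOBAL_RE.search(line):
            reasons.append("superglobal")
        if reasons:
            hits.append((n, reasons))
    return hits
```

A quoted-free PHP tag passes through addslashes() unchanged, which is exactly why it is not a sanitiser; the escaped form contains no tag the interpreter can recognise.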
We are now able to execute arbitrary commands on the system by calling the poisoned log file. For example:
Now we upload a reverse shell, change its permissions and execute it, in order to get remote access to the target system.
Note that you have to generate a reverse shell, via Metasploit or another platform, and to enable the Apache2 daemon.
Finally, we have our remote access.
I will not explain the following Python script; you only have to pass it arguments to gain a reverse shell. You can find this script here, on my GitHub account.
Another backup.zip file can be found in the /var/www/ folder. If we unzip this file and display the content of db.sql, we will find the original password hash of the g0rmint user.
The cracked MD5 password is: tayyab123. Now we can log in to the system via SSH.
The g0rmint user is a privileged user, so we can become root.