TAMU CTF 2019 Writeups


Wordpress

Challenge Description:

I set up my own Wordpress site!
I love that there are so many plugins. My favorite is Revolution Slider. Even though it's a little old, it doesn't show up on wpscan!
Please give it about 30 seconds after connecting for everything to set up correctly.
The flag is in /root/flag.txt
Difficulty: medium

OpenVPN config file:

Start by configuring the OpenVPN config file.

images/11-1.png

Now use nmap to scan the network.

images/11-2.png

The scan shows a host at 172.30.0.3 with SSH and HTTP ports open, and another host, 172.30.0.2, with a MySQL service open.

So 172.30.0.3 looks like our web server and the other one is the database server.

Let's look at the site by entering 172.30.0.3 in the browser.

images/11-3.png


So it's a WordPress site. I ran wpscan against it but found nothing interesting (when scanning with wpscan, use a 30-second timeout).
The challenge description also hinted that the site uses the Revolution Slider (revslider) plugin. Googling for revslider exploits, I found that revslider has a file upload vulnerability.
Basically, we can upload a file to the web server by exploiting that vulnerability. To demonstrate, let's fire up msfconsole and do the following.

Before that, write a simple PHP payload as a proof of concept. The payload I used was:

images/11-4.png

Now the msfconsole part:

images/11-5.png

With this we have successfully uploaded the payload.
Let's check it on the real server:

images/11-6.png

So far so good. Now my target is to upload a PHP TCP reverse-shell payload which, when run, gives us a shell on port 1234 (for example).
I have a shellcode.php in my tool list which I use for this purpose. I uploaded it as follows:

images/11-7.png


Download the php-reverse-shell

Now I just have to start a listener on port 1234 and hit my payload. Before hitting the payload:

images/11-8.png


After hitting the payload:


images/11-9.png
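
What made the shell above possible is a plugin writing a PHP file into wp-content/uploads, a directory that should only ever hold media. The following script is an added example for this writeup (not the author's code and not part of any tool used here) showing the detection side: it walks an uploads tree and flags files with an executable extension or a PHP open tag hidden inside a non-PHP file. The directory layout and the sample files it creates are constructed for the demonstration.

```python
"""Audit a WordPress uploads tree for server-side code that should not be there.

wp-content/uploads is meant to hold media only. A vulnerable plugin (such as the
Revolution Slider upload bug used in this writeup) drops PHP files there, so a
periodic scan of that tree is a cheap detection control. Added example for the
writeup, not part of the original post; the sample tree below is constructed.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Extensions mod_php / PHP-FPM commonly execute; .phtml, .phar and .php5 are often forgotten
CODE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# PHP open tag (long or short-echo form), case-insensitive, searched in the file head
PHP_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)


def scan_uploads(root: str, head_bytes: int = 4096) -> List[Tuple[str, str]]:
    """Return sorted (relative_path, reason) pairs for each suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Normalise separators so results look the same on every platform
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in CODE_EXTENSIONS:
                findings.append((rel, "executable extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if PHP_TAG.search(head):
                findings.append((rel, "php tag inside non-php file"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Create a constructed uploads tree: one clean image and two planted files."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2019", "02"))
    # Clean JPEG: SOI marker followed by padding, no PHP inside
    with open(os.path.join(root, "2019", "02", "banner.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # Planted file with an executable extension (constructed, harmless content)
    with open(os.path.join(root, "2019", "02", "poc.php"), "wb") as fh:
        fh.write(b"<?php echo 'constructed sample'; ?>")
    # Polyglot: image extension with PHP appended after the PNG header
    with open(os.path.join(root, "2019", "02", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"<?php echo 1; ?>")
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_tree()):
        print(f"{reason:30s} {rel}")
```

Run it against a real install as scan_uploads("/var/www/html/wp-content/uploads") from cron and alert on any finding. Alongside the scan, the usual hardening is to deny PHP execution under wp-content/uploads at the web server layer (for example an nginx location rule for that path that returns 403 for *.php), so a planted file cannot run even if the upload itself succeeds.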

After some simple Linux commands I found note.txt:

images/11-10.png


So the SSH key is on the DB server at /backup/id_rsa, and the DB server is 172.30.0.2.
Now we need some more things to work with,
so I checked the wp-config.php file using cat, and guess what: I found the database credentials.

images/11-11.png


So the DB username is 'wordpress', host: 172.30.0.2, password: '0NYa6PBH52y86C'.
I connected to the DB server with these values.

images/11-12.png


So I have to read /backup/id_rsa on this server. Since I now have full control over the database, this is quite a simple task.
What I did was create a 'temp' table with one column, load the contents of /backup/id_rsa into that table, and read it back with a SELECT query.

In action:

images/11-13.png

After the SELECT query:

images/11-14.png
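
Loading a file from the server's filesystem into a table only works because the wordpress account holds the global FILE privilege and the server does not confine file operations (secure_file_priv). Below is an added example for this writeup (not the author's code) of the audit a DB administrator would run to catch that: it parses the text that "SHOW GRANTS" and "SHOW VARIABLES LIKE 'secure_file_priv'" print and turns any risky grant into the matching REVOKE. The grant lines and the secure_file_priv value in the block are constructed to look like this challenge's setup.

```python
"""Check MySQL grants and secure_file_priv for the file-read exposure used in the writeup.

The wordpress database account in this challenge could pull /backup/id_rsa into a
table because it held FILE on *.* and the server did not restrict file access.
This helper parses the output of `SHOW GRANTS` and `SHOW VARIABLES LIKE
'secure_file_priv'` and reports what to change. Added example, not part of the
original post; the sample grant lines below are constructed.
"""
import re
from typing import Dict, List

# Global privileges that give a database account filesystem access or escalation
DANGEROUS = {"FILE", "SUPER", "ALL PRIVILEGES", "PROCESS", "SHUTDOWN"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>'[^']*'@'[^']*')",
    re.IGNORECASE,
)


def parse_grant(line: str) -> Dict[str, object]:
    """Split one GRANT line into its privilege set, object scope and account."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return {"privs": privs, "scope": m.group("scope"), "who": m.group("who")}


def audit(grant_lines: List[str], secure_file_priv: str) -> List[str]:
    """Return findings for an application account, each with the statement that fixes it."""
    findings = []
    for line in grant_lines:
        g = parse_grant(line)
        risky = sorted(g["privs"] & DANGEROUS)
        # FILE, SUPER etc. are only meaningful as global (*.*) grants
        if risky and g["scope"] == "*.*":
            findings.append(
                f"{g['who']} holds {', '.join(risky)} on *.*; "
                f"fix: REVOKE {', '.join(risky)} ON *.* FROM {g['who']};"
            )
    # An empty secure_file_priv means LOAD DATA / LOAD_FILE can reach any path the
    # mysqld process can read; NULL disables file operations, a directory confines them.
    if secure_file_priv.strip() == "":
        findings.append(
            "secure_file_priv is empty; set it to NULL or a dedicated directory in my.cnf"
        )
    return findings


# Constructed sample resembling this challenge: a web-app account with FILE on *.*
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'wordpress'@'%'",
    "GRANT FILE ON *.* TO 'wordpress'@'%'",
    "GRANT ALL PRIVILEGES ON `wordpress`.* TO 'wordpress'@'%'",
]
SAMPLE_SECURE_FILE_PRIV = ""  # what an unhardened server reports


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, SAMPLE_SECURE_FILE_PRIV):
        print(finding)
```

Feed it the real output with something like mysql -N -e "SHOW GRANTS FOR 'wordpress'@'%'" and the value column of SHOW VARIABLES LIKE 'secure_file_priv'. A WordPress account needs only database-level privileges on its own schema (the third sample grant); the FILE grant is what turned a leaked wp-config.php password into a read of /backup/id_rsa, and keeping that key out of a directory the mysqld user can read is the second, independent fix.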

I saved this output to a file named id_rsa. Now I have to use this key to connect over SSH as the root user.

images/11-15.png


After logging in I got the flag.

It was a fun challenge ;-)