Vulnhub: JIS-CTF VulnUpload Write-Up

This is a writeup of JIS-CTF: VulnUpload VM from Vulnhub.

Challenge: There are five flags on this machine. Try to find them. It takes 1.5 hours on average to find all flags.

Difficulty: Beginner

Date release: 8, Mar, 2018

Author: Mohammad Khreesha

Write-Up

Getting IP address:

I was able to run this on VMware even though the page says it only works with VirtualBox.

I configured the VMs (attacker and target) on a host-only network; my host-only network has the IP 192.168.199.0.

On running nmap:

I found the IP to be 192.168.199.131. This is the result in a browser:

Information Gathering:

I decided to run nikto and see what useful information I would get:

It found several directories and also a robots.txt file.

After loading the robots.txt file, I saw that one of the directories listed is flag.

After checking it out, boom! Our 1st flag!!

I did some exploring on the other directories listed in the robots.txt file, but most displayed nothing except /admin_area:

The page just displayed “The admin area not work :)” but on inspecting the page we find our 2nd flag, commented out! There are also some login credentials.

I tried logging in with those credentials and got a successful login:

Exploitation:

For exploitation I decided to try uploading a php-reverse-shell file, which can already be found in Kali. I copied mine to the desktop and renamed it to exploit.php:

I edited the IP to my attacker’s IP and the port to the port I want to listen on.

I then opened a netcat listening session on port 4444:

Uploading the file didn’t give any errors, so it was successfully uploaded. I ran it by changing the URL to /uploaded_files/exploit.php, and going back to the netcat session we get a reverse shell:
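The upload form accepted a .php file and the server then executed it from /uploaded_files/. As an added example (not part of the original write-up or the VM's code), here is a sketch of the server-side check the upload handler lacked. The image-only policy and the names `check_upload`, `ALLOWED` and `SCRIPT_EXT` are assumptions made for illustration.

```python
import os
import re
import secrets

# Assumed policy (not from the write-up): the upload feature only needs images.
# Maps each allowed extension to the magic bytes the content must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a script-enabled web server may execute or treat as config,
# matched anywhere in the name so "exploit.php.jpg" is caught too.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht|cgi|pl|py|sh|htaccess)(\.|$)", re.I)


def check_upload(filename: str, data: bytes):
    """Return (True, stored_name) if acceptable, else (False, reason)."""
    # Drop any client-supplied directory components.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or "\x00" in base:
        return False, "bad filename"
    if SCRIPT_EXT.search(base):
        return False, "script extension in name"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not on allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    # Heuristic only: a valid image header can still be followed by PHP code.
    if b"<?php" in data.lower():
        return False, "embedded PHP tag"
    # Server-chosen name: the client never controls the path under the web root.
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads, including the exploit.php case from the write-up.
    samples = [
        ("exploit.php", b"<?php /* reverse shell */ ?>"),
        ("exploit.php.jpg", b"\xff\xd8\xff"),
        ("pic.gif", b"GIF89a<?php echo 1; ?>"),
        ("holiday.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(name, "->", check_upload(name, body))
```

Filename and content checks are only one layer: the upload directory should also be served with script execution disabled, so a file that slips through is returned as data rather than run.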

After looking around, I went to the webserver directory /var/www/html and found a flag.txt file but didn’t have permission to read it.

But there is a hint.txt file, and on checking it I get the 3rd flag!!:

The hint there made me spend a while on it, but after googling and reading another writeup, it turns out the file is hidden in a secret location, not hidden in the Linux sense that it’s not visible.

I decided to find files that belong to user technawi and have readable content:

After searching I get the credentials.txt and there’s the 4th flag!!

I used the password and switched user to technawi so that I can read the flag.txt file:

On the first try, su (switch user) did not work as it needed to be run from a terminal, so using that Python command I spawned a shell. However, this VM only had python3 installed, so I had to use python3 to run the command. After changing user to technawi, the flag.txt has our 5th flag!!, which is also the last flag.

After thoughts:

It was a simple CTF challenge even for me as a beginner, even though I didn’t immediately understand the hint and had to look for help from another writeup.

I will definitely be doing more challenges like this and write about them.

CyberSecurity | CTFs | https://blog.ikuamike.io

Michael Ikua
