Welcome to another segment in my Vulnhub series! Today I am focusing on the billu: b0x CTF game hosted on Vulnhub. The game description didn’t say much, just that it runs standard LAMPP and the mission is to gain ROOT access. Well, then – let’s get cracking!
Finding the Target and Services
Finding the target:
$ sudo nmap -sn 192.168.110.0/24   # host discovery turned up 192.168.110.24
$ sudo nmap -p1-65535 -A -T4 -sS 192.168.110.24
Only ports 80 and 22 were found open.
Started by looking at SSH: no banners or other information in sight. Moving over to the web server. Upon visiting it I was presented with this landing page:
Clearly the landing page hints at SQL injection. Toyed with the login form, but soon grew tired of it. Decided to fire up dirb to make my day easier.
$ dirb http://192.168.110.24 /usr/share/wordlists/dirb/big.txt
Dirb managed to uncover some interesting paths, amongst them /test and /phpmy – the latter belonging to phpMyAdmin. First, looking at /test I was presented with this message:
Apparently /test works using HTTP POST. Firing up Burp Suite to toy further, I discovered I was able to read /etc/passwd:
Clearly this is indeed a test script – and quite a dangerous one too. Anyhow, knowing that I could read basically anything, I turned my focus to phpMyAdmin and tried to read its configuration file:
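The root cause behind that "test script" is a handler that hands whatever path the client posts straight to a file-read call. As an added illustration from the defender's side (this is not the box's own /test code, and the parameter name "file" and the base directory are assumptions), here is the same kind of endpoint confined to one directory: the requested path is canonicalised with realpath() and rejected unless it stays under the allowed base, which closes off ../ sequences, absolute paths and symlinks that point elsewhere.

```php
<?php
// Added example: a confined file-read handler, not the CTF box's /test script.
// Assumptions: the client posts the path in a "file" parameter, and only files
// below ALLOWED_BASE are ever meant to be served.
declare(strict_types=1);

const ALLOWED_BASE = '/var/www/html/public';

/**
 * Resolve $requested relative to $base and return the canonical path,
 * or null if it does not resolve to a regular file inside $base.
 */
function resolveSafePath(string $base, string $requested): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // A NUL byte can truncate the path in C-backed calls; refuse it outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks and returns false for
    // paths that do not exist, so an absolute or traversing request ends up
    // either non-existent or outside the base directory.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The canonical result must begin with the canonical base plus a separator.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// The defective pattern this replaces reads the client-controlled path
// directly, e.g. file_get_contents($_POST['file']), which is an
// arbitrary file read as the web server user.

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['file'])
    || !is_string($_POST['file'])) {
    http_response_code(400);
    exit('Bad request');
}

$path = resolveSafePath(ALLOWED_BASE, $_POST['file']);
if ($path === null) {
    // Log refused requests: repeated hits here are worth an alert.
    error_log(sprintf(
        'file read refused: %s from %s',
        $_POST['file'],
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));
    http_response_code(403);
    exit('Forbidden');
}

header('Content-Type: text/plain; charset=utf-8');
readfile($path);
```

The prefix comparison happens on the output of realpath() on both sides, never on the raw request string, so string tricks that look harmless before canonicalisation are still caught. The error_log() call on the refusal path is what gives the operator something to detect: a legitimate client almost never trips it, so a burst of 403s from one address is a clear signal.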
Tried to log in with root:roottoor on the /phpmy path. Access denied. Digging further through the main web folder, I decided to read out index.php. It referenced a file called c.php, and reading that one too turned up a new set of credentials (billu:b0x_billu). With these I was able to log in to phpMyAdmin.
That first credential set nagged me. A root user logging into the database? Seriously? Better test whether it could be used on, say, the SSH service.
Hey, look at that! It worked! I am ROOT. No flag in sight, though; unsure if there is one.