Welcome to another segment in my Vulnhub series! Today I am focusing on the billu: b0x CTF game hosted on Vulnhub. The game description didn’t say much, just that it runs standard LAMPP and the mission is to gain ROOT access. Well, then – let’s get cracking!


Finding Target and Services

Finding the Target:

$ sudo nmap -sn


$ sudo nmap -p1-65535 -A -T4 -sS

Only found ports 22 and 80 open.


Started by looking at SSH: no banners or other information in sight. Moved over to the web server instead. Upon visiting it I was presented with this landing page:

[Image: Web landing page]

Clearly the landing page hints at SQL injection. I toyed with the login form, but soon grew tired of it and decided to fire up dirb to make my day easier.

$ dirb /usr/share/wordlists/dirb/big.txt

Dirb uncovered some interesting paths, among them /test and /phpmy, the latter belonging to phpMyAdmin. Looking at /test first, I was presented with this message:

[Image: Missing parameter]

Apparently /test expects an HTTP POST. Firing up Burp Suite to toy with it further, I discovered I was able to read /etc/passwd:

[Image: Reading /etc/passwd]

Clearly this is indeed a test script, and a rather dangerous one too. Anyhow, knowing that I could read basically any file on the box, I turned my focus to phpMyAdmin and tried to read its configuration file:

[Image: Reading phpMyAdmin configuration]
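The /test script hands back whatever file it is asked for, which is exactly the check it was missing. As an added example (not the box's own script, which the write-up never shows), here is a confined file-read handler in Python: it resolves the requested name with realpath so that `..` segments and symlinks are expanded before the path is compared against the allowed directory, and it rejects absolute paths and NUL bytes outright. The sample directory tree is constructed by the block itself.

```python
import os
import tempfile


def make_sample_root() -> str:
    """Constructed sample web root: one readable file plus a symlink that
    points outside the tree (the kind of escape a realpath check must catch)."""
    root = tempfile.mkdtemp(prefix="billu_demo_")
    public = os.path.join(root, "public")
    os.makedirs(public)
    with open(os.path.join(public, "notes.txt"), "w") as f:
        f.write("hello\n")
    # Symlink inside the allowed tree whose target lies outside it.
    os.symlink("/etc/passwd", os.path.join(public, "escape"))
    return public


class RejectedPath(ValueError):
    """Raised when a requested path is refused by read_confined()."""


def read_confined(base_dir: str, requested: str) -> bytes:
    """Return the contents of 'requested' only if it resolves inside base_dir."""
    if "\x00" in requested:
        raise RejectedPath("embedded NUL byte")
    if os.path.isabs(requested):
        raise RejectedPath("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    # realpath resolves '..' segments and symlinks before the comparison,
    # so neither traversal nor a planted symlink can slip past it.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise RejectedPath("path escapes the allowed directory")
    if not os.path.isfile(target):
        raise RejectedPath("not a regular file")
    with open(target, "rb") as f:
        return f.read()


def try_read(base_dir: str, requested: str) -> str:
    """Convenience wrapper: 'ok:<contents>' on success, 'rejected:<reason>' otherwise."""
    try:
        return "ok:" + read_confined(base_dir, requested).decode()
    except RejectedPath as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    root = make_sample_root()
    for name in ["notes.txt", "../../etc/passwd", "/etc/passwd", "escape"]:
        print(f"{name!r}: {try_read(root, name)}")
```

The first request succeeds; the traversal, the absolute path and the planted symlink are all refused with a reason that can be logged.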

Tried logging in to the /phpmy path with the credentials root:roottoor. Access denied. Digging further through the main web folder, I read out index.php. It referenced a file called c.php; reading that one out too revealed a new set of credentials (billu:b0x_billu), with which I was able to log in to phpMyAdmin.

That first credential set nagged me. A root user logging in to the database? Seriously? Better test whether it could also be used on, say, the SSH service.

[Image: SSH login as root]

Hey, look at that! It worked: I am ROOT. No flag in sight, though; unsure if there is one.