2020 Metasploit Community CTF Write-up

Metasploit Community CTF

The SETUID Ace of Clubs (port 9009)

Our prize awaits with root privileges
Bash-based redirection
Bash reverse shell — but only as our user. :(
Correct User/Pass… overwritten flag. Time to revert!
Ghidra reversed it straight to source code. Beautiful.
Overwriting /etc/passwd
Confirmed root privileges
FTW

SpyHunter — Eight of Diamonds (port 5555)

Rapid prototyping made easy
drive.py test run
Ready to Drive
Watching it move!

Password Functions — 4 of Clubs

The Challenge
Guessing a hash
Finally

Game Review — 2 of Spades

Ah, this is SQLite
Enumerate column numbers and output location

Moose Gallery — 6 of Diamonds

Don’t mind if I do!
Moose!
  1. Send a web shell such as <?php system($_GET['cmd']); ?> as the content of the uploaded file, and name the file something.jpg.php. A double-extension filename often gets past basic filename filtering, which stops at the first . and ignores the second extension. If it succeeds, and the site isn't inspecting file content, it gives us a shell we can do anything with through requests to the page, such as /page.php?cmd=ls, which is obviously what we want to happen here! No joy.
  2. The next level is to put a simple GIF image header, GIF89a, in front of the PHP shell payload, but that didn't work either.
  3. Exif content fields in JPG images are known to work as well. Let's go that route.
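For the defender's side of the three attempts above, here is an added example (not the challenge's code and not the author's) of a server-side upload check that rejects each of them: it looks at every dotted segment of the filename rather than only the first, requires a known image signature that agrees with the extension, and searches the whole file body, metadata included, for a PHP open tag. The validator, its constant names and the sample uploads are all constructed for this illustration.

```python
import re

# Constructed validator for an image-upload endpoint. It rejects the three
# upload tricks from the write-up: double extension, GIF header in front of
# PHP, and PHP hidden in JPEG metadata. Names and samples are assumptions.

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions a PHP-enabled server may execute if they appear anywhere in
# the name (Apache can match a handler on any dotted segment, not just the last).
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Long-form open tag or the echo short tag. A bare "<?" is also executable
# when short_open_tag is on, but matching it would also flag harmless XMP
# "<?xpacket" metadata, so that stricter choice is left to the deployer.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def normalize_ext(ext):
    return "jpg" if ext == "jpeg" else ext


def check_upload(filename, content):
    """Return (accepted, reasons). Every failing check is reported so a log
    line shows which bypass technique was attempted, not just that it failed."""
    reasons = []
    segments = filename.lower().split(".")
    exts = segments[1:]
    if not exts:
        reasons.append("no file extension")
    else:
        if exts[-1] not in ALLOWED_EXT:
            reasons.append(f"final extension .{exts[-1]} is not an image type")
        for ext in exts:
            if ext in EXECUTABLE_EXT:
                reasons.append(f"executable extension .{ext} inside filename")
    kind = next((k for magic, k in MAGIC.items() if content.startswith(magic)), None)
    if kind is None:
        reasons.append("content does not start with a known image signature")
    elif exts and normalize_ext(exts[-1]) in ALLOWED_EXT and normalize_ext(exts[-1]) != kind:
        reasons.append(f"signature says {kind} but extension says .{exts[-1]}")
    if PHP_OPEN_TAG.search(content):
        reasons.append("PHP open tag found in file body (metadata included)")
    return (not reasons, reasons)


# Constructed samples: the three techniques from the write-up plus a clean file.
SAMPLES = {
    "double extension": ("something.jpg.php", b"<?php echo 'marker'; ?>"),
    "gif header + php": ("shell.gif", b"GIF89a<?php echo 'marker'; ?>"),
    "php in jpeg exif": (
        "photo.jpg",
        b"\xff\xd8\xff\xe1" + b"\x00\x20Exif\x00\x00" + b"<?php echo 'marker'; ?>" + b"\xff\xd9",
    ),
    "clean jpeg": ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"),
}


def audit(samples=SAMPLES):
    """Run every sample through the validator; returns {name: (accepted, reasons)}."""
    return {name: check_upload(fn, data) for name, (fn, data) in samples.items()}


if __name__ == "__main__":
    for name, (ok, reasons) in audit().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT'} {reasons}")
```

Content scanning is a defense-in-depth layer, not the primary control: the stronger mitigation for this class of bug is to rename uploads to a server-generated name, store them outside the web root (or in a directory with script execution disabled), and serve them through a handler that never hands them to the PHP interpreter.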
That directory looks interesting
There’s our flag!

Black Joker — I Hate Salt Password Cracking

Subdomain Brute-Force — 9 of Diamonds

Answer Guessing — 3 of Spades

Steve Walker
Offensive cyber security and threat researcher