Thursday 3 March 2016

BrokenWebapps - CTF writeup

When I was looking for a new CTF, I found interesting website with multiple CTFs ISO and VM images, prepared (vulnerable) to hack. I decided to try OWASP Project called BrokenWebapps (VM I’ve tried was OWASP_Broken_Web_Apps_VM_1.2).

I prepared the VM and started another one (this time with Kali2.0 – both on VirtualBox). As far as I know, we can treat this VM as a big WWW server, hosting multiple webpages.

After installation, we will run nmap(link) against this box to check what kind of ports/services are up on the remote host:

Looks interesting. Let’s see what’s there. We can assume that there will be some HTTP server(s). Default open ports can tell us, that “maybe some WWW content” can be found on ports: 80, 443, 8080, 8081 (later we will check the rest of open ports).

First of all, when we will check port 80, we will find website with “many vulnerable” webapps installed. Let’s check what we can find here: from training missions (like WebGoat or OWASP Mutillidae II) to more realistic and finally to some old webapps (CMS) installed:

Yes, yes, we can find few interesting spots here.
Case I: Old Wordpress
As a first shot I’ve tried old Wordpress:

As we can see on the screen above, there is an ‘update’ from 2011, that the author enabled 2 plugins: Spreadsheet v0.6 and MyGallery 1.2.1. Looking for some vulnerabilities for those 2 on Google, we can find that MyGallery is vulnerable to remote fileinclusion and the exploit is already available publicly as CVE-2007-2426:

We will try to exploit this Wordpress installation by exploiting RFI vulnerability. To do this, on our KaliBox we need to prepare a shell file (PHP in txt file). Our super-1337-webshell-code will be:

<?php system($_GET['x']);

So now we need to find the path to mygallery plugin. In my case it will be As an argument for myPath parameter, we will use our prepared shell in TXT file but before we need to set command to our “x” parameter.
Now we can run commands on remote host:

Let’s now prepare a small Bash script to run commands in a different way (more useful IMO;)):
As you can see we can use GET command in Bash, and now our command(s) can be run like this:

Good. What we need now is a stable shell. Let’s find out how we can connect back to our machine (I couldn’t reconnect to my host just by using netcat, so I decided to prepare another - PHP - code to do it. I found a way on a PentestMonkey Blog).
Now our reverse shell in PHP looks like this:
Let’s rename it to TXT and download (wget) it to remote (victims) host. Next we need to rename it back to PHP file and run:
Next thing is to prepare listening netcat on our box: (nc –lvvp 4444):
So… now we have a “stable” shell on remote box. It’s still www-data user but at this stage we can also do multiple other things, for example:

  • check for password(s) in config files for that CMS
  • check, maybe there is a dump from SQL (or backups, etc…)
  • root the box ;)

There are also other interesting ideas, but we will stay with the topic of this document.
So to finish this stage (“root via old CMS”), we now need to verify, what kind of machine it is (kernel version? OS name/version? etc…) As we already have a shell access, it will be much easier to do it:

As far as I remember, kernel version is not up to date, so maybe we can find some working exploit to get root. “Dan can you help me?” ;)
Yes, he can:

As you can see, now we have an exploit. When you already read the source, let’s find out if we can use it against BrokenWebapps box:


So, is it a game over? I don’t think so. We still have here multiple other webapps to check.

Case II: Old Joomla

I found that on the BrokenWebapps server there is also old Joomla installed. I tried to figureout, maybe (like for Wordpress) I will find something interesting (exploitable) for installed XClone component. Nothing special. So I tried to find if there is an admin panel (and we all know that for Joomla, default location of admin’s panel is “/administrator/”. I was wondering if I will be able to bruteforce the password, but I guessed it in a first time. Credentials are admin:admin.
So now, we’re logged-in in Joomla’s admin panel:

Cool. AFAIK, we can upload shell via “extension manager”. Let’s go to “Extensions” and next to “Template Model”. Next we can choose template to edit, let’s try ‘beez’. Now (on the right) we can see ‘Edit HTML’. So we’are again able to modify webpage. Let’s put there our super cool webshell:
Click Save 2 times, and we are ready to go:
As we know there is always another way… so for now, we can see that all steps will be similar to case with old Wordpress. You have already a shell on the victims box, so now it’s time to reverse shell and root the box! ;)
For this case – old Joomla – I could not do the same (fsocket()) reverse shell trick, but I found a nice php-reverse-shell on PentestMonkey Blog. Now we are able to setup “stable webshell” and root the box:

Case III: OWASP Bricks

Next application I tried to exploit to get root was “OWASP Bricks” available on When we will visit /owaspbricks/ link, we will see a page with an upload functionality. Because there is no filtering – we can upload normal PHP file contains our webshell code:

Now, we can see where is the file:

As the file is already there, let’s visit it and check if we can run commands on remote host:

…of course we can! ;)
So now, there is nothing new because you already know how you can root this BrokenWebapps server. Game over. ;)

If you will have any comments/questions/feedback, you can contact me directly (here or here).

Cheers o/  

No comments:

Post a Comment

What do You think...?