BlackMarket: 1

[ vulnhub ctf walkthrough ]

Goal

Find 6 flags & 1 root flag

Download

https://www.vulnhub.com/entry/blackmarket-1,223/

Walkthrough

nmap

default 80

flag 1 - default 80 source

flag 1 txt, doesn’t give much of a clue except jason bourne

no sqli or wfuzz brute

googled the failed login message

found git repo with default creds

login as supplier

sqli using sqlmap on add product

flag 3

sqlmap provides hashes for blackmarket

admin md5 hash

admin login success, flag 4, and possible hint

flag 4 txt, guess there’s no need to spend more time on this webapp

dirb finds squirrelmail

guessed that ????? was a hint for jbourne’s email password from the previous flag 4 pop-up

jbourne email access

flag 5 and secret msg

flag 5 txt, duh

found how to decode by guessing the first two words as ‘Hi Dimitri’
the decoded letters were the opposite alphabet letters, mirrored from the middle out

added all possible keywords to the common wordlist, but nothing was found

since things have been misspelled and we’re looking for a ‘workshop’, added a rule to john to prepend and append a-zA-Z0-9 to the word workshop, and then created a new wordlist
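The wordlist step above is easy to reproduce without john. This is an added example, not the author’s rule file: it generates every single-character prefix and suffix variant of a base word from [a-zA-Z0-9] (and optionally both at once), which is the same candidate set a john rule pair of `^[a-zA-Z0-9]` (prefix one character) and `$[a-zA-Z0-9]` (append one character) would produce. The john invocation quoted after the block is a reconstruction, not copied from the page.

```python
# Added example: build the "mangled" dirb wordlist by affixing one character
# from a-zA-Z0-9 to a base word. Mirrors john rules ^[a-zA-Z0-9] and $[a-zA-Z0-9].
import string
import sys

CHARSET = string.ascii_letters + string.digits  # a-zA-Z0-9, 62 characters


def mangle(word: str, both: bool = False) -> list:
    """Return the base word, then every prefix and suffix variant, deduplicated.
    With both=True also emit prefix+suffix pairs (62*62 extra candidates),
    which covers misspellings that pad on both sides at once."""
    seen = {word}
    out = [word]
    for ch in CHARSET:
        for cand in (ch + word, word + ch):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    if both:
        for pre in CHARSET:
            for suf in CHARSET:
                cand = pre + word + suf
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


def write_wordlist(path: str, words: list) -> int:
    """Write one candidate per line (the format dirb expects); return the count."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "workshop"
    out_path = f"{base}-mangled.txt"
    n = write_wordlist(out_path, mangle(base, both=True))
    print(f"wrote {n} candidates to {out_path}; feed it to dirb as the wordlist")
```

With john instead, the equivalent (reconstructed, not from the page) is a custom section in john.conf such as `[List.Rules:Affix]` containing the two lines `^[a-zA-Z0-9]` and `$[a-zA-Z0-9]`, applied with `john --wordlist=base.txt --rules=Affix --stdout > mangled.txt`. Either way the list is small (125 entries for a single affix, 3969 with both sides), so dirb finishes quickly and the hit on vworkshop is a single-prefix candidate.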

running dirb with the new wordlist proves successful

vworkshop shows another cms

we’re looking for kgbbackdoor though, and it’s there, sorta

dirb using different extensions proves successful, first .txt and then .php

flag 6 found and we’re moving off of webapps

backdoor is there, just not working…yet

remember we need PassPass.jpg to make it work, and the image was there

downloading the image and throwing it at strings yields a pass

then decimal to hex and hex to ascii
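The decimal → hex → ASCII conversion above is short enough to script, and scripting it avoids the usual mistake of dropping a leading zero when the hex string has an odd length. This is an added example, not part of the original write-up; the number pulled out of PassPass.jpg is not on the page, so SAMPLE is a constructed value that decodes to ‘s3cret’. Whether the embedded value is one big decimal or a run of per-character decimals is not stated either, so the decoder handles both and is labelled as assuming so.

```python
# Added example: decimal -> hex -> ASCII for a numeric string recovered with
# `strings`. SAMPLE is constructed (decodes to "s3cret"); the real value from
# PassPass.jpg is not reproduced on the page. Assumption: the number is either
# one big decimal or several whitespace/comma separated per-character decimals.
import re

SAMPLE = "126664548967796"          # constructed: int.from_bytes(b"s3cret", "big")
SAMPLE_SPLIT = "115 51 99 114 101 116"  # constructed: the same bytes, one per token


def decimal_to_hex(num: int) -> str:
    """Hex string for a non-negative integer, zero-padded to whole bytes so
    bytes.fromhex() does not choke on an odd digit count."""
    if num < 0:
        raise ValueError("expected a non-negative integer")
    h = format(num, "x")
    return "0" + h if len(h) % 2 else h


def hex_to_ascii(hexstr: str) -> str:
    """Strict ASCII decode; a UnicodeDecodeError here means the guess was wrong."""
    return bytes.fromhex(hexstr).decode("ascii")


def decode_numeric(blob: str) -> str:
    """Pull every run of digits out of `blob`. One run is treated as a single
    big number; several runs are treated as one character code each."""
    tokens = re.findall(r"\d+", blob)
    if not tokens:
        raise ValueError("no decimal digits found")
    if len(tokens) == 1:
        return hex_to_ascii(decimal_to_hex(int(tokens[0])))
    return "".join(hex_to_ascii(decimal_to_hex(int(t))) for t in tokens)


def looks_like_password(text: str) -> bool:
    """Cheap sanity check: non-empty and entirely printable ASCII."""
    return bool(text) and all(32 <= ord(ch) < 127 for ch in text)


if __name__ == "__main__":
    for blob in (SAMPLE, SAMPLE_SPLIT):
        pw = decode_numeric(blob)
        print(f"{blob!r} -> {pw!r} (plausible: {looks_like_password(pw)})")
```

If the printable check fails on a real capture, the likely causes are a stray digit picked up from elsewhere in the `strings` output or the wrong byte order; both show up immediately as non-ASCII output rather than as a silently wrong password.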

using found password, we have our backdoor

we need a shell to work

interesting finds under home

nicky reveals flag 2

flag 2 reveals nothing important

dimitri has a secret

using a technique from netsec to spawn a tty shell, root access gained using su and an alternate spelling of dimitri’s secret

root flag

Written on June 24, 2018