Tiki CTF walkthrough

Overview:

Target Machine IP Address: 192.168.56.103
My Machine IP Address: 192.168.56.1

Mission:

Boot to Root

1. To get root flag
2. To get root access

Description:

"Oh no our webserver got compromised. The attacker used an 0day, so we dont know how he got into the admin panel. Investigate that.

This is an OSCP Prep Box, its based on a CVE I recently found. Its on the OSCP lab machines level."

Level: Easy/Medium 

Easy/Medium

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24

Target IP: 192.168.56.103

nmap -sC -sV -p- -Pn 192.168.56.103 -o nmap.log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 a3:d8:4a:89:a9:25:6d:07:c5:3d:76:28:06:ed:d1:c0 (RSA)
| 256 e7:b2:89:05:54:57:dc:02:f4:8c:3a:7c:55:8b:51:aa (ECDSA)
|_ 256 fd:77:07:2b:4a:16:3a:01:6b:e0:00:0c:0a:36:d8:2f (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_ Supported Methods: POST OPTIONS HEAD GET
| http-robots.txt: 1 disallowed entry 
|_/tiki/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: 5h29m58s
| nbstat: NetBIOS name: UBUNTU, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| UBUNTU<00> Flags: <unique><active>
| UBUNTU<03> Flags: <unique><active>
| UBUNTU<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>

1. HTTP (80/tcp)

http://192.168.56.103/tiki/tiki-index.php

gobuster dir -u http://192.168.56.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -o gobuster.log

dirsearch -u http://192.168.56.103 -e .html,.php,.txt,.php.bak,.bak,.zip -w /usr/share/wordlists/dirb/common.txt -f

I got tiki right from the robots.txt however, couldn’t figure out how to find the version of the tiki cms.  Therefore, I have to find other way based on the information I have (from the nmap result).

Since the target box is running smb, let’s enumerate it using enum4linux

enum4linux 192.168.56.103

smbclient //192.168.56.103/Notes

cat Mail.txt

Password of TikiCMS: 51lky571k1 

I struggle alittle  for the username as I was think a way to bruteforce it. All of sudden I remember that the box itself shows a username silky when we start the machine. When I tried that, it let me in 🙂

! Hi my Name is Silky,
This is my third CTF. Dont give up, there is always a way to __root__!

I like Cats, Frogs, Snakes and cute Doggos but thats not helpful isnt it?
Hmmm maybe you like something different, ... You like Hacking right? 
I got a new CVE Number: But I constantly forget its ID :/

When I see this message (specially the bold one), I tried every way possible to know the version of the Tiki running on our target machine. Nevertheless, it took me more than two days lol (I mean the leisure time). Guess what? I even asked in a telegram group. But no luck.

Therefore, I tried my Jungle Knowledge

The last modification date is 2020 July 30, so when I need to find an exploit which has CVE number around at year and time. (Pure guessing out of desparation)

I checked both the exploit and it is same. So I didn’t bother much but directly visited the exploit-db.

You can copy the exploit as per your preference 🙂

You can run the exploit using

python3 48927.py 192.168.56.103

Based on the output, we need to fire the burpsuite.

i) Burp is ready and then I tried to login with username admin and a fake password badman.

 

ii) Then I erased the password value and forward the request and I was able to login with admin privilege.

 

 

You might see sam, actually sam is not there. I tried to upload a php-reverse-shell, thought to get a reverse connection but was not successful lol

Then the credential page caught my eyes. and it has indeed hidden gems in it 🙂

We know SSH protocol is running and got the following credentials.

username and password

silky:Agy8Y7SPJNXQzqA

 

flag:88d8120f434c3b4221937a8cd0668588

That’s all guys… It is my habbit to  pray before I retire to bed and I think right now is the perfect time to do so 🙂  By the way, I pray for all the sentient beings which includes you, and I wish you happiness   🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed

Menu