JIS-CTF: VulnUpload target machine walkthrough


Vulnhub is one of my favorite playgrounds. Each target machine on it is a cool game. Finding all the flags is only the basic task; the ultimate goal is privilege escalation. I do not aim for the fastest flag capture, but try to compromise the target with a complete attack chain. So some of the content in this walkthrough may not directly help capture a flag, but you should consider it when dealing with real targets.

The target "JIS-CTF: VulnUpload" contains 5 flags, is rated elementary difficulty, and takes an average of 1.5 hours to complete. You can get the VirtualBox-format image from https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/ and play it immediately after importing:

The JIS virtual machine uses DHCP, so I have to find its IP. nmap's -sn option is used for host discovery:

Soon, 4 live IPs were found. Among them, 56.1 is my host system's IP, 56.2 is the DHCP server, and 56.5 shows localhost-response, which is the local machine (kali), so the IP of JIS is

1. System service discovery
With the IP in hand, the first priority is service analysis. nmap's -O and -sV command-line options can be used for this:

JIS exposes SSH (OpenSSH 7.2p2) on port 22 and HTTP (Apache httpd 2.4.18) on port 80, and the operating system is Ubuntu. These three pieces of information form the main attack surface for the next stage.

2. System vulnerability analysis
For the SSH service, I usually attack from two angles: weak passwords and system vulnerabilities. For weak passwords, I brute force with common usernames and common passwords, although the probability of success is not high:

It won't finish in a short time, so let it run and check back later.

For system vulnerabilities in the SSH service, I recommend searchsploit. A precise search for OpenSSH 7.2p2:

There is a username enumeration vulnerability. If a valid username can be found, it helps with brute forcing the SSH password. Try it now with the exploit:

I tried several times, but the results differed each time, so I feel this exploit is unreliable. Perhaps the search criteria were too strict; drop the version number and search for openssh directly to see whether there are other vulnerabilities:

Two of them are worth considering: a local privilege escalation vulnerability and a remote command execution vulnerability. Unfortunately, neither can be used. For the local privilege escalation, there is currently no foothold (such as a webshell), so privilege escalation is not discussed yet. For the remote command execution, the exploitation conditions are very strict: the attacker must gain control of the forwarded agent-socket, and the target must use SSH to log in to the machine where the attacker controls the forwarded agent-socket, so that the target loads the specified *.so and executes commands. So I will not dig deeper into SSH system vulnerabilities for now.

Let's see whether the Apache service has any exploitable vulnerabilities:

The exact version found during the earlier service detection was Apache httpd 2.4.18, so only one vulnerability applies: a memory leak, which is of little value.

At this stage, system vulnerabilities can only be analyzed to this level. Although I know the distribution is Ubuntu, I don't know the specific version or system architecture, so it is difficult to pinpoint usable operating system vulnerabilities. There is no need to spend more time at the system vulnerability level; if I get a webshell later, I will analyze this in depth during privilege escalation. Now move to the web application level.

3. Web content discovery
Accessing the web port found earlier automatically redirects to

The HTML source has little valuable information; usernames cannot be enumerated; brute forcing weak passwords may be possible. The SSH brute force is not finished yet, so I set the web login brute force aside and look at other pages.

Before 2015, scanning web ports, finding the web admin backend, logging in to it with a weak password, and uploading a one-line webshell was a common attack technique with a high success rate. Whether the backend address can be found is the key to success. In other words, I need to discover more web content. Specifically, I hope to find more files, pages, and subdirectories, ideally sensitive files such as packaged source code, admin pages for backend operation and maintenance, and subdirectories holding business logic, to widen the attack surface. I usually combine enumeration and crawling to discover web content.

There are many tools for enumerating web content. In fact, burp has a powerful subdirectory enumeration function built in, which is often overlooked. After visiting the site with the traffic flowing through burp, the initial site directory structure is displayed immediately:

Enable the subdirectory enumeration function through engagement tools - discover content:

Before enumeration, use the firefox plug-in wappalyzer to confirm that the backend language is php:

A simple setting makes burp enumerate only php pages and ignore other languages such as aspx and jsp, to improve efficiency:

Soon, many new pages were enumerated:

You see, there are more pages and directories than before, such as logout.php and server-status/. I checked them one by one; there is not much valuable content.

Next, I used another tool, dirsearch, to enumerate the subdirectories again. dirsearch is efficient and configurable. Similarly, use the --extension option to enumerate only php pages, ignoring other languages such as aspx and jsp:

In the output file out.txt, 5 pages returned a successful HTTP response (200):

Visit these pages in turn with the traffic going through burp. The site directory structure is now as follows:

That is about as far as subdirectory enumeration goes. Next, crawl the site.

Crawling also uses burp:

Soon, the crawl was completed, and many new pages were added:

Search for the keyword flag in the burp site map, and the first match is

I got the first flag {7412574125871236547895214}; I also got a set of credentials admin/3v1l_H@ck3r, which may be for the web login or for SSH. Try them later. The second match obtained by searching for flag is

That gives the second flag {8734509128730458630012095}.

4. Web application vulnerability analysis

Try logging in with admin/3v1l_H@ck3r:

Success. There is a file upload function, so check whether it has a file upload vulnerability.

Upload a php webshell to try:

icesword.php uploaded successfully, so there is an arbitrary file upload vulnerability, but the upload directory is not echoed back. Recall the two directories uploads/ and uploaded_files/ found during web content discovery. An access attempt reports an error (the resource does not exist); visiting uploaded_files/icesword.php reports no error, although the page has no content. That is fine: at least it is clear that the upload directory is uploaded_files/.
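From the defender's side, the condition found above (an uploaded .php file that is reachable under the web root) can be checked for directly. The following is an added example, not part of the original write-up: a shell audit of an upload directory. The function names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit an upload directory
# for files the web server could execute as PHP.

# audit_uploads DIR -> prints one suspicious path per line, sorted, de-duplicated
audit_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "audit_uploads: not a directory: $dir" >&2; return 2; }
    {
        # 1) PHP-handled extension anywhere in the name: x.php, x.phtml, x.php.jpg
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \) -print
        # 2) PHP open tag in the content, whatever the file is called
        find "$dir" -type f -exec grep -liE '<\?(php|=)' {} + 2>/dev/null || true
    } | sort -u
}

# uploads_are_clean DIR -> exit 0 if nothing suspicious, 1 if hits, 2 on bad DIR
uploads_are_clean() {
    hits=$(audit_uploads "$1") || return 2
    [ -z "$hits" ]
}

# Demo on constructed sample files (directory name mirrors the write-up).
demo=$(mktemp -d)
mkdir "$demo/uploaded_files"
printf 'GIF89a constructed image bytes' > "$demo/uploaded_files/logo.gif"
printf '<?php /* constructed */ ?>'     > "$demo/uploaded_files/icesword.php"
printf 'GIF89a<?php /* constructed */'  > "$demo/uploaded_files/avatar.gif"
audit_uploads "$demo/uploaded_files"    # lists avatar.gif and icesword.php
rm -rf "$demo"
```

A clean result only means nothing is there yet; the fix belongs in the upload handler and server configuration: allowlist extensions, rename stored files, and serve the upload directory with script execution disabled.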

I use msfvenom to generate MSF's PHP reverse-shell payload msf_private.php:

Start MSF and listen, then visit the uploaded file to get a meterpreter session immediately:

Take a brief look at the files:

flag.txt and hint.txt caught my attention. On checking, flag.txt is not accessible; hint.txt contains the third flag {7645110034526579012345670} and a hint: to read flag.txt, I must first find the password of the account technawi:

Next, I need to find the password of the user technawi. I plan to search for technawi-related information in both file names and file contents.

I use meterpreter's built-in search command to find files with the keyword technawi in the file name:

It shows nothing found. Strange: if the user technawi exists, there must be a /home/technawi/, so how can nothing be found? Enter a shell and confirm again:

It is there. So, you see, the search built into meterpreter is not reliable. I checked the files one by one and found nothing valuable.

Find the files with the keyword technawi in the file content:

Checking them one by one, I found the fourth flag {7845658974123568974185412} in /etc/mysql/conf.d/credentials.txt, along with a set of credentials technawi/3vilH@ksor:
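The finding above works because a file holding an account password was readable by the web server's user. The following is an added example, not part of the original write-up, of the matching audit: list files under a configuration tree that every local account can read and that contain credential-like lines. The function name, regular expression, account name svc_app and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): find credential-bearing files
# that any local account, including the web server's, can read.

# Lines such as "password : x", "passwd=x", "pwd: x" (case-insensitive).
CRED_RE='(password|passwd|pwd)[[:space:]]*[:=][[:space:]]*[^[:space:]]+'

# find_exposed_credentials ROOT [ACCOUNT]
# Prints world-readable regular files under ROOT that contain a credential-like
# line or, when ACCOUNT is given, mention that account name.
find_exposed_credentials() {
    root=$1
    account=${2:-}
    [ -d "$root" ] || { echo "find_exposed_credentials: not a directory: $root" >&2; return 2; }
    {
        find "$root" -type f -perm -004 \
            -exec grep -liE "$CRED_RE" {} + 2>/dev/null || true
        if [ -n "$account" ]; then
            find "$root" -type f -perm -004 \
                -exec grep -lF -- "$account" {} + 2>/dev/null || true
        fi
    } | sort -u
}

# Demo on a constructed tree shaped like the path in the write-up.
tree=$(mktemp -d)
mkdir -p "$tree/mysql/conf.d"
printf 'username : svc_app\npassword : constructed-value\n' \
    > "$tree/mysql/conf.d/credentials.txt"
printf '[client]\npassword = constructed-value\n' > "$tree/mysql/debian.cnf"
chmod 644 "$tree/mysql/conf.d/credentials.txt"   # readable by everyone: reported
chmod 600 "$tree/mysql/debian.cnf"               # owner only: not reported
find_exposed_credentials "$tree"
rm -rf "$tree"
```

Files it reports should have the secret removed or their mode tightened to the owning service account, and any password found this way should be rotated.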

5. Log in to the system

Logging in to the system with the account technawi/3vilH@ksor succeeds:

Check flag.txt again and get the fifth flag {5473215946785213456975249}:

6. Privilege escalation

As I said at the beginning, flags are not my only goal when playing target machines; privilege escalation is also very interesting. I was about to check the kernel version and prepare a matching exploit when I vaguely remembered seeing the .sudo_as_admin_successful file in technawi's home directory:

Wow, good luck: this shows that technawi can switch to the root user with his own password:

With that, all flags are collected and privileges are successfully escalated!

