damo.clanteam.com Security Challenge I [writeup]

Hey fellas, it's been a while since the last post. Anyway, I saw this security challenge post on Twitter and thought of giving it a shot, so this is the write-up post for the first challenge. It's pretty easy, actually.

The challenge is to log in to the admin area, which is protected with .htpasswd. When we enter the challenge, there is a link to see the people who completed it. The first thing I noticed was the page URL, which had index.php?page=halloffame, so my guess was either LFI or SQLi. With a simple single quote I was able to identify the vulnerability as LFI, because the error contained

Warning: include(halloffame'.php)

Also, since .php is added by index.php, I guessed the code is something like

<?php
include($_GET['page'].".php");
?>

Since there is a .php appended at the end, I used null to comment it out. Also, since our target is to get the htpasswd file, I made the first attempt with page=admin/.htpasswd% but it returned with no file. So my second guess was page=admin/.htaccess%00

[screenshot: c1-01]

and it returned with

AuthType Basic
AuthName "Restricted Access!"
AuthUserFile /www/clanteam.com/d/a/m/damo/htdocs/hiddenfoldersch1/.htpasswd
Require user damo

So now we know the path of the .htpasswd file, and my next obvious step was to grab the .htpasswd file.

[screenshot: C1-S2]

Since the password was encrypted, I used john to crack the password.

john --wordlist=/usr/share/wordlist/rockyou.txt htpasswd

And after the brute force was successful, I got the password as

[screenshot: c1-s3]

Alright. See you soon, guys.
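
A hardened form of the include guessed above, as an added example that is not code from the original post or from the challenge site. The page names in the allowlist and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based replacement for include($_GET['page'] . ".php").
// The page names and the pages/ directory are assumptions for illustration.

const PAGE_DIR = __DIR__ . '/pages';

// Accepted ?page= values mapped to files. User input only selects a key;
// it is never concatenated into a filesystem path.
const PAGES = [
    'home'       => 'home.php',
    'halloffame' => 'halloffame.php',
];

function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // A NUL byte, slash, backslash or dot has no place in a page name.
    // PHP before 5.3.4 truncated the include path at %00, which is why
    // the appended ".php" did not restrict anything.
    if (preg_match('/\A[a-z0-9_]{1,32}\z/', $requested) !== 1) {
        return null;
    }
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must still live under PAGE_DIR.
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    $base = realpath(PAGE_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

Keeping the AuthUserFile outside the document root and setting open_basedir to the site's own directory limits what any remaining inclusion bug can read.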
