Drunk Admin Web Hacking Challenge

Recently I conducted a few keynote talks on the WeBaCoo tool and some web backdoor shell implementation techniques. As a great supporter of practical learning, I designed a relative web hacking challenge that was given to the events attendees after the end of the talk part. The challenge focuses on techniques and methodologies discussed during the talks and implements a slightly restricted web server setup serving a vulnerable image hosting service.

 

Download

The challenge was served on a Debian vmware image which is available for download on the following link:

Download Challenge (539MB) – md5sum:edf9bcd28049ed85312510d5872ea463
Download mirror from boot2root

 

Configuration

The network is configured to obtain an IP address via DHCP by default. Although if you want to further configure the virtual machine you can login as user root and password toor. The apache web server is configured to run on port 8880.

 

Mission

The challenge includes an image hosting web service that has various design vulnerabilities. You must enumerate the various web service features and find an exploitable vulnerability in order to read system hidden files. The web application is 100% custom so do not try to search google for relative PoC exploit code.

FINAL GOAL: Reveal the hidden message for a date arrange that Bob sent to Alice.

 

Work Flow

  1. Enumerate carefully the web application
  2. If you get stuck repeat 1
  3. Try to spawn a web shell or find a way to execute server side code
  4. Read the hidden message

 

Appendix

Congratulations to “Kyriakos Ispoglou (CEID student)” who was the first one that solved 100% the challenge.

Available solution work flows (thanks for sending them):

Extra credits to mr.pr0n for providing a run2shell script exploiting the custom web application to spawn a remote shell with the vulnerable box.

 

If you find a different solving approach (with or without using WeBaCoo) or just solved the challenge and want to disclosure your solution contact me.

 

 

A. Bechtsoudis