Safetech Blog - Security Tips and Tricks

by Oana Stoian

Billu-b0x Write-up

This write-up is for the Billu-b0x CTF machine hosted on Vulnhub. This is one of those challenges focused on real-world technical vulnerabilities, and this is why I like it.

In my setup, the machine is using IP address and I started with an nmap scan:

Running nikto on the web server will get us the following information:




Not very much useful info, so we continue to do a bruteforce for directories using dirb with some common dictionaries, and we get interesting results with:



So we have some new things to play with… a phpmyadmin instance and other files, like which is returning us a “promising” error message:



A “file” parameter… a “file path” … hmmm, this could get us to an LFI. A couple of minutes later, after some tries, we have a nice working LFI:

This LFI won’t get us to code execution (yet), but at least we can learn important things about the system: we can read the web application’s code and find sensitive data.

Reading through the PHP files’ code, in c.php we discover the credentials for the MySQL database:

We use these credentials to connect to phpmyadmin application. In the database, we discover the credentials to the main web application:



Now that we have access to the web application, we start investigating it for new vulnerabilities… there is an upload form, but after some trial and error we look at the code through the LFI and realize that this won’t get us to command execution. Being stuck for a while, we start reading the code of the application’s files and we get another LFI in panel.php. Now things can go in the “right” direction… we have an upload form which allows us to upload image files and we have a “good” LFI – you know, the kind that includes your file’s content into a PHP code file. We upload our crafted image file, which has PHP code injected into it, and run the code through the LFI:
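From the defender's side, both LFIs in this chain come down to a request value reaching a file read or an `include` unchecked. The following is an added example, not code from the Billu-b0x application or from this write-up's author: it shows the weak pattern in comments next to a hardened form. All paths, page keys and function names are assumptions.

```php
<?php
// Added example: every name and path here is hypothetical, not Billu-b0x source.

const DOWNLOAD_ROOT = '/var/www/app/downloads';   // assumed location of servable files
const PAGE_DIR      = __DIR__ . '/pages';         // assumed location of includable scripts

// Allowlist for the include case: the request supplies a key, never a path.
const PAGES = [
    'show' => 'show.php',
    'add'  => 'add.php',
];

// Weak pattern behind this class of bug (illustrative):
//   readfile($_REQUEST['file']);               // reads any file the web user can read
//   include PAGE_DIR . '/' . $_REQUEST['page']; // executes any file named, uploads included

/** Return a canonical path inside DOWNLOAD_ROOT, or null if the request escapes it. */
function resolve_download(string $requested): ?string
{
    $root = realpath(DOWNLOAD_ROOT);
    // realpath() collapses "..", symlinks and repeated slashes; false if the file is missing.
    $path = realpath(DOWNLOAD_ROOT . '/' . $requested);
    if ($root === false || $path === false) {
        return null;
    }
    // Compare with a trailing separator so "/downloads-old" does not pass as "/downloads".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Map a page key to a fixed script; unknown keys never reach include. */
function resolve_page(string $key): ?string
{
    return array_key_exists($key, PAGES) ? PAGE_DIR . '/' . PAGES[$key] : null;
}

/** Request handler for the file-read case. */
function serve_download(string $requested): void
{
    $file = resolve_download($requested);
    if ($file === null) {
        http_response_code(404);   // same answer for "missing" and "outside the root"
        return;
    }
    header('Content-Type: application/octet-stream');
    readfile($file);               // bytes are sent, never interpreted as PHP
}
```

With the include target chosen from a fixed map, an uploaded image can no longer be named as the file to execute, whatever it contains.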




Time to have a shell, right? Well… not that fast, but anyway, here it is:




Having the shell, we start enumerating the machine; running LinEnum is always a good idea. After a short time we realize that this machine has very few services, no juicy data in home folders… no permission issues, so kernel exploitation could be the fastest way to root. We grab an exploit for and bingo! I am (g)root! 🙂



This was a nice vulnerable machine, good example of web exploitation and chaining exploits together. Thanks to the author @indishell1046 and of course thanks to our friends from @vulnhub !
