The VM for the CTF challenge is located at https://www.vulnhub.com/entry/imf-1,162/

Description:

IMF is an intelligence agency that you must hack to get all flags and ultimately root. The flags start off easy and get harder as you progress. Each flag contains a hint to the next flag. I hope you enjoy this VM and learn something.

Difficulty:

Beginner/Moderate

I started off with an nmap scan of all ports to get the lay of the land:

nmap -p 1-65535 -T4 -A -v 192.168.1.38

Nothing too interesting, except port 80/tcp open.

On the “Contact Us” page we’re able to see a couple employee emails:

Roger S. Michaels – Director
rmichaels@imf.local

Alexander B. Keith – Deputy Director
akeith@imf.local

Elizabeth R. Stone – Chief of Staff
estone@imf.local

We find the first flag in the source of the contact.php page:

<!-- flag1{YWxsdGhlZmlsZXM=} -->

Decoding the string, we get the contents of flag1:
echo YWxsdGhlZmlsZXM= | base64 --decode

Flag1: allthefiles

Taking Flag1 as the hint for Flag2, I look through all the files referenced in the source, and three JavaScript filenames catch my eye because they also look like Base64:

“js/ZmxhZzJ7YVcxbVl.js”
“js/XUnRhVzVwYzNS.js”
“js/eVlYUnZjZz09fQ==.min.js”

Concatenating the three filename fragments and decoding:
echo ZmxhZzJ7YVcxbVlXUnRhVzVwYzNSeVlYUnZjZz09fQ== | base64 --decode

Which reveals Flag2:

flag2{aW1mYWRtaW5pc3RyYXRvcg==}

Flag2: imfadministrator

Browsing to http://192.168.1.38/imfadministrator/ brings us to a login console:

Since source seems to be a common theme for this CTF, I check source, and see a nice comment:

Admittedly, after trying many brute-force combinations for all of the local emails (with and without the domain), I took a hint on this flag. You don’t know what you don’t know, but I learned something new. PHP’s strcmp function returns < 0 if str1 is less than str2, > 0 if str1 is greater than str2, and 0 if they are equal (https://secure.php.net/manual/en/function.strcmp.php).
Furthermore, if one of the arguments is an array rather than a string, strcmp returns NULL, and because NULL == 0 is true under PHP’s loose comparison, a check written that way treats it as a match. In this case that allows a login bypass and spits out the flag.
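To make the mechanism concrete, here is an added example (not the IMF login’s own code, which this write-up does not show) of a check written around strcmp beside a hardened version. The field name pass, the e-mail and the password are assumptions made up for the demo; PHP parses a form field named pass[] as an array, which is what produces the NULL result described above.

```php
<?php
// Added example, not the IMF challenge's own login code (which this write-up
// does not show). Mirrors the strcmp() behaviour described above and shows a
// hardened check beside it. Field names and credentials are constructed.

// Vulnerable pattern: strcmp() expects two strings. On PHP 5/7 (without
// strict_types) passing an array, which is what a request field named pass[]
// becomes, raises a warning and makes strcmp() return NULL instead of an int.
// NULL == 0 is true under loose comparison, so the "password matches" branch
// is taken. (PHP 8 throws a TypeError here instead of returning NULL.)
function login_vulnerable(array $post, string $storedPassword): bool
{
    if (!isset($post['user'], $post['pass'])) {
        return false;
    }
    return strcmp($post['pass'], $storedPassword) == 0;
}

// Hardened pattern: refuse anything that is not a string before it reaches a
// comparison, and verify against a password hash rather than a plaintext.
// password_verify() always returns a bool and compares in constant time.
function login_hardened(array $post, string $storedHash): bool
{
    if (!isset($post['user'], $post['pass']) || !is_string($post['pass'])) {
        return false;
    }
    return password_verify($post['pass'], $storedHash);
}

$plaintext  = 'constructed-demo-password';
$storedHash = password_hash($plaintext, PASSWORD_DEFAULT);

// Two constructed requests: an ordinary wrong guess, and the array case
// (the form of POST body that the field name pass[] produces).
$requests = [
    'wrong guess' => ['user' => 'rmichaels@imf.local', 'pass' => 'guess'],
    'array case'  => ['user' => 'rmichaels@imf.local', 'pass' => ['guess']],
];

foreach ($requests as $label => $req) {
    try {
        // @ silences the "expects parameter 1 to be string" warning on PHP 7.
        $vulnerable = var_export(@login_vulnerable($req, $plaintext), true);
    } catch (TypeError $e) {
        $vulnerable = 'TypeError';       // PHP 8 behaviour
    }
    printf("%-12s vulnerable=%-9s hardened=%s\n",
        $label, $vulnerable, var_export(login_hardened($req, $storedHash), true));
}
```

On PHP 7 the array case makes login_vulnerable() return true while login_hardened() returns false for both requests; on PHP 8 the vulnerable branch throws instead. The two things that close the hole are the is_string() guard (no non-string input ever reaches the comparison) and password_verify(), which cannot return NULL.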

So, using Burp, I change the POST data for the password field from

to

Shoutout to reedphish for their write-up on this flag, which helped me learn something new (https://reedphish.wordpress.com/2016/11/20/imf-walkthrough/).

Flag3: continueTOcms

As the flag suggests, I click on the IMF CMS link and continue to CMS.

By the looks of the URL structure, my first inclination is to test for SQL injection:

Since this is post-auth, I use sqlmap with my new session cookie and attempt to enumerate the databases:
sudo sqlmap -u 'http://192.168.1.38/imfadministrator/cms.php?pagename=home' --cookie 'PHPSESSID=je70kk8bmq1fb8n6kh8oger6k5' --dbs

This confirms my suspicion that injection is a viable vector, and lists the available databases:

Since the admin database looks the most interesting, we dump it with the following command (sqlmap selects the database with -D; --dump takes no argument of its own):
sudo sqlmap -u 'http://192.168.1.38/imfadministrator/cms.php?pagename=home' --cookie 'PHPSESSID=je70kk8bmq1fb8n6kh8oger6k5' -D admin --dump

This produces a new image we haven’t seen before:

Scanning the QR code reveals flag4{dXBsb2Fkcjk0Mi5waHA=}
Flag4: uploadr942.php
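For the defensive side of what sqlmap just confirmed, here is an added example (not the IMF CMS source, which the write-up does not show) of a page lookup keyed by the same ?pagename= parameter, written first with string interpolation and then with a prepared statement. The table name pages, its columns and the rows are assumptions constructed for the demo, and the in-memory SQLite database stands in for the real backend.

```php
<?php
// Added example, not the IMF CMS source (the write-up does not show it).
// Assumes the CMS looks pages up by the ?pagename= parameter that sqlmap
// injected, in a table pages(pagename, pagedata); both are assumptions.

// Vulnerable: the request value is interpolated into the SQL text, so a value
// containing a quote ends the literal and the rest is parsed as SQL. That is
// the class of bug sqlmap probes for and then automates.
function fetch_page_vulnerable(PDO $db, string $pagename): array
{
    $sql = "SELECT pagename, pagedata FROM pages WHERE pagename = '$pagename'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement with a bound parameter. The statement is
// parsed before the value is attached, so the value can only ever be data.
function fetch_page_hardened(PDO $db, string $pagename): array
{
    $stmt = $db->prepare('SELECT pagename, pagedata FROM pages WHERE pagename = :pagename');
    $stmt->execute([':pagename' => $pagename]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database standing in for the CMS backend
// (requires the pdo_sqlite extension, which ships with most PHP builds).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (pagename TEXT PRIMARY KEY, pagedata TEXT)');
$db->exec("INSERT INTO pages VALUES ('home',   'Welcome to the IMF CMS'),
                                    ('hidden', 'constructed page not linked from the menu')");

$normal = 'home';
$probe  = "home' OR '1'='1";   // the textbook tautology probe, the kind sqlmap starts with

foreach ([$normal, $probe] as $value) {
    echo "pagename={$value}\n";
    echo '  vulnerable rows: ', count(fetch_page_vulnerable($db, $value)), "\n";
    echo '  hardened rows:   ', count(fetch_page_hardened($db, $value)), "\n";
}
```

With the normal value both functions return one row. With the probe the interpolated query becomes WHERE pagename = 'home' OR '1'='1' and returns every row in the table, which is exactly the signal sqlmap keys on; the prepared statement looks for a page literally named home' OR '1'='1 and returns none.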

Browsing to our new upload page, we’re presented with an option to upload a file:

My first theory was to upload a PHP webshell, but attempting to upload php, exe and txt files results in “Error: Invalid file type”. After trying many different file types, I was able to upload image files. My next thought was to find a way to embed a PHP cmd shell in the image, as I had learned to do by tainting log files in OSCP. This is where I started falling flat and getting stuck, so I got a little push from another write-up. Kudos to the first person to figure this out: although you can upload any image type, you’re only able to use the PHP cmd shell with GIFs. So I inserted the PHP cmd shell in the .gif file and uploaded it.
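The upload filter above accepts a file that is a perfectly valid GIF, so checking the extension or the declared type was never going to catch it. As an added example (not the challenge’s uploadr942.php, which this write-up does not show), here is a detection check a defender can run over an uploads directory, beside an upload handler that types the file by content, re-encodes it through GD so only pixel data survives, and stores it under a server-chosen name. The temporary paths, the tiny GIF and the appended tag are constructed for the demo.

```php
<?php
// Added example, not the challenge's uploadr942.php (which this write-up does
// not show). Demonstrates why an extension or declared-MIME check is not a
// defence on its own: a byte-for-byte valid GIF can carry a PHP tag after the
// image data, and only the server's handling decides whether it ever runs.
// All paths and names below are constructed for the demo.

// Detection: a genuine image has no business containing a PHP open tag.
// Cheap to run on new uploads and on files already in an upload directory.
function contains_php_tag(string $path): bool
{
    $bytes = file_get_contents($path);
    return $bytes !== false && stripos($bytes, '<?php') !== false;
}

// Mitigation: type the file by content, re-encode it through GD so only pixel
// data survives, and store it under a server-chosen name and extension.
function store_image_safely(string $tmpPath, string $uploadDir): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $codecs = [
        'image/gif'  => ['imagecreatefromgif',  'imagegif',  'gif'],
        'image/png'  => ['imagecreatefrompng',  'imagepng',  'png'],
        'image/jpeg' => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
    ];
    if (!isset($codecs[$mime])) {
        return null;                       // the "Error: Invalid file type" case
    }
    [$decode, $encode, $ext] = $codecs[$mime];

    $img = @$decode($tmpPath);             // decodes pixels only; trailing bytes
    if ($img === false) {                  // and comment blocks are not image data
        return null;
    }
    $name = bin2hex(random_bytes(8)) . '.' . $ext;   // never the client's filename
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = $encode($img, $dest);            // writes a fresh file from pixel data
    imagedestroy($img);
    return $ok ? $name : null;
}

// Constructed "upload": a tiny real GIF with a harmless PHP tag appended,
// the shape of file that an extension/magic-byte filter waves through.
$uploadDir = sys_get_temp_dir();
$tmp = tempnam($uploadDir, 'upl');
$gif = imagecreate(4, 4);
imagecolorallocate($gif, 0, 0, 0);
imagegif($gif, $tmp);
imagedestroy($gif);
file_put_contents($tmp, '<?php echo "marker"; ?>', FILE_APPEND);

printf("tainted upload contains PHP tag: %s\n", var_export(contains_php_tag($tmp), true));
$stored = store_image_safely($tmp, $uploadDir);
printf("stored as %s, contains PHP tag: %s\n",
    $stored ?? '(rejected)',
    $stored === null ? 'n/a' : var_export(contains_php_tag("$uploadDir/$stored"), true));
```

The tainted file reports true before re-encoding and false afterwards, because imagegif() writes a new file from the decoded pixels and never copies the appended bytes. Re-encoding is the layer that removes the payload; the random server-side name removes the attacker’s control over the extension; and the upload directory should additionally be served with script execution disabled, so that even a file that slips through is only ever delivered as static bytes.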

An interesting note: if you inspect the element after a successful upload, there is a unique hash in the comments.

Other write-ups deduced that the image is uploaded to /imfadministrator/uploads/HASH.extension

So if I navigate to:

http://192.168.1.38/imfadministrator/uploads/1ef7eeabeb61.gif

I can see the header of the GIF file and, more importantly, can send commands to the shell, for example:

which gives me a directory listing. I can then cat out the flag in that directory:
http://192.168.1.38/imfadministrator/uploads/1ef7eeabeb61.gif?cmd=cat%20flag5_abc123def.txt


Flag5: agentservices

***TO BE CONTINUED FOR FLAG 6***