PwnTillDawn Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, but also having fun! The goal is simple, break into as many machines as possible using a succession of weaknesses and vulnerabilities and collect flags to prove the successful exploitation. Each target machine that can be compromised contains at least one “FLAG” (most of the times a file and typically located in the user’s Desktop, or the user’s root directory), which you must retrieve, and submit in the application. The flag is in the majority of the cases in a SHA1 format but not always.
We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/PTD/10.150.150.224] └─$ cat nmap.nmap # Nmap 7.91 scan initiated Thu Jun 10 07:34:33 2021 as: nmap -sC -sV -oA nmap 10.150.150.224 Nmap scan report for 10.150.150.224 Host is up (0.16s latency). Not shown: 999 closed ports PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Apache2 Debian Default Page: It works Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu Jun 10 07:35:12 2021 -- 1 IP address (1 host up) scanned in 39.56 seconds
We are having only one port which is HTTP 80, nice seems we are bursting directory with gobuster.
gobuster dir -u http://10.150.150.224 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html checking the directory below.
┌──(muzec㉿Muzec-Security)-[~/Documents/PTD/10.150.150.224] └─$ gobuster dir -u http://10.150.150.224 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.150.150.224 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: txt,php,html [+] Timeout: 10s =============================================================== 2021/06/12 02:38:01 Starting gobuster in directory enumeration de =============================================================== /index.html (Status: 200) [Size: 10701] /login.php (Status: 200) [Size: 1213]
Now let try and access ` http://10.150.150.224/login.php ` to check what login page we have maybe it need brute forcing just guessing lol.
We have the login page requesting for a Pin also and a link to download an APP so i decided to download the APP let try and check what the APP is all about.
Decompile The APK
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
How To Install .
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git cd Mobile-Security-Framework-MobSF ./setup.sh
This command will install all the required dependencies to run Mobile Security Framework. Now to run it After the installation complete we can use this tool by using run.sh command. As we previously told that this is a web based tool so we need to run it on our localhost server. To run it on our localhost with port 9999 (we can use any other port) by using following command:
Now let access it on our browser
Now let upload the APK file to analyze it.
Going through it and i was able to get FLAG43.
Time to get the PIN i actually spend some time here lot of trial and error before getting it but i did lol screenshot of PIN below.
Now let try using the PIN on the LOGIN page.
Boom we are in and having all the FLAGS but one is encoded now let try decoding it to finish the machine.
Took sometime but i was able to decode it and we are done.
PWNTILLDAWN LABS IS THE BEST WHY NOT TRY IT: Juno On PwnTillDawn Click Here
Greeting From Muzec