
This is a walkthrough of the InfoSecWarrior CTF 2020: 3 challenge. The box is designed by Vishal Biswas aka CyberKnight. The goal is to gain the highest privileges and collect 2 flags (user flag and root flag). According to the author, a WordPress developer configured the machine to work internally, but due to some misconfiguration WordPress is exposed to the outside world. Use your skills and get the root flag.
You can download this challenge from: https://www.vulnhub.com/entry/infosecwarrior-ctf-2020-03,449/ or https://www.infosecwarrior.com/Finfosecwarrior-ctf-2020-3/
Tools:
At the beginning of the challenge I scanned the IP for open ports and found two: 80 (http) and 22 (ssh)
nmap -sS -sV -T4 192.168.56.107
-sS > SYN scan
-sV > service/version detection
-T4 > aggressive timing template (4), faster scans

After seeing the content of the web page on port 80, I brute-forced the directories on this site using the dirsearch tool. I found a WordPress login page and a MySQL server login page:
dirsearch -u http://192.168.56.107/

It is recommended to identify the technology behind any website; use the whatweb tool or the Wappalyzer extension for Chrome or Firefox.
To find out more details about the site I used the wpscan tool, since the site is based on WordPress.

So I decided to access the phpMyAdmin login page at http://192.168.56.107/phpMyAdmin. With a little help from HackTricks I was able to log in via the SQL login bypass method with the default credential root:root
Vulnerability details: https://www.exploit-db.com/exploits/21726

After accessing the server's dashboard, I found the password of the user krishna stored as a hash.

So I used John the Ripper to brute-force this hash with rockyou.txt, and the password was: infosec

Then I connected to the server via SSH with the krishna user's credentials.

I ran the sudo -l command and found that krishna has sudo permission to run a bash script as loopspell. This script compiles a C language file using gcc; using this command we escalate privileges on this machine and get the user's flag.

After getting the first flag I decided to get a root shell to get the last flag, so I ran sudo -l again and saw sudoers entries for /usr/bin/gcc and code_compiler.sh. Using sudo, I ran the privilege escalation command again and got a root shell on the target machine.
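As an added defensive example (not part of the original walkthrough), a small Python audit that parses sudoers user-specification lines and flags rules like this box's, where the sudoer may run a compiler or a script as another user. The sample lines are constructed, and every path other than /usr/bin/gcc is assumed.

```python
import re

# Binaries whose sudo rules amount to "run arbitrary code as the RunAs user":
# gcc compiles caller-written source, the rest are shells/interpreters/editors.
CODE_EXEC_BINARIES = {"gcc", "cc", "g++", "bash", "sh", "dash", "python", "python3",
                      "perl", "ruby", "vim", "vi", "awk", "find"}

# user host=(runas) TAG: cmd1, cmd2   (host is normally ALL; runas may be omitted)
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text):
    """Return (user, runas, nopasswd, [commands]) for each user-specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        m = SUDOERS_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m or m.group("user").endswith("_Alias"):
            continue
        runas = (m.group("runas") or "root").split(":")[0]   # "(ALL:ALL)" -> "ALL"
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("user"), runas, "NOPASSWD" in m.group("tags"), cmds))
    return rules

def risky_rules(rules):
    """Flag each command that hands the sudoer code execution as the RunAs user."""
    findings = []
    for user, runas, _nopasswd, cmds in rules:
        for cmd in cmds:
            name = cmd.split()[0].rsplit("/", 1)[-1]     # basename of the command
            reason = ("unrestricted" if cmd == "ALL"
                      else f"{name} runs caller-supplied code" if name in CODE_EXEC_BINARIES
                      else "script: check its permissions and what it executes" if name.endswith(".sh")
                      else None)
            if reason:
                findings.append((user, runas, cmd, reason))
    return findings

# Constructed sample modelled on the box's rules; every path except /usr/bin/gcc is assumed.
SAMPLE_SUDOERS = """\
Defaults env_reset
krishna   ALL=(loopspell) NOPASSWD: /usr/bin/gcc, /home/loopspell/code_compiler.sh
loopspell ALL=(root) NOPASSWD: /usr/bin/gcc
www-data  ALL=(root) /usr/sbin/service apache2 restart
"""
```

Run against a real file with `risky_rules(parse_sudoers(open("/etc/sudoers").read()))`; the service restart rule passes, while both gcc rules and the script are reported for review.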


That is it.
