aqua: 1 walkthrough Vulnhub CTF


Today we are solving another Vulnhub CTF. Aqua: 1 was created by yunaranyanca and is hosted on the Vulnhub server. You can download it here.

First, we scan our local network to find the target IP.


Next, an Nmap aggressive port scan.

Enumeration

During the dirb scan we found many URLs. I used a filter for .php, so the output is limited to the .php extension.

When I open the target IP in the browser, we find this page.

http://192.168.1.14

When clicking the “Sure, I’ll help” button, we are redirected to another page which shows credentials.

During the dirb scan we found another URL, login.php. I opened the URL and saw a login page. I tried to log in with this credential: vashivmegmin, and we logged in successfully.

This URL is vulnerable to LFI (local file inclusion): we can see the target system's passwd file.

I tried to log in to FTP but got a "Connection timed out" message. After deeper enumeration, I found that a knockd firewall is implemented on this server.

Port knocking

Log in with FTP again:

  • username: megumin
  • password: watashiwamegumin

With the dir command we see all the files in our current directory and their permissions.

Creating a msfvenom PHP reverse shell payload

After creating the payload, we log in with FTP again using the same username and password. We have already seen the directory permission (757 means the root user has full permission and other users have the same permission; only the group is limited to read and execute).

This time we upload our shell to the web directory.

We see our shell is uploaded successfully. Now we execute our shell through the LFI (Local File Inclusion) vulnerability.
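The 757 mode noted above leaves the directory writable by accounts outside its owner and group, which is the condition a web-root audit should flag. The following is an added example, not part of the original walkthrough: it decodes a mode into its three triads and walks a tree for directories writable by "others". The `html`, `css` and `uploads` names are a constructed sample tree, not paths from the target.

```python
import os
import stat
import tempfile


def describe_mode(mode):
    """Render the owner/group/others triads of a permission mode as rwx strings."""
    bits = stat.S_IMODE(mode)
    triads = {}
    for who, shift in (("owner", 6), ("group", 3), ("others", 0)):
        triad = (bits >> shift) & 0o7
        triads[who] = "".join(
            flag if triad & mask else "-" for flag, mask in (("r", 4), ("w", 2), ("x", 1))
        )
    return triads


def find_others_writable_dirs(root):
    """Return (path, octal mode) for each directory under root writable by 'others'."""
    findings = []
    for dirpath, _dirs, _files in os.walk(root):  # symlinked dirs are not followed
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & stat.S_IWOTH:
            findings.append((dirpath, format(mode, "03o")))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a web root whose 'uploads' directory is mode 757."""
    web = os.path.join(base, "html")
    for rel, mode in ((".", 0o755), ("css", 0o755), ("uploads", 0o757)):
        path = os.path.normpath(os.path.join(web, rel))
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)  # explicit chmod so the umask does not alter the sample
    return web


if __name__ == "__main__":
    print(describe_mode(0o757))
    with tempfile.TemporaryDirectory() as tmp:
        for path, mode in find_others_writable_dirs(build_sample_tree(tmp)):
            print(f"{mode} {path}: writable by accounts outside owner and group")
```

On a real server, point `find_others_writable_dirs` at the web root and tighten anything it reports to 755 or stricter.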

I had already started msfconsole, and I got a reverse shell on the target machine.

  • set lhost 192.168.1.8
  • set lport 4545
  • run

Now I run the shell command and we see a blank shell, so this time we spawn a bash shell through a Python module.

The current user is www-data and has very limited permissions.

With the id command we see that our current user is www-data. We already have the megumin user's password, so I run the su (switch user) command with megumin and the user's password, and our shell changes from www-data to megumin.

Let's check the sudoers file with sudo -l.

We see a backdoor script in the sudoers file. I open the script with the cat command and we see a bash script that automatically opens a netcat connection. I run the command with sudo and the backdoor is opened.


Connecting to the backdoor

Again we import Python modules to spawn a shell.

I run the id command and we see that our user has changed to the aqua user. I run sudo -l again and find many scripts, but I try gdb privilege escalation.

Privilege Escalation

GDB privilege escalation. For more about gdb, see here.

Reading our last root flag