aqua: 1 walkthrough Vulnhub CTF

Aqua: 1 walkthrough Vulnhub CTF

Today we are Solving another Vulnhub CTF aqua: 1 is Created by yunaranyanca This CTF is hosted on Vulnhub Server You can download here

First Scanning our local network and finding our target IP

aqua: 1 walkthrough Vulnhub

Nmap aggressive port Scanning

aqua: 1 walkthrough Vulnhub

dirb scanning time we found may URL I used a filter .php and we see our output is filter .php extension

aqua: 1 walkthrough Vulnhub

When I open target IP our browser and we found this page.

When clicking the “Sure, I’ll help” button, we are redirected to another page which shows credentials.

dirb scanning time we found another URL login.php I open the URL and I see a login page, I try to log in this credential: vashivmegmin and we are successfully connected to it

aqua: 1 walkthrough Vulnhub

This URL is vulnerable to LFI(local file inclusion) we see the target system passwd file

I log in ftp but I see Connection timed massage I go to more deeply enumeration and I found Knocked Firewall implement this server

aqua: 1 walkthrough Vulnhub
Port knocking

Log in with FTP Again

  • username: megumin
  • password: watashiwamegumin

dir command to we see all file our current directory file and permissions

aqua: 1 writeup Vulnhub

Creating a msfvenom php reverse shell payload

After creating a payload again login with ftp same username and password we already see directory permission ( 757 mean root user full permission and other users same permission the only group read and execute file )

this time uploading our shell web directory

We see our shell is uploaded successfully now executing our shell through LFI ( Local File Inclusion ) vulnerability

aqua: 1 walkthrough Vulnhub

I already start our msfconsole and we shell I got a reverse shell target machine

  • set lhost
  • set lport 4545
  • run
aqua: 1 writeup Vulnhub

now I run shell command we see blank shell this time import bash shell through python module

The current user is www-data and has very limited permissions.

And ID command to we see our current user shell is www-data we have already megumin user password I run the su (Switch User) command megumin and user password again we shell our shell is changed www-data to megumin

aqua: 1 writeup Vulnhub

Let’s check with sudo -l sudoers file

We see a backdoor script sudoers file now I open the script cat command and we see an automatic natcat connection bash script I run the command with sudo and backdoor is opened

aqua: 1 writeup Vulnhub

Connecting to backdoor

again import python modules spawn a shell

I run the ID command and we see our last user is changed to aqua user I run again sudo -l command and I found may script but I try gdb privilege escalation

Privilege Escalation

GDB privilege escalation more about gdb see here

Reading our Last root flag

aqua: 1 writeup Vulnhub
Sar 1 vulnhub walkthrough read