CK: 00 Vulnhub Walkthrough | CK: 00 Vulnhub Writeup

In this article, we will see a walkthrough of an interesting Vulnhub machine called CK: 00. This VM was made by Vishal Biswas and is hosted on Vulnhub. You can download it here


Goal: Your goal will be to get the highest-privileged user and collect the flag.

Network Scanning

First, we run netdiscover to find our target IP.

Having found the target IP, our next step is performing an Nmap aggressive scan.

I open the target IP in the browser and we see an error, so I copy the VM IP and create a virtual host entry for CK in the /etc/hosts file.

Refresh the page again and we see the default WordPress template.

Try common passwords on the WordPress login. I successfully log in with the administrator account using the username admin and the password admin.

We now have a WordPress login username and password, so without wasting time I ran msfconsole and loaded the wp_admin_shell_upload exploit.

I ran the shell command to get a shell environment and we see a blank shell, so let's spawn a shell with python3 using this command

We found our flag in user CK's home directory.

I move on to the Apache server's public directory, where we see the WordPress wp-config.php. I read the file and we see the target database username and password.

Privilege Escalation

I try the MySQL database password for every user, and we successfully log in as user bla using the database password.

Privilege Escalation scp

We have user bla's password, so I ran the sudo -l command, and we see that our current user can run the scp command without user bla1's password.

I already generated an SSH key on our local machine using the ssh-keygen command. I upload our SSH public key as authorized_keys to user bla1's /home/.ssh/authorized_keys directory using this command

We see in the terminal that our key is uploaded successfully. I exit our shell and connect over SSH as user bla1 without a password.

Privilege Escalation rbash

Again run the sudo -l command, and we see that the /bin/rbash command can be run as user CK-00 without being asked for the CK-00 password.

After executing the rbash command, many of our commands are restricted. There are many ways to escape restricted shells; I ran the sh command and the bash command and bypassed the restricted shell.

Privilege Escalation dd

Again run the sudo -l command, and finally we see that our user CK-00 can run the dd command without being asked for the root password.

I generate an MD5 salted password for our new user Rahul.

Using the cat command, we view the /etc/passwd file, copy the file text, and create a new passwd file in CK's /home directory, using the cat >> append method to paste our passwd entry.

I already created a passwd file in user CK's home directory, and our next step is to overwrite the /etc/passwd file with our new passwd file using this command

Our new user Rahul and password are pasted successfully into the /etc/passwd file. We confirm the username and password entry in the passwd file using the tail command.
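The result of this step leaves a trace a defender can check for: a password hash stored directly in /etc/passwd instead of the usual `x` shadow marker. The Python audit below is an added example, not part of the original walkthrough. Its sample lines and hash value are constructed placeholders, and giving the new account UID 0 is an assumption, since the walkthrough does not show the entry.

```python
# Added example: audit passwd-format text for entries like the one this step creates.
# SAMPLE_PASSWD is constructed; the hash is a placeholder and UID 0 is an assumption.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bla:x:1001:1001::/home/bla:/bin/bash
Rahul:$1$SALT$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
"""

# Password-field values that mean "hash lives in /etc/shadow" or "account locked".
SHADOWED_OR_LOCKED = {"x", "*", "!"}


def audit_passwd(text):
    """Return (line_number, account, reason) tuples for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        elif pw.startswith("$1$"):
            # $1$ is the md5-crypt prefix, the salted MD5 format used in this step.
            findings.append((lineno, name, "md5-crypt hash stored in passwd"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((lineno, name, "unexpected password field value"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "non-root account with UID 0"))
    return findings


if __name__ == "__main__":
    for lineno, name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {name}: {reason}")
```

On a live host, pass the contents of /etc/passwd to `audit_passwd` and alert on any finding. The root cause is still the sudo rule that lets an unprivileged user run dd as root.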

Root Flag
