haclabs: Deception walkthrough (Vulnhub CTF)
Today we are solving another Vulnhub CTF, haclabs: Deception, created by HacLabs. This machine is designed with beginners in mind.
You can download it here.
Network Scanning
We found our target IP address with netdiscover, a simple ARP reconnaissance tool for finding live hosts on a network.
netdiscover

An aggressive Nmap scan finds the open ports and running services.
nmap -A 192.168.1.5

Enumeration
I opened the victim IP address in the browser and we see the Apache2 default web page.
https://192.168.1.5

dirb is a web content scanner; it was used to brute-force any available files and directories on the website.
dirb https://192.168.1.5

In the dirb results we see WordPress. I opened the URL in the browser and we see that the default WordPress theme is installed.
https://192.168.1.5/wordpress

Since the website was built with WordPress, wpscan, a WordPress security scanner, was then used to look for existing vulnerabilities on the website (the -e u parameter finds all user accounts).
wpscan --url https://192.168.1.5 -e u

Our scan is complete and I found two users, yash and hacklabs.
Next we look at the Allow URLs in the target's robots.txt.
https://192.168.1.5/wordpress/robots.txt

So we open robots.html and get a simple form with an input box and a submit button. I entered random text and a new popup window appears with our text reflected in it.
https://192.168.1.5/wordpress/robots.html

I checked the source code of the web page and we see that after 15 clicks it redirects the user to a new web page, admindelete.html. There we see the text message: LOL, A Noob is looking for a hint

So this means the hint could be a web page. I tried to open hint.html and successfully found another page. This hint file says: please collect all API tokens available on the home page.
https://192.168.1.5/wordpress/hint.html

I moved on to the home page URL, checked the source code of the web page and found many API tokens.
view-source:https://192.168.1.5

After collecting all the API tokens and arranging them on one line, the combined token looks like this: 5F4DCC3B5AA765D61D8327DEB882CF99
I tried to log in with the username yash and the combined API token as the password, and I got a shell as the yash user.
ssh yash@192.168.1.5
First Flag
ls
cat flag.txt

After enumerating some directories I see a hidden file, .systemlogs
ls -lsa
We read the contents of this file with the cat command, and I found something really helpful.
cat .systemlogs

(the first is hacklabs), (the second is A=123456789) and (the third is +A[::-1])
I treat the second value as a variable, and the third looks like string slicing that reverses the variable A, which gives a value like this: hacklabs987654321
We change the current user from yash to hacklabs with su (the switch user command), try the password hacklabs987654321, and our shell is changed successfully.
su hacklabs
Second Flag
I moved to the hacklabs home directory and we see our second flag.
cd /home/hacklabs/
ls
cat flag2.txt
Again we upgrade our shell, from normal user to superuser root, using the sudo su command with the password hacklabs.
sudo su

cd /root/ && ls
Third and Final Flag
cat deception
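
The three passwords used above (the token string assembled from the home page source, hacklabs987654321 derived from .systemlogs, and the sudo password hacklabs) each fail a basic credential audit. The Python check below is an added example, not part of the original walkthrough or the machine; the function names are hypothetical, and the sample page and its comment layout are constructed assumptions.

```python
import re

# Constructed sample page: token fragments left in HTML comments (layout assumed).
SAMPLE_HTML = """<html><body>
<!-- API token 1: 5F4DCC3B -->
<p>Welcome</p>
<!-- API token 2: 5AA765D6 -->
<!-- API token 3: 1D8327DE -->
<!-- API token 4: B882CF99 -->
</body></html>"""

def sequential_runs(pw, min_len=4):
    """Return runs of digits that count up or down by one (e.g. 987654321)."""
    runs, i = [], 0
    while i < len(pw) - 1:
        a, b = pw[i], pw[i + 1]
        if a.isdecimal() and b.isdecimal() and abs(int(b) - int(a)) == 1:
            step, j = int(b) - int(a), i + 1
            while j + 1 < len(pw) and pw[j + 1].isdecimal() \
                    and int(pw[j + 1]) - int(pw[j]) == step:
                j += 1
            if j - i + 1 >= min_len:
                runs.append(pw[i:j + 1])
            i = j  # resume scanning at the end of the run just examined
        else:
            i += 1
    return runs

def exposed_in_page(pw, html, min_frag=4):
    """True if pw can be rebuilt by joining hex-like fragments in page order."""
    frags = re.findall(r"\b[0-9A-Fa-f]{%d,}\b" % min_frag, html)
    return len(pw) >= 8 and pw.upper() in "".join(frags).upper()

def audit(username, pw, public_html=""):
    """List the reasons a password should be rejected; empty means none found."""
    findings = []
    if pw.lower() == username.lower():
        findings.append("equals username")
    elif username.lower() in pw.lower():
        findings.append("contains username")
    findings += ["sequential digits " + r for r in sequential_runs(pw)]
    if public_html and exposed_in_page(pw, public_html):
        findings.append("recoverable from public page source")
    return findings

if __name__ == "__main__":
    print(audit("yash", "5F4DCC3B5AA765D61D8327DEB882CF99", SAMPLE_HTML))
    print(audit("hacklabs", "hacklabs987654321"))
    print(audit("hacklabs", "hacklabs"))
```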

