haclabs: Deception walkthrough vulnhub

haclabs: Deception walkthrough vulnhub ctf

Today We are solving another Vulnhub CTF hacklabs: deception is created by HacLabs This machine is designed by keeping in mind about all the beginners.

you can download here

Network Scanning

we found our target IP address through netdiscover, a simple ARP reconnaissance tool to find live hosts in a network.

 haclabs: Deception walkthrough vulnhub

Aggressive scanning with Nmap finding the open port and running services.

 haclabs: Deception walkthrough vulnhub


I open the victim IP address the browser we see the apache2 default web page

dirb is a web content scanner that was also used to brute force for any available files and directory on the website.

 haclabs: Deception walkthrough vulnhub

we see dirb result WordPress I open the URL browser and we see the WordPress default themes is installed

 haclabs: Deception walkthrough vulnhub

Since the website was made using WordPress wpscan, a WordPress Security Scanner was then used to try to find existing vulnerabilities on the website, ( -e u parameter find all user account )

 haclabs: Deception walkthrough vulnhub

our scanning is complete and I found two users yash and hacklabs

we see the target robots.txt allow URLs

So we open this robots.html then we get a simple form with an input box and a submit button I Enter random text and we see new popup windows our text is reflected

 haclabs: Deception walkthrough vulnhub

I check the source code of the webpage then we see that after 15 clicks it redirect the user to a new webpage admindelete.html here we see a text message LOL, A Noob is looking for a hint

so, this means hint can be a webpage so I tried top open hint.html and we successfully I found one another page hint.html this hint file says that pleases collect all API tokens available on the home page

I move on the home page URL and I check the source code of the webpage and I found many API tokens

 haclabs: Deception walkthrough vulnhub

after collecting all the API and arranging them one line and all API token is look like this 5F4DCC3B5AA765D61D8327DEB882CF99

I tried all API token login username yash and password is founded all API key and I got yash user shell

First Flag
 haclabs: Deception walkthrough vulnhub

after enumerating some directory I see a hidden file .systemlogs

we tried to read the content of this file using cat command. and I found something really helpful.

 haclabs: Deception walkthrough vulnhub

( first is hacklabs ) and (second is A=123456789 ) (third is +A[::-1] )

I treat the second value as a variable and third is look like String Slicing the variable A and we found a value like this ( hacklabs987654321 )

changing the current user yash to hacklabs with su ( switch user command ) and try password hacklabs987654321 and our shell is changed successfully

Second Flag

I move on haclabs home directory and we see our second flag

again upgrading our shell normal user to superuser root sudo su command with password hacklabs

Final 3 Flag
 haclabs: Deception walkthrough vulnhub

My File Server Vulnhub Walkthrough read

2 thoughts on “haclabs: Deception walkthrough vulnhub”

  1. Rahul,
    I haven’t finished the hack yet but I am following your write up. In the write up you said you found wordpress/hint.html. I ran dirb and mine didn’t find the hint.html page. Can you share what flags you used in dirb or wpscan or how you found hint.html. Sorry if this is a dumb question. I’m just starting out and learning as much as I can.

    Not a noob but still learning…..


  2. hi M
    hint.html is not a current wp page name that dirb can find with its wordlist.
    Remember that dirbuster is hunting presence of pages according to the wordlist you give it when you launch it.
    The name of ‘hint.html’ should rather be guessed according to the hint given by the previous page “admindelete.html”


Comments are closed.