Today we are solving another Vulnhub CTF, hacklabs: deception, created by HacLabs. This machine is designed with beginners in mind.
You can download it here.
We found our target IP address with netdiscover, a simple ARP reconnaissance tool for finding live hosts on a network.
An aggressive scan with Nmap finds the open ports and running services.
nmap -A 192.168.1.5
I opened the victim IP address in the browser and saw the Apache2 default web page.
dirb, a web content scanner, was then used to brute-force any available files and directories on the website.
The dirb results show a WordPress directory. I opened the URL in the browser and saw that the default WordPress theme is installed.
Since the website was built with WordPress, wpscan, a WordPress security scanner, was then used to look for existing vulnerabilities on the website (the -e u parameter finds all user accounts).
wpscan --url https://192.168.1.5 -e u
The scan completed and I found two users, yash and hacklabs.
Next we look at the URLs allowed in the target's robots.txt.
So we open robots.html and get a simple form with an input box and a submit button. I entered random text and a new popup window appeared with our text reflected in it.
I checked the source code of the page and saw that after 15 clicks it redirects the user to a new page, admindelete.html, where we see the text message: LOL, A Noob is looking for a hint
So this suggests the hint could be a web page. I tried to open hint.html and successfully found another page. This hint file says to collect all the API tokens available on the home page.
I moved to the home page URL, checked the source code of the page and found many API tokens.
After collecting all the API tokens and arranging them on one line, the combined token looks like this: 5F4DCC3B5AA765D61D8327DEB882CF99
I tried logging in with the username yash and the combined API token as the password, and I got a shell as the yash user.
ls
cat flag.txt
After enumerating some directories I saw a hidden file, .systemlogs.
We read the content of this file using the cat command and I found something really helpful.
(first is hacklabs), (second is A=123456789), (third is +A[::-1])
I treated the second value as a variable, and the third looks like string slicing applied to the variable A, which reverses it. That gives a value like this: hacklabs987654321
We switch the current user from yash to hacklabs with su (the switch user command), try the password hacklabs987654321, and our shell changes successfully.
I moved to the hacklabs home directory, where we see our second flag.
cd /home/hacklabs/
ls
cat flag2.txt
Again we upgrade our shell, this time from a normal user to the superuser root, using the sudo su command with the password hacklabs.
cd /root/ && ls
Final flag (flag 3)
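Both hacklabs passwords in this walkthrough (the username plus a reversed digit sequence, and the bare username) can be caught by a simple password audit. The following is an added example, not part of the original write-up: the function names, thresholds and the contrast password are assumptions made for illustration, and the sample accounts are constructed from the values shown above.

```python
# Added example: audit passwords for the predictable patterns seen above.
DIGITS = "0123456789"
MIN_RUN = 4        # assumed policy: flag digit runs this long or longer
MIN_RESIDUE = 4    # assumed policy: unpredictable characters that must remain

# Constructed sample accounts mirroring the two weak passwords in the walkthrough.
SAMPLE_ACCOUNTS = [
    ("hacklabs", "hacklabs987654321"),  # username + reversed 123456789
    ("hacklabs", "hacklabs"),           # password equal to the username
    ("yash", "t7#Qm2!vLx9pRw"),         # constructed contrast value
]

def sequential_runs(text, min_len=MIN_RUN):
    """Return maximal runs of digits that step by +1 or -1 (e.g. 987654321)."""
    runs, i, n = [], 0, len(text)
    while i < n - 1:
        j = i
        if text[i] in DIGITS and text[i + 1] in DIGITS:
            step = int(text[i + 1]) - int(text[i])
            if step in (1, -1):
                j = i + 1
                while (j + 1 < n and text[j + 1] in DIGITS
                       and int(text[j + 1]) - int(text[j]) == step):
                    j += 1
        if j - i + 1 >= min_len:
            runs.append(text[i:j + 1])
        i = max(j, i + 1)  # a new run may begin on the digit that ended the last
    return runs

def audit_password(username, password):
    """Return a list of findings; an empty list means no pattern matched."""
    user, pw = username.lower(), password.lower()
    findings = []
    if pw == user:
        findings.append("equals-username")
    elif user and (user in pw or user[::-1] in pw):
        findings.append("contains-username")
    runs = sequential_runs(pw)
    findings += ["sequential-digits:" + r for r in runs]
    # Strip the predictable parts and measure what is left over.
    residue = pw.replace(user, "").replace(user[::-1], "")
    for r in runs:
        residue = residue.replace(r, "")
    if findings and len(residue) < MIN_RESIDUE:
        findings.append("no-independent-secret")
    return findings

if __name__ == "__main__":
    for name, pw in SAMPLE_ACCOUNTS:
        print(name, audit_password(name, pw) or "ok")
```

A check like this belongs at password-set time, where the plaintext is available, so that passwords built only from the account name and a digit sequence are rejected before they are stored.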