haclabs: no_name walkthrough Vulnhub CTF

hacklabs no name walkthrough Vulnhub CTF is created by HacLabs the VM is hosted on Vulnhub server you can download here

Network Scanning

First, we scanning our local network

haclabs: no_name walkthrough

basic nmap scanning all port

haclabs: no_name walkthrough

we see the scanning details our target machine only port 80 http is open

I run the dirb web scanning tool with an extension .php and we found a superadmin.php URL

haclabs: no_name walkthrough

When I visit the website superadmin page we found a command injection here I run the id command we see the target uid and group id

haclabs: no_name walkthrough

I run the many commands but I didn’t see anything after some time I open the superadmin.php file with cat command and again we didn’t see anything

but we see the page source we found superadmin.php source code and see many commands is restricted. like /, ; ls, nc, dir, pwd etc.

haclabs: no_name walkthrough

So we can use nc.traditional to get a reverse shell but the issue with that would be nc the string would still be detected. So to bypass this I simply base64 encoded the following payload

haclabs: no_name walkthrough

After encoding the reverse shell first we start our natcat payload listener and paste the code command injection field starting pipe

and we see our natcat connection is connected our target but we see blank shell now importing python3 module

First Flag

After enumeration, many scripts and commands I didn’t find anything so I move the user yash home directory and I fount our first flag.txt and we see the massage hacklabs password in a hidden file.

Finding our second flag with the find command advanced search using the file type ( -type f ) filter and owner of all file user yash

our Scanning is complete we see the .passwd hidden file now open the file cat command

Second Flag

haclabs: no_name writeup

changing our user upgrading shell we already found hacklabas password our second flag

  • su hacklabs
  • password: hacklabs1235

I run the sudo -l the command to see which command hacklabs run without asking root password and we see the /usr/bin/find command run without root password

haclabs: no_name writeup

we search to find command privilege escalation on google and I found a sudoers command I run the command extra parameter -u root

we found our final flag3.txt

haclabs: no_name writeup

Another vulnhub walkthrough MuzzyBox: 1 read