In Plain Sight: 1.0.1 walkthrough vulnhub


In this article, we solve another VulnHub CTF, In Plain Sight: 1. This virtual machine was created by bzyo, and its difficulty level is Beginner – Intermediate. The machine is hosted on VulnHub, where you can download it.

Description

Built/Tested with VirtualBox. DHCP enabled. Need to get root to read flag

Network Scanning

First we perform an ARP scan with netdiscover to find our target IP address.

In my case, the target IP is 192.168.1.16. Our next step is scanning the target's open ports and running services with nmap.

In the nmap output we see that port 21 (FTP), port 22 (SSH), and port 80 (HTTP) are open on the target.

Enumeration

I opened the browser, pasted the target IP address into the URL bar, and saw the Apache2 Ubuntu default page.

We see a hint on the landing page: "You should replace the file (located at /var/www/html/index.htnl)". I opened the URL in a new tab and saw an image file. I clicked the image and was redirected to a new URL.

After enumerating the URL, I uploaded a PHP payload and got the message "File is not image".

So I created a file named urlhash, pasted the URL hash into it, and brute-forced the file.

The hash cracked and revealed the message "good luck". I uploaded a shell again and saw the message again. Reading the page source with Inspect Element, I found a base64-encoded comment.


I copied the base64-encoded text, decoded it with base64 -d, and found another WordPress URL.

Without wasting time, I used the wpscan WordPress scanner to find all the users on the WordPress URL.

WordPress Password Brute Force

I then brute-forced the users we had already found with wpscan.

After 40 seconds we found the password for the user admin. I logged in to WordPress, went to the Plugins tab, and uploaded a PHP reverse shell there, then moved on to the next step, ignoring the plugin error.

Then I went to the WordPress uploads directory and located the reverse shell. Before calling the shell, I had already started a netcat listener.

I got a netcat reverse shell on the target machine, but it was sh and many commands are restricted in that shell, so I spawned /bin/bash using python3.

I landed in the Apache public directory, where I found two WordPress accounts, so I moved into the so-dev-WordPress directory.

Here we see the wp-config.php file, which contains the MySQL username and password in plain text. I copied the database username and password.

I connected to the database, described the sodevwp_users table, and found the hash for mike.

I copied the hash, saved it in a file named hash, and cracked it using john.

Privilege Escalation

Now that I had the password of the user mike, I switched from the www-data user to mike.

Next I found the password of another user, joe, in the /etc/passwd- file.


Using the cat command, we see the user joe's password.
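Password material in a passwd-format file such as /etc/passwd- is something an administrator can check for directly. The script below is an added example, not part of the original walkthrough: the function names are hypothetical and the sample entries are constructed.

```shell
#!/bin/sh
# Defensive audit: passwd-format files should carry only a placeholder in the
# password field; real password hashes belong in /etc/shadow.

# check_passwd_file FILE
# Prints one "FILE:USER:REASON" line per account whose second field is
# empty or holds anything other than "x" or a locked marker ("*", "!").
check_passwd_file() {
    [ -r "$1" ] || return 0
    awk -F: -v f="$1" '
        NF < 7                    { next }  # not a passwd entry
        $2 == "x" || $2 ~ /^[*!]/ { next }  # shadowed or locked: fine
        $2 == ""                  { print f ":" $1 ":empty-password"; next }
                                  { print f ":" $1 ":password-field-populated" }
    ' "$1"
}

# write_sample FILE
# Writes a constructed passwd backup; every value here is made up.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mike:x:1000:1000:Mike:/home/mike:/bin/bash
joe:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1001:1001:Joe:/home/joe:/bin/bash
guest::1002:1002:Guest:/home/guest:/bin/sh
EOF
}

# audit_sample
# Runs the check on the constructed file and prints the findings with the
# temporary path replaced by the label "passwd-".
audit_sample() {
    sample=$(mktemp) || return 1
    write_sample "$sample"
    check_passwd_file "$sample" | sed "s|^$sample|passwd-|"
    rm -f "$sample"
}

audit_sample
# On a real host:
#   for f in /etc/passwd /etc/passwd-; do check_passwd_file "$f"; done
```

Any line it reports means the account's secret should be rotated and the field reset to "x" so that the hash lives only in /etc/shadow.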

I checked for SUID binaries using the find command:

find / -type f -perm -u=s 2>/dev/null

I found an executable in /usr/bin called bwrap with the SUID bit set, so I ran the command and got a root shell.

I read the root flag using the cat command.
