In Plain Sight: 1.0.1 walkthrough vulnhub

In Plain Sight: 1.0.1 Walkthrough Vulnhub CTF | In Plain Sight: 1.0.1 vulnhub writeup

In this article, we are solving another Vulhub CTF In Plain Sight: 1 this Virtual machine is created by bzyo difficulty Level Beginner – Intermediate This machine is hosted on vulnhub server you can download here

Description

Built/Tested with VirtualBox. DHCP enabled. Need to get root to read flag

Network Scanning

First we perforce an arp-scan with netdiscover finding our target IP address.

In my case, my target id is 192.168.1.16 our next step is scanning our target open ports and running services using this command

We see the nmap output target ports 21 FTP, 22 SSH, and port 80 HTTP service is running

Enumeration

I Open our browser and paste the target IP address in URL and we see the apache2 ubuntu default page

we see a hint in the landing page You should replace the file ( locate at /var/www/html/index.htnl ) I open the URL new tab and we see an image file I click the image and the image is redirected this URL

After enumeration the URL I upload php payload and we see a message File is not image

So I create a urlhash file and paste the URL hash this file using this command Bruteforce the file

Our hash is cracked and we see a message good luck I again upload a shell and we again see the massage I reading this page source code using inspect Element and I found a base64 comment

I copy the base64 encoded text and using base64 -d decoding the value and found another WordPress URL

Without wasting our time using wpscan WordPress scanner tool I find out all users the WordPress URL

WordPress Password Brute Force

Using this command I brute-forcing the users we already found in our wpscan

After 40 seconds we found the user admin password I log in the WordPress and go to the plugins tab and here I upload a php reverse shell and I go to our next step ignoring plugins error.

and go to WordPress uploads directory I locate our reverse shell before calling our shell I already start our netcat listener

I got a netcat reverse shell target machine but this is sh many commands is restricted this shell so I import /bin/bash using python3 spawn shell

I got apache public directory here I found two WordPress account so I move on so-dev-WordPress directory

here we see wp-config.php file this file contains my sql username password plain text I copy the database username and password

I connected to the databases and describe the sodevwp_users table and I found the hash for mike.

I copy the hash and save a hash name file Decoding the hash using john tool

Privilege Escalation

now since I found the password of mike user I change user www-data user to mike user

I found our another flag user joe password /etc/passwd- file

cat command to we see the user joe password

I checking SUID using the command find. find / -type f -perm -u=s 2>/dev/null

I found there is an executable in /usr/bin called bwrap with SUID bits permission so I ran the command and I got a root shell

Reading our root flag using cat command

BossPlayer Vulnhub Walkthrough link