InfoSecWarrior CTF 2020: 03 Walkthrough

Today we are sharing another CTF walkthrough, this time of the VulnHub machine named InfoSecWarrior CTF 2020: 03, with the intent of gaining experience in the world of penetration testing. Credit for designing this machine goes to Vishal Biswas.

Description

During the CTF event, this box contains a loot box (zip file) consisting of the download link for the next challenge and super_flag.txt. Goal: You have to gain the highest privileges and collect only 2 flags (user flag and root flag).

Network Scanning

In my case, the target IP is 172.20.10.9.

Our first step is scanning all ports and services on the target machine using an Nmap aggressive scan.

The Nmap scan is complete and, as the result shows, port 21 (SSH) and port 80 (HTTP) are open.

Enumeration

Enumerating further, we open the target IP in the browser and see a WordPress website.

However, the WordPress website doesn't work properly and shows an error, so we moved on to our next step and started a directory brute-force to enumerate the directories and files on this machine.

The dirb scan output included phpMyAdmin and other wp directories, so I opened the phpMyAdmin URL in the browser and logged in with the username root and the password root.

  • username: root
  • password: root

We successfully logged in as the MySQL root user. I then selected the wpdb database and opened the wp-user table, where we see two user entries, krishna and user1, as shown in the image file.

I copied the users' hashes, saved them to a text file, and cracked them with the john tool using the following command.

The WordPress hashes cracked successfully, so I tried logging in over SSH with the WordPress credentials and got an SSH shell as Krishna.

  • username: Krishna
  • password: infosec

Privilege Escalation

I ran the sudo -l command and found that krishna has sudo permission to run a bash script as loopspell.

This script compiles a C language file using gcc. Using this command, we escalate privileges on this machine.

Running the sudo -l command again, we see sudoers file entries for /usr/bin/gcc and code_compiler.sh.

Using sudo, I ran the privilege escalation command again and we have a root shell on the target machine.
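
A defensive counterpart to the escalation above, added here as an example and not part of the original walkthrough: a small audit that flags sudoers rules granting compilers, interpreters or wrapper scripts. The sample rules are constructed from the sudo -l results described here; the script path, the run-as targets and the RISKY_BINARIES list are assumptions.

```python
import re
from pathlib import PurePosixPath

# Illustrative subset (an assumption) of binaries that can launch other
# programs when run through sudo; gcc is the one this walkthrough hinges on.
RISKY_BINARIES = {"gcc", "cc", "g++", "make", "python3", "perl", "vim", "bash", "sh"}

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample modelled on the two sudo -l results described above;
# the script path and the run-as targets are assumptions.
SAMPLE = """\
# constructed sudoers fragment
Defaults env_reset
krishna ALL=(loopspell) NOPASSWD: /home/loopspell/code_compiler.sh
loopspell ALL=(ALL) NOPASSWD: /usr/bin/gcc, /home/loopspell/code_compiler.sh
monitor ALL=(root) /usr/bin/uptime
"""

def audit_sudoers(text):
    """Return (user, runas, command, nopasswd, reason) for each risky grant."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"  # sudo runs as root when unspecified
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in filter(str.strip, m.group("cmds").split(",")):
            binary = cmd.split()[0]
            name = PurePosixPath(binary).name
            if binary == "ALL":
                reason = "unrestricted command set"
            elif name in RISKY_BINARIES:
                reason = "binary can execute arbitrary programs"
            elif name.endswith(".sh"):
                reason = "wrapper script: review what it runs with caller-supplied arguments"
            else:
                continue
            findings.append((m.group("user"), runas, binary, nopasswd, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

Each flagged rule is a candidate for removal or for replacement with a fixed command line that takes no caller-supplied arguments.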
