recon: 1 Vulnhub Walkthrough

recon: 1 Vulnhub Walkthrough | recon: 1 Vulnhub Writeup

In this article, we solve another VulnHub CTF: recon: 1, created by Sagar Shakya and hosted on VulnHub. You can download it here.

Description

This is my first CTF. This CTF is beginner level and based on WordPress.

Network Scanning

As you know, this is the initial phase, where we use netdiscover to scan the network and identify the target IP address.

Next comes Nmap port scanning, using an aggressive scan.

Enumeration

I opened a web browser, browsed to the following URL, and found a WordPress application running on the Apache web server.

Since WordPress is running on the target machine, I chose the wpscan WordPress scanner and ran the following command to enumerate all users.

I used rockyou.txt, a big and well-known wordlist, for the password brute-force attack, and launched the attack using this command

From the scan result, we found the password for the user reconauthor, as given below.

  • username: reconauthor
  • password: football7

I logged in to WordPress and opened the add-post page, where we see that an e-learning plugin is installed.

Without wasting time, I searched Exploit-DB for this plugin and found a PHP shell upload vulnerability.

Shell uploading

Copy Kali Linux's built-in PHP reverse shell and change the IP address.

I compressed this file into a zip file, hackNos.com, and started our netcat listener on port 4545.

Choose the upload option for uploading your zip file.

Browse to and upload your shell, choose Insert as Iframe, and click the Insert button.

We see our shell's e-Learning directory shown; now navigate to the URL and execute the payload.

After calling our shell, we have a remote connection to the target machine. I moved to the home directory and found our first flag in the offensivehack user's home directory.

Privilege Escalation

We found that www-data has sudo permission to run the /usr/bin/gdb program as offensivehack.

With the help of the above command, we were able to access a shell as offensivehack.

Docker Privilege Escalation

Docker is a set of platform-as-a-service products that use OS-level virtualization to deliver software in packages called containers.

The id command shows that our current user is in the docker group. I mounted the target's root directory at /mnt in a Docker container using the command

and we get the final root flag.
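
Both escalation steps above (the sudo rule for gdb and membership of the docker group) are misconfigurations a defender can audit for. The following is an added example, not part of the original walkthrough, that checks sudoers and /etc/group text for those two conditions. The sample input, the NOPASSWD tag, the GID and the list of shell-capable programs are constructed assumptions.

```python
import os
import re

# Illustrative, not exhaustive: programs able to spawn a shell when run via sudo.
SHELL_CAPABLE = {"gdb", "vi", "vim", "less", "find", "awk", "perl", "python3", "bash", "sh"}
ROOT_EQUIVALENT_GROUPS = {"docker"}  # members control a daemon running as root

# user host=(runas[:group]) [TAG:]... command[, command...]
RULE = re.compile(
    r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (who, runas, command) for rules granting a shell-capable program."""
    findings = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmd in m.group("cmds").split(","):
            tokens = cmd.split()
            if tokens and os.path.basename(tokens[0]) in SHELL_CAPABLE:
                findings.append((m.group("who"), runas, tokens[0]))
    return findings

def audit_groups(text):
    """Return (group, member) for every member of a root-equivalent group."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] in ROOT_EQUIVALENT_GROUPS:
            findings += [(parts[0], u) for u in parts[3].split(",") if u]
    return findings

# Constructed sample input modelled on the two findings in this walkthrough.
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(offensivehack) NOPASSWD: /usr/bin/gdb
"""
GROUP = "root:x:0:\ndocker:x:998:offensivehack\nwww-data:x:33:\n"

if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS) + audit_groups(GROUP):
        print("FINDING:", f)
```

Each finding marks an account that should lose the rule or group membership, or have the sudo rule narrowed to a program that cannot run other commands.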
