TBBT: FunWithFlags Walkthrough vulnhub

Today, we’re sharing another Vulnhub CTF walkthrough: TBBT: FunWithFlags, designed by emaragkos. This VM is hosted on Vulnhub.com, where it can be downloaded.

Network Scanning

Our first step is finding the target IP address using netdiscover.

After finding the target IP address, I run an Nmap aggressive scan, with the -p- parameter to scan all ports.

dirb is a web content scanner; it was also used to brute-force any available files and directories on the website.

Enumeration

The dirb results show many URLs. I open http://192.168.1.105/music/wordpress/ in the browser and see a WordPress website.

dirb http://192.168.1.105/music/wordpress/

Without wasting time, I move on to wpscan, the WordPress scanner (the -e ap parameter enumerates all installed plugins).

I found an outdated plugin, reflex-gallery version 3.1.3. I searched Exploit-DB and found an arbitrary file upload exploit for it.

After running the shell command we get a blank, restricted shell, so I spawn a proper shell with python3.

In Amy’s home directory, I found two files, notes.txt and secretdiary.

I read notes.txt using the cat command and we see a hint message: this is my secret diary.

Following the user's hint, I ran the strings command on the secretdiary file and found an 18-digit password.

It’s enumeration time! I move through the home directories and find my second flag in Penny’s home directory.

Privilege Escalation

Leonard’s directory contained a bash script with some comments in it. The file permissions let all users edit the file, and the file owner is root.

The crontab configuration shows that the thermostat_set_temp.sh file is run automatically every minute. I create a simple bash reverse shell and use the echo command to overwrite thermostat_set_temp.sh.

Before the bash script runs, we need to start our netcat listener.

After waiting a minute, I got a reverse shell as the root user. I move to the root directory and read our final flag, which is in the root directory.
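
The root cause of this escalation is a cron job that runs a script any user can edit. The following is an added example, not part of the original walkthrough, of how a defender could audit for that misconfiguration; it assumes the job is defined in /etc/crontab format (with a user field), and the sandbox paths and backup.sh are constructed for the demo.

```shell
#!/bin/sh
# Added example: flag scripts that a crontab runs as root but any user can modify.

# Print "world-writable: PATH" for each absolute command path that the given
# /etc/crontab-style file (5 time fields, user, command) runs as root and
# whose mode has the "other write" bit set. Checks mode bits only.
audit_crontab() {
    awk 'NF >= 7 && $1 !~ /^#/ && $6 == "root" && $7 ~ /^\// { print $7 }' "$1" |
    while IFS= read -r target; do
        [ -e "$target" ] || continue
        if [ -n "$(find "$target" -prune -perm -0002 2>/dev/null)" ]; then
            echo "world-writable: $target"
        fi
    done
}

# Build a constructed sandbox that mirrors the walkthrough: one script with
# mode 777 run every minute, and one correctly locked-down script (hypothetical).
build_demo_sandbox() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$dir/thermostat_set_temp.sh"
    printf '#!/bin/sh\n' > "$dir/backup.sh"
    chmod 777 "$dir/thermostat_set_temp.sh"
    chmod 755 "$dir/backup.sh"
    cat > "$dir/crontab" <<EOF
# constructed sample in /etc/crontab format
SHELL=/bin/sh
* * * * * root $dir/thermostat_set_temp.sh
0 3 * * * root $dir/backup.sh
EOF
    echo "$dir"
}

# Stand-alone demo run against the constructed sandbox.
sandbox=$(build_demo_sandbox)
audit_crontab "$sandbox/crontab"
rm -rf "$sandbox"
```

On a real host, point audit_crontab at /etc/crontab and the files in /etc/cron.d. Any hit is fixed by removing the write bit for other users (chmod o-w) and keeping the script owned by root.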
