Vulnhub – Devrandom CTF 1.1 Walkthrough

Start by scanning the host with nmap -A -T4 -p- 192.168.1.16 -vv (all TCP ports, with version detection and default scripts):

Then I scanned the host with dirbuster and found a lot of things, including a /secret directory:

Inside the directory there are 3 files. One of them contains a lot of filler, but at the end of the page there is a username and a password:

John:Password123 . The robots.txt file also has something in it:

Also found a log.php file:

And inside it:

The page echoes request data into a log, which means log poisoning (writing PHP into a logged field such as the User-Agent and then including the log file) should be possible. Let's keep that in mind for now and look at the other things we have here:

The path /?inculude=info served a WordPress page:

As we can see from that path, /?inculude=info takes a file name as a parameter, so it looks like it could be vulnerable to LFI. Let's test it by appending ?file=../../../../../../../../../../../../../../../../../etc/passwd to the link:

But the log poisoning route did not work: trying to include the access.log file through the LFI gave me some kind of error:

So I tried another way. The /etc/passwd file gave us the usernames (trevor, victor, henri, lisa, john), so I'm going to brute force the SSH service with them:

hydra -L users.txt -P /root/pass/rockyou.txt ssh://192.168.1.16 -f -vV

After some time the SSH brute force came up with the username trevor and the password qwertyuiop[] .

Then we login with these credentials:

Trevor can run sudo on this host:

There is a way to get a root shell without running sudo su: run sudo dpkg -l, which pipes the package list through a pager (less), and at the pager prompt type !/bin/sh to spawn a shell that inherits dpkg's root privileges.

That's it, we are root and we got the flag.
