VulnHub – Broken 2020 Walkthrough

We start by scanning the host with nmap –A –T4 –p- –vv

Let’s run dirb

We have a one interesting page /cms where there is a button to install:

When we click the button it changes and says “go here”

And then we click and we get this page saying we got hacked:

Dead end, i fired up dirbuster and found more results /cms/cc/index.php

And on page /cms we got a Flag1

On the page we get to put a server IP and port, so we put our IP and open port to listen to:

Well we didn’t get a shell but what happened is the target is trying to GET a file to download from our side, so we’re going to make a shell with that weird name, and start a SimpleHTTPServer on port 80 so the target be able to download the file:

Going to the home folder and viewing the next flag:

The 2nd flag {FLAG2:**Robing the rober**} along with a note for Alice, now running the command find / -writable -type d 2>/dev/null we can see that the folder script in Alice directory is writable:

What i did was creating a new file with the name of and deleted the one in the script folder and add a reverse shell into it:

Opened a listening port and waited for a while and i got a shell back:

Now we in thee root directory but nothing to do, so back to Alice home directory where a new folder backup got the 3rd flag:

{FLAG3:**Power of snak**} and we got a new note.txt file:

Ok i tried this echo “ /home/alice/backup” > path.txt and then i found that the script copied the folder backup in Alice home directory and pasted here, means we have another backup folder, so we’re going to change the path to the root folder this time to copy his contents to Alice folder echo”/root/” > path.txt and after a second we got his flag.txt in the home directory of Alice:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s