haclabs:deception
In this article we are going to solve another boot2root challenge designed by haclabs . This is a beginner level CTF challenge that doesn't require any advanced or basic exploitation and this CTF doesn't require any kind of tool for exploitation.
Walkthrough
First step is to find the IP address of the target machine using the command : netdiscover -i wlan0

Now step is to check for the open ports and for that we used the command : nmap -A 192.168.43.249

only two ports are open , so we decided to browse HTTP Service .

it is the apache2 ubuntu default page . So here we decided to bruteforce directories using the dirb tool , dirb http://192.168.43.249

it is very clear that it is running a wordpress website , so we decided to use wpscan tool to find any vulnerable plugin or theme but we failed , but we succeed in finding two usernames.
wpscan --url http://192.168.43.249/wordpress --enumerate u

now if we go to the login page then it is not accessible, so bruteforcing the password for both the users is a wastage of time.
Now we open the webpage : http://192.168.43.249/wordpres/robots.txt

means we can access /robots.html . So if we open this robots.html then we get a simple form with a input box and a submit button . we looked for the OS command Injection vulnerability but we failed here .

if we check the source code of the webpage then we see that after 15 clicks it redirect the user to a new webpage admindelete.html .

Now we are completely stuck here, so if we observe this message carefully then it says we are looking for a hint , this means hint can be a webpage so we tried various common extensions and succeed in finding a file with name /hint.html .

as said we have to collect all the API tokens available on the home page(ubuntu default server webpage) .

after collecting all the API and arranging them in correct order we found a hash 5F4DCC3B5AA765D61D8327DEB882CF99 , now we can use any online website to crack this hash and we found the text is password , we tried username : yash and password : password but we failed to connect to SSH and same for user haclabs.
So here we tried to open the webpage /wordpress/5F4DCC3B5AA765D61D8327DEB882CF99

now everything is clear that password is itself the hash value
so we tried to connect to SSH as user yash and password as hash value and finally we get the shell of user yash.

if we observe this text then it clearly means that copy operation was going on but it was aborted as we gain an authorized access to this machine. Now one thing is clear that password of user haclabs is present somewhere in the home directory of user yash and also we got our first flag.

after spending sometime with this box we see a file systemlogs

we tried to read the content of this file using cat command .

now after observing the systemlogs very carefully we found something really helpful.
1. "haclabs"
2. "A=123456789"
3. "+A[::-1]"
the third notation is used in python to reverse a string and "+" means to concatenate two strings so password for user haclabs is haclabs987654321

now we get our second flag and also two more python files.

nothing useful in gen.py . Now we read the file haclabs.py

Now if we focus on the word changetheworld then it comes out to be the password for user root.

Now we can read the final flag using the command cat deception.

we have collected all the 3 flags , it means the challenge is completed!!
Thanks Anish bhattacharya(founder of haclabs) to give me an idea to make this kind of machine!!