Jordaninfosec-CTF01 walkthrough
In this article we will solve another boot2root challenge. This machine is designed for beginners. We can download this machine from VulnHub.
The first step is to find the IP address of the target, and for that we used the command: netdiscover -i wlan0
Now we scan the target to check for open ports. Command used: nmap -p- 192.168.43.204
As we can see, there are only 2 ports open: 22 (SSH) and 80 (HTTP). So we decided to browse the HTTP service by opening our browser.
Here we found a login form. Now we decided to find hidden directories and files using the dirb tool. Command used: dirb http://192.168.43.204
We found 3 directories that might be useful for us, so first of all we decided to visit /flag
OK, we have our first flag!
Now we change our directory to /admin_area. After visiting this webpage we see a message that is not very useful, but the page's source code turns out to be useful.
So we used these credentials to log in to the form we found earlier, and yes, the login succeeded.
So we decided to upload an image, and yes, we get a success message!
So we decided to upload a PHP file to get a reverse shell! To execute that file we go to /uploaded_files/name_of_file.php. On our Kali Linux machine we started Metasploit to get a session, and yes, we got a session. Now by typing shell we get a shell, and by using a Python one-liner we get a stable shell.
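The PHP upload above worked because the form accepted a server-side script and stored it where the web server would run it. As an added example (not part of the original walkthrough or the VM's own code), this shell function audits an upload directory for such files; the function names, the sample files and the assumption that the form is meant for images only are constructed here.

```shell
#!/usr/bin/env bash
# Added example: flag server-side script content in a web upload directory.
# Assumption: the upload form is intended to accept images only.

# Print one line per suspicious regular file under directory $1:
#   EXT <path>  file name carries a PHP-handled extension (also double
#               extensions such as name.php.jpg)
#   TAG <path>  file body contains a PHP open tag despite a harmless name
find_upload_scripts() {
    dir=$1
    find "$dir" -type f | sort | while IFS= read -r f; do
        name=$(basename "$f" | tr 'A-Z' 'a-z')
        case "$name" in
            *.php|*.php[0-9]|*.phtml|*.phar|*.php.*)
                printf 'EXT %s\n' "$f"
                continue ;;
        esac
        # Content check catches scripts renamed to an image extension.
        if LC_ALL=C grep -q -a -i -F '<?php' "$f"; then
            printf 'TAG %s\n' "$f"
        fi
    done
}

# Build a throwaway directory of constructed sample uploads and print its path.
make_sample_uploads() {
    d=$(mktemp -d)
    printf 'JFIF constructed image bytes' > "$d/cat.jpg"
    printf 'constructed placeholder' > "$d/notes.PHP"
    printf 'PNG <?php echo "x"; ?>' > "$d/avatar.png"
    printf 'JFIF constructed image bytes' > "$d/report.php.jpg"
    printf '%s\n' "$d"
}

# Demo run on the constructed samples.
sample=$(make_sample_uploads)
find_upload_scripts "$sample"
rm -rf "$sample"
```

On a real server, point find_upload_scripts at the directory the form writes to; any hit means the upload filter or the handler configuration for that directory needs fixing.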
Now by typing ls we find one more file: hint.txt
So the hint is: we need to find the password of the user "technawi", which is present in a hidden file, so we decided to run the command: find / -user technawi -type f 2>&1 | grep -v "Permission " | grep -v "No such"
Yes, we found a file. Now we go to this directory and try to read the content of the file using the cat command.
Now we type su technawi and use the password: 3vilH@ksor
Now we decided to read the flag.txt file present in the directory /var/www/html/
Now we type sudo -l to check the permissions for the user technawi
This user has all the privileges, so by using sudo su we get root access, and we change the root password by using the command: passwd root