Today we are going to solve another boot2root challenge. This CTF challenge is designed for beginners. We can download this machine from VulnHub.
Our first and very basic step is to find the IP address of the target machine, and for that we used the command: netdiscover -i wlan0
The next step is to scan the target for open ports by using the command: nmap -A 192.168.43.74
As we can see, 4 ports are open: 21, 22, 80 and 3306. So we decided to browse the HTTP service, and for that we opened our browser.
As we can see, it is the Apache2 server. So now we decided to find some hidden files and directories by using dirb. Command used: dirb http://192.168.43.74
These two directories look quite interesting (wordpress and administrator).
We decided to enumerate the WordPress website, but we couldn't find anything useful there, so we switched to the /administrator directory.
We are certainly not going to set up this website, so after exploring this directory we came to know that it is Cuppa CMS. We searched the internet for this CMS and found an LFI vulnerability listed on this website: https://www.securityfocus.com/bid/60342/exploit
So we used the same exploit, and yes, we now get 3 hashes by using the command: curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://192.168.43.74/administrator/alerts/alertConfigField.php
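From the defender's side, the request above is a POST, so the urlConfig value travels in the request body. The following added example (not part of the original walkthrough and not Cuppa CMS code) flags such values in captured form bodies by decoding them and checking whether they resolve outside the expected directory. The base directory, the record layout and the sample records are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import parse_qsl, unquote

# Assumption: directory the include parameter is expected to stay inside.
BASE_DIR = "/var/www/html/administrator/alerts"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so doubly encoded separators are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_base(value, base=BASE_DIR):
    """True if value, resolved relative to base, ends up outside base."""
    value = fully_decode(value).replace("\\", "/")
    if "\x00" in value:
        return True  # a NUL byte never belongs in a file name
    resolved = posixpath.normpath(posixpath.join(base, value))
    return resolved != base and not resolved.startswith(base + "/")

def flag_requests(records, param="urlConfig"):
    """Return (client, path, decoded value) for bodies whose param leaves base."""
    hits = []
    for client, path, body in records:
        for key, val in parse_qsl(body, keep_blank_values=True):
            if key == param and escapes_base(val):
                hits.append((client, path, fully_decode(val)))
    return hits

# Constructed sample records: (client IP, request path, form-encoded POST body).
PAGE = "/administrator/alerts/alertConfigField.php"
SAMPLE = [
    ("192.168.43.50", PAGE, "urlConfig=" + "..%2F" * 8 + "etc%2Fshadow"),
    ("192.168.43.51", PAGE, "urlConfig=fields%2Fexample.php"),  # stays inside
    ("192.168.43.52", PAGE, "urlConfig=%252e%252e%252f%252e%252e%252fetc%252fshadow"),
]

if __name__ == "__main__":
    for client, path, value in flag_requests(SAMPLE):
        print(f"traversal in urlConfig from {client} -> {path}: {value}")
```

The same escapes_base check, applied before the file is opened, is the allow-list form of the fix: resolve the requested path first and refuse anything that lands outside the base directory.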
We copied these hashes and used John the Ripper to crack the password.
And we found the password of user w1r3s, as shown in the image.
Port 22 is open, so we can use these credentials to connect over SSH as user w1r3s by using the command: ssh email@example.com
Now we check our privileges using the command: sudo -l
This is good for us! Now, just by typing sudo su, we can get root access. Then, by changing directory to /root, we find the final flag, and we read it by using the command: cat flag.txt
Done, we are root now!