Silky-CTF: 0x02

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/silky-ctf-0x02,307/

Walkthrough

nmap

default 80, nothing special

dirb reveals admin page

admin panel with login


incorrect login gives error in German

after some time i notice that if you enter ‘Admin’ there is no error, even without a password

send to intruder for lfi check

after a bit, /etc/passwd is shown and we have lfi

checking lfi in browser works

find user flag in silky home directory

set up a listener and throw a python one liner at it and we have a reverse shell

break out of jail and notice a suid file ‘cat_shadow’

seeing what the program does, it tries to read shadow file (duh) however we get a permission denied

at first i thought this was a bof, but quickly realized we just have to send the hex that is being displayed

some trial and error, but 64 char buffer and then the hex in little endian gets us shadow file
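
Added example, not from the original post or the cat_shadow binary: a model of the bug class this step describes, with the unbounded copy beside a hardened form. It assumes (the post does not show the source) a 64-byte buffer directly followed by a guard value that gates the privileged read; `struct frame`, `KEY_MAGIC` and the function names are hypothetical, and the magic value is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   64
#define KEY_MAGIC 0x41424344u  /* constructed stand-in for the hex the program prints */

/* Hypothetical layout: 64-byte input buffer directly followed by the guard. */
struct frame {
    char     buf[BUF_LEN];
    uint32_t key;
};

/* Weak form: length is never checked against BUF_LEN, so input bytes 64..67
 * land in `key`. Modelled inside one struct so the demo stays well-defined C. */
int check_unbounded(const unsigned char *in, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);                 /* guard starts at 0 */
    if (len > sizeof f) len = sizeof f;      /* keep the model itself in bounds */
    memcpy(&f, in, len);                     /* no check against BUF_LEN */
    return f.key == KEY_MAGIC;               /* 1 = privileged path taken */
}

/* Hardened form: over-long input is rejected, so the guard can only hold
 * what the program itself wrote. */
int check_bounded(const unsigned char *in, size_t len) {
    struct frame f;
    memset(&f, 0, sizeof f);
    if (len >= BUF_LEN) return -1;           /* reject instead of truncating */
    memcpy(f.buf, in, len);
    return f.key == KEY_MAGIC;
}

/* Constructed input: 64 filler bytes, then the magic in host byte order. */
size_t build_input(unsigned char *out) {
    uint32_t magic = KEY_MAGIC;
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &magic, sizeof magic);
    return BUF_LEN + sizeof magic;
}

int main(void) {
    unsigned char in[BUF_LEN + sizeof(uint32_t)];
    size_t n = build_input(in);
    printf("unbounded: %d\nbounded: %d\n", check_unbounded(in, n), check_bounded(in, n));
    return 0;
}
```

On a little-endian host the four guard bytes are stored lowest byte first, which is why the value has to be supplied reversed relative to how it is printed. Beyond the length check, a SUID helper like this should not gate a privileged read on a value that sits next to attacker-controlled input at all.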

throw the hashes at hashcat

after some time we actually get root password

root flag

Written on May 24, 2019