Wednesday, 21 August 2019

Wakanda CTF

This time I tried Wakanda CTF prepared by xMagass. Here we go...
We will start here:


...waiting for enlil.py to finish the scan:


Checking www in the meantime:

Found hidden link, checking:


Ok, some manipulation is definitely possible:


More:

I tried a few payloads using Burp and I found that we can use PHP filters to include files:
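Seen from the defending side, requests like these stand out in the web server's access log. The detector below is an added example, not code from the original post: it flags query parameters that carry a PHP stream wrapper, including URL-encoded variants. The parameter name `page`, the combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Stream wrappers that have no business appearing in a request parameter.
WRAPPER_RE = re.compile(r"\b(php|data|expect|phar|zip|file)://", re.IGNORECASE)
# Client address, request target and status of a combined-format log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded wrappers still match."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_wrapper_requests(log_lines):
    """Return (ip, status, parameter, decoded value) for each suspicious parameter."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = fully_decode(value)
            if WRAPPER_RE.search(decoded):
                hits.append((m.group("ip"), int(m.group("status")), name, decoded))
    return hits

# Constructed sample log lines (not taken from the CTF box).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2019:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1500',
    '10.0.0.9 - - [21/Aug/2019:10:00:07 +0000] "GET /index.php?page=php://filter/resource=index HTTP/1.1" 200 4312',
    '10.0.0.9 - - [21/Aug/2019:10:00:09 +0000] "GET /index.php?page=PHP%253A%252F%252Ffilter%252Fresource%253Dindex HTTP/1.1" 200 4312',
    '10.0.0.7 - - [21/Aug/2019:10:00:12 +0000] "GET /search.php?q=https://example.org HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_wrapper_requests(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request means the include was served and the file behind it should be treated as disclosed.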


So far, so good. I wrote a simple 'file grabber' in python:


Results:


Next thing was to find the user who is able to use the password:

Name of the author of the page was a good idea to try:


Found flag1.txt :)


Next I used the LinEnum.sh script to enumerate the box (a little bit more, and faster, than I would have done manually ;P):

Ok, we got some emails :)

More:

Ok, looks like there is a flag2.txt:


Great, now:

That's why I couldn't grab files like 'admin' or 'backup'... ;>


Secret file!


I was looking for some other files of devops user:


Interestingly there was an antivirus.py file:


More:


Preparing msfconsole:


More:



And we got the session:

Next move:


Checking flag2.txt file and sudo -l:


More:


That's how I found a nice post about privesc using pip - you can check it here:

Checking some info about the AV:


So now we are here:



Great! Checking the flag:



See you next time!

Cheers

