Wakanda CTF

This time I tried Wakanda CTF prepared by xMagass. Here we go...
We will start here:

...waiting for enlil.py to finish the scan:

Checking www in the meantime:

Found hidden link, checking:

Ok, some manipulation is definitely possible:

More:

I tried few payloads using Burp and I found that we can use filters from PHP to include files:

So far, so good. I wrote a simple 'file grabber' in python:

Results:

Next thing was to find the user who is able to use the password:

Name of the author of the page was a good idea to try:

Found flag1.txt :)

Next I used LinEnum.sh script to enumerate the box (a little bit more and faster than I done that manualy ;P):

Ok, we got some emails :)

More:

Ok, looks like there is a flag2.txt:

Great, now:

That's why I couldn't grab files like 'admin' or 'backup'... ;>

Secret file!

I was looking for some other files of devops user:

Interestingly there was an antivirus.py file:

More:

Preparnig msfconsole:

More:

And we got the session:

Next move:

Checking flag2.txt file and sudo -l:

More:

That's how I found a nice post about privesc using pip - you can check it here:

Checking some info about the AV:

So now we are here:

Great! Checking the flag:

See you next time!

Cheers