Wakanda CTF

This time I tried Wakanda CTF prepared by xMagass. Here we go...
We will start here:

...waiting for enlil.py to finish the scan:

Checking www in the meantime:

Found hidden link, checking:

Ok, some manipulation is definitely possible:


I tried a few payloads using Burp and I found that we can use filters from PHP to include files:

So far, so good. I wrote a simple 'file grabber' in Python:


Next thing was to find the user who is able to use the password:

Name of the author of the page was a good idea to try:

Found flag1.txt :)

Next I used the LinEnum.sh script to enumerate the box (a little bit more and faster than I did that manually ;P):

Ok, we got some emails :)


Ok, looks like there is a flag2.txt:

Great, now:

That's why I couldn't grab files like 'admin' or 'backup'... ;>

Secret file!

I was looking for some other files of devops user:

Interestingly there was an antivirus.py file:


Preparing msfconsole:


And we got the session:

Next move:

Checking flag2.txt file and sudo -l:


That's how I found a nice post about privesc using pip - you can check it here:

Checking some info about the AV:

So now we are here:

Great! Checking the flag:

See you next time!


