Friday, 10 January 2020

Hacker Fest 2019 CTF

A few days ago I decided to try some new CTF(s) available at VulnHub. This time I played "Hacker Fest 2019" prepared by Martin Haller. Below you will find the details. Here we go...

Today we will start here:


As we can see in the description:

So it should be a very nice CTF for a new-year-warmup ;)

Let's go!

At this stage I used the enlil script to scan the target box:



As you can see there are a few interesting ports open :)

Let's start from WWW:


Cool, we can see that this is 'another WordPress site' ;) so let's use wpscan to check it. In the meantime I tried to use some exploits for Webmin available in Metasploit:

...but no luck. So when wpscan finished the scan I read the log file to find some 'unauthorized' bugs I can use to move forward. This is what I found:


The next step was to find more details about the vulnerability and how to use it against our target box. I found a working module in Metasploit ;)


So far, so good. We should see the file on our Kali VM:


The next step is to find the password:


Now I can use one of the Webmin exploits ;) Checking:


Looks like done ;D

You'll find more details below:


I assume that it was not the way I should solve this box... ;) anyway... as usual my goal is to get a shell as soon as possible ;)

The user's flag is presented below:



It was a very cool CTF! You should try it ;)

See you next time!

Cheers

 
