Library: Tryhackme Writeup

This post is a write-up of the Incognito CTF beginner box on Tryhackme.

Let's get started by deploying the machine. Once it is up, run a basic Nmap scan to see which ports and services are open on the target IP address.

Nmap Scan

nmap -sC -sV -A -T4 10.10.194.255

Port 80 is open, so let's look at the webpage first. It is the login page of an LMS (Library Management System).

[Image: LMS login page]

Whenever I see a login page like this on a box, my first step is one of three things: try common username/password pairs, run a dictionary attack with hydra, or try a basic SQL injection.

This time I started with the last one, SQL injection, and got into the website with a basic payload.

Username: '--

Password: '--
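A login bypass of this kind works when the application builds its query by splicing user input into the SQL text, so a quote closes the string literal and the "--" that follows comments out the rest of the WHERE clause. The Python below is an added example, not code from the write-up or from the LMS; it uses a constructed in-memory SQLite table and a hypothetical query shape, and runs a comment-truncation payload of the same family as the one above through the concatenated query and through a parameterized one.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the LMS user table (assumption: the
    # real schema is not shown in the write-up; the password is stored in
    # plain text here only to keep the example short).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Hypothetical vulnerable form: input is spliced straight into the SQL
    # text, so a quote plus a '--' comment marker cuts off the password
    # check and the query degrades to WHERE username='admin'.
    query = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Hardened form: bound parameters travel to the driver separately from
    # the query text, so the quote and comment marker are just characters
    # in a username that does not exist.
    query = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username, password):
    # Run the same credentials through both versions and report the results.
    conn = make_db()
    return {"vulnerable": login_vulnerable(conn, username, password),
            "safe": login_safe(conn, username, password)}


if __name__ == "__main__":
    # Constructed comment-truncation payload with a wrong password.
    print(compare("admin'--", "wrong"))        # {'vulnerable': True, 'safe': False}
    print(compare("admin", "correct-horse"))   # {'vulnerable': True, 'safe': True}
```

The fix is not escaping or filtering quotes but keeping data out of the query text altogether; the parameterized version accepts the legitimate credentials and rejects the payload without any special-casing.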

Once in, I went through the various functions looking for an injection point or other vulnerable features. After some exploring I found that the website was vulnerable to a file inclusion attack through the add/edit books function.

So I used Pentest Monkey's PHP reverse shell to get a reverse shell and a foothold on the box.
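The add/edit books function ends up serving a PHP file that the application should never have accepted. The defensive counterpart is strict validation of whatever that function takes in. The Python below is an added example, not code from the write-up or the LMS, and it assumes the function expects an image (such as a book cover); it checks the extension against an allowlist, rejects double extensions, verifies the leading bytes of the content, strips any directory part from the client-supplied name and stores the file under a random name.

```python
import os
import secrets

# Allowlist for the kind of file a book record may carry (assumption: the LMS
# expects an image such as a cover; the write-up does not show the upload code).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Leading bytes each allowed type must start with, so that a PHP file renamed
# to .png is rejected by content, not just by name.
MAGIC_BYTES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Extensions a web server may hand to an interpreter even when they are not
# the final one (e.g. cover.php.png under a loose handler configuration).
EXECUTABLE_PARTS = {"php", "phtml", "php3", "php4", "php5", "phar"}


def validate_upload(filename, content):
    """Return (accepted, detail). On success detail is the new server-side
    name; on failure it is the reason for rejection."""
    # Drop any directory part so "../" in the client-supplied name cannot
    # choose the storage location.
    name = os.path.basename(filename)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not allowed" % ext
    # Reject double extensions such as shell.php.png.
    inner = {part.lower() for part in stem.split(".")[1:]}
    if inner & EXECUTABLE_PARTS:
        return False, "executable inner extension in %r" % name
    if not content.startswith(MAGIC_BYTES[ext]):
        return False, "content does not look like %s" % ext
    # Never keep the client's name: store under a random one with the
    # validated extension.
    return True, secrets.token_hex(8) + ext


# Constructed sample inputs: a bare PNG header and a tiny PHP file.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'test'; ?>"

if __name__ == "__main__":
    for fname, data in [("cover.png", PNG_SAMPLE),
                        ("shell.php", PHP_SAMPLE),
                        ("cover.php.png", PNG_SAMPLE),
                        ("cover.png", PHP_SAMPLE),
                        ("../../etc/cover.png", PNG_SAMPLE)]:
        print(fname, "->", validate_upload(fname, data))
```

A magic-byte check can be fooled by a file that is both a valid image and valid PHP, so validation like this belongs alongside storing uploads outside the web root (or with script execution disabled for that directory); none of the checks above replaces that.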

[Image: admin panel]

Before uploading the shell I opened a listening connection via netcat.

nc -lnvp 9999
[Image: netcat listener]

As you can see this is not an interactive pty, so in order to run commands like su we need to spawn a pty with a Python one-liner.

python3 -c 'import pty; pty.spawn("/bin/bash")' 
[Image: shell received]

user.txt

After getting a stable pty I found a user cirius and got the user flag from there.

[Image: user.txt]

root.txt

Initially I had trouble getting root, but the CTF author released a hint on Discord that the user cirius is using a weak password. I used su cirius with the password password to switch to the cirius user.

[Image: lateral escalation]

After switching user I ran sudo -l, which lists the commands the current user is allowed to run with sudo.

[Image: sudo -l output]

From here we can deduce that we can run basically anything as the superuser, as long as we have the password.
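A grant of "(ALL : ALL) ALL" is what makes the last step trivial, and it is exactly the kind of entry an administrator wants to catch before a CTF-style walkthrough does. The Python below is an added example, not code from the write-up; it parses output in the shape sudo -l prints (the sample is constructed, not the box's real output) and flags grants that amount to unrestricted root or that need no password.

```python
import re

# Constructed sample in the shape `sudo -l` prints; not the box's real output.
SAMPLE_SUDO_L = """\
Matching Defaults entries for cirius on incognito:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User cirius may run the following commands on incognito:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# One grant line: "(runas[ : rungroup]) [TAG: ...] command[, command...]"
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Turn sudo -l output into a list of {runas, tags, command} dicts."""
    entries = []
    in_grants = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_grants = True      # everything after this header is a grant
            continue
        if not in_grants or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmds").split(","):
            entries.append({"runas": m.group("runas").strip(),
                            "tags": tags,
                            "command": cmd.strip()})
    return entries


def audit(entries):
    """Flag grants that give unrestricted root or skip the password prompt."""
    findings = []
    for e in entries:
        pw = "not required" if "NOPASSWD" in e["tags"] else "required"
        if e["command"] == "ALL":
            findings.append("any command as (%s), password %s" % (e["runas"], pw))
        elif "NOPASSWD" in e["tags"]:
            findings.append("%s as (%s) without a password"
                            % (e["command"], e["runas"]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print("FINDING:", finding)
```

The first finding is the situation on this box: the password is still asked for, so a weak password is the only thing between a foothold and root, and both the grant and the password policy deserve attention.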

So let's become the superuser and get the final flag, which is supposed to be in /root.

[Image: root flag]

Reading the root.txt file, I saw the last flag and was able to complete the box! For more writeups like this, you can click here. Many more writeups of Incognito CTF coming soon.
