JIS-CTF: VulnUpload Vulnhub Writeup

My first boot2root beginners challenge taken from here: JIS-CTF: VulnUpload from vulnhub.com.
First we start with an nmap scan:

Flag 1

The nmap scan already reveals a lot of information. The first flag can be found under the url http://[jordan vm]/flag:

The 1st flag is : {8734509128730458630012095}

Flag 2

Under the url http://[jordan vm]/admin_area the second flag is hidden in the source code together with the credentials for the main login page:

username : admin
password : 3v1l_H@ck3r
The 2nd flag is : {7412574125871236547895214}

Flag 3

Behind the login is a file upload page which doesn’t check the uploaded content (just the size). I’ve uploaded a weevely php shell and gained access to the vm as user www-data.
In the /var/www/html directory there are two other interesting files: hint.txt and flag.txt. The latter isn’t readable by our current user, but the former is:

try to find user technawi password to read the flag.txt file, you can find it in a hidden file ;)
The 3rd flag is : {7645110034526579012345670}

Flag 4

This one took me quite a while. I didn’t find the file and dunno if it was misleading that it wasn’t a hidden file in terms of Linux. After a lot of searching I used a simple grep -ri flag /etc/ which reveals the file /etc/mysql/conf.d/credentials.txt:

The 4th flag is : {7845658974123568974185412}
username : technawi
password : 3vilH@ksor
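
A defender-side check for the misconfiguration behind flag 4, a plain-text credentials file under /etc that the web server account could read. This is an added example, not part of the original writeup; the regex, the function names and the sample files are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Keys that usually introduce a secret in plain-text config files (assumed list).
SECRET_RE = re.compile(r"(?i)\b(pass(word|wd)?|secret|token)\b\s*[:=]\s*\S+")


def audit_tree(root):
    """Return sorted (path, line_no) pairs for world-readable files holding secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Only regular files that any local account (e.g. www-data) can read.
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                    continue
                with open(path, "r", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        if SECRET_RE.search(line):
                            findings.append((path, no))
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the audit
    return sorted(findings)


def demo():
    """Build a constructed tree mirroring the layout in the writeup and audit it."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "mysql", "conf.d")
        os.makedirs(conf)
        samples = {  # constructed sample files, not taken from the VM
            "credentials.txt": ("username : appuser\npassword : Example-Only-1\n", 0o644),
            "locked.cnf": ("password = Example-Only-2\n", 0o600),
            "mysqld.cnf": ("port = 3306\n", 0o644),
        }
        for name, (body, mode) in samples.items():
            path = os.path.join(conf, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)  # set exact permissions regardless of umask
        return [(os.path.relpath(p, root), n) for p, n in audit_tree(root)]


if __name__ == "__main__":
    for rel, line_no in demo():
        print(f"world-readable secret: {rel}:{line_no}")
```

Only the 0644 credentials.txt is reported; the 0600 file holds a password too but is not readable by other accounts, which is the state such a file should be in if it must exist at all.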

Flag 5

With the above credentials we can log into the box via ssh as user technawi and read the flag.txt in the /var/www/html directory:

The 5th flag is : {5473215946785213456975249}
Good job :)
You find 5 flags and got their points and finish the first scenario....

And as a side note, the hidden file .sudo_as_admin_successful in the home directory of technawi reveals that the user technawi can sudo to root.

That’s all folks. Since this is my first ctf boot2root challenge, is it okay that I list the flags here? If not please comment and I’ll remove them. Thanks.
