
CK 00: CTF walkthrough [part 2]

In the previous article, part 1 of this CTF, we were able to complete the following steps on the victim machine:

  1. Getting the victim machine IP address
  2. Scanning open ports by using the nmap scanner
  3. Enumerating the WordPress website
  4. Exploiting through Metasploit and getting the Meterpreter connection
  5. Enumerating the target system with a limited shell
  6. Exploiting a local privilege escalation vulnerability to get root

In this article, we’ll take further steps to get root access on the victim machine. The steps we’ll be covering are as follows:

The steps

  1. Enumerating users by analyzing the passwd file
  2. Getting the database credentials by analyzing the WordPress configuration file
  3. Logging in as the Bla user
  4. Enumerating and exploiting the SCP utility to gain access as the Bla1 user
  5. Enumerating the DD utility and getting root access

The walkthrough

Step 7

As our usual local exploit technique did not work, I went back to exploring the victim machine with the limited shell. This time, I started by checking the “/etc/passwd” file to get an idea of the users available on the machine.

Since the “/etc/passwd” file is readable by all users, it was not difficult for me to read it: I simply used the cat command. The output of the command can be seen in the following screenshot:

Command used: cat /etc/passwd

After analyzing the passwd file, I realized that there were three users on the victim machine. I thought these might be linked to something elsewhere on the system that could help us get root access.

I didn’t have any information related to these users that I could use yet, so I noted down the names of all three for later.

Step 8

So far, we don’t (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Nikhil Kumar. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/zHVdXX0t-R0/
