TBBT: Fun with flags Walkthrough

Before putting hands on the machine I read its description on VulnHub, which says that DHCP is disabled and the IP of the machine is 192.168.1.105. So the first thing I did was set my Host Network Manager to the 192.168.1.x range, and then I moved on to enumeration, since the IP of the machine is already given in the description.

Port Scanning

Here, as the result clearly shows, FTP has anonymous login enabled. I logged in to FTP and started enumerating there, but it wasn't that helpful: I only found a few flags and hints that I had no idea about at the time.

In the nmap result, the last port, 1337, is clearly saying something, so I had a look at this port using telnet.

Here I found the Sheldon flag on this port, as it is also present in the nmap result.

Moving on to the web at “http://192.168.1.105/”, what I found is a picture from the show “The Big Bang Theory”.

http://funwithflags/

Nothing interesting is available here, so I moved on to scanning for directories that might help me move forward.

Here I got three interesting things. The first is the robots.txt file, which lists a few disallowed paths, but I didn't find them useful at this time.

WordPress Time

I also found that WordPress is running on the machine, so I went back to the terminal and started scanning WordPress using “wpscan”. I scanned for plugins and found one that is outdated as well as vulnerable.

The plugin “reflex-gallery” is outdated, at version 3.1.3, so without delay I searched for an exploit for it and found one. The exploit is a .txt file that gives the details needed to exploit the plugin manually.

Reference: https://www.exploit-db.com/exploits/36374

The vulnerability is an Arbitrary File Upload.

Reading and understanding the exploit is not tough at all. I made a .html file, put in the code present in the exploit, and opened it with a web browser.

file:///root/reflex.html

Here the directory path of the plugin is helpful for uploading the shell to the web server. After a little enumeration of the plugin directory I found the php.php file, which seems interesting because of what it says.

http://funwithflags/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

Uploading the PHP shell file to the web server is easy: just select the .php file and click the Pwn! button.

Make sure to replace the path in the html file with the path to php.php, which is “http://192.168.1.105/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php”.

http://funwithflags/music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php

Here the PHP shell file got uploaded to the machine successfully, and the path where the file was uploaded is also shown. Now it's time to call the shell file.

http://funwithflags/music/wordpress/wp-content/uploads/phhp.php
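As an added defensive example that is not part of the original post, this Python script scans Apache-style access-log lines for the two traces this upload chain leaves on the server: a POST to the plugin's FileUploader/php.php and a request for a .php file under wp-content/uploads/, and rates the second high when the same client did both. The log lines, client IPs and timestamps are constructed; only the two URL paths come from the walkthrough.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" log line: client IP, identity, user, [timestamp],
# "METHOD path protocol", status. Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The plugin's upload handler (path taken from the walkthrough) and any PHP
# file served from the uploads tree, which normal WordPress use never needs.
UPLOADER_RE = re.compile(r'/wp-content/plugins/reflex-gallery/.*/FileUploader/php\.php')
PHP_IN_UPLOADS_RE = re.compile(r'/wp-content/uploads/.*\.php(\?|$)', re.IGNORECASE)

# Constructed sample log lines modelling the sequence in the walkthrough;
# the client IPs and timestamps are invented.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2020:12:00:01 +0000] "GET /music/wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2020:12:00:07 +0000] "POST /music/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2020:12:00:15 +0000] "GET /music/wordpress/wp-content/uploads/phhp.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.60 - - [10/Mar/2020:12:01:00 +0000] "GET /music/wordpress/wp-content/uploads/2020/03/cat.jpg HTTP/1.1" 200 80213 "-" "Mozilla/5.0"
"""


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious request. A PHP request under
    wp-content/uploads/ is rated high when the same client previously
    POSTed to the reflex-gallery uploader, i.e. both halves of the
    arbitrary-file-upload chain are visible from one source."""
    findings: List[Dict[str, str]] = []
    posted_to_uploader = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ip, method, path, status = m['ip'], m['method'], m['path'], m['status']
        if method == 'POST' and UPLOADER_RE.search(path):
            posted_to_uploader.add(ip)
            findings.append({'ip': ip, 'path': path, 'status': status,
                             'rule': 'post-to-reflex-gallery-uploader',
                             'severity': 'medium'})
        elif PHP_IN_UPLOADS_RE.search(path):
            findings.append({'ip': ip, 'path': path, 'status': status,
                             'rule': 'php-requested-from-uploads',
                             'severity': 'high' if ip in posted_to_uploader else 'medium'})
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['ip']} {f['rule']} {f['path']} ({f['status']})")
```

The same two rules can be turned into web-server or WAF configuration: deny execution of .php under wp-content/uploads/ and restrict or remove the plugin's uploader.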

Here I started a listener on port 1234 and called the shell from the web. I used the following command to get the reverse shell:

After getting the bash shell I moved further:

With further enumeration I got a few flags at different locations.

Meanwhile, during enumeration, I came across an interesting file: a .sh file with all permissions set, in the directory named “leonard”. With some help from Google on privilege escalation, I found the way to do it.

I appended a command to the executable .sh file to get a shell.

In another terminal the listener is on.

That looks pretty good. At this point I got root. Now, as the description of the VM says, there are 7 flags in total, without which the CTF is incomplete. So I started enumerating for the flags again.

Another flag found.

After a bit more enumeration I got the credentials for phpMyAdmin and the MySQL database.

One more flag found. Again using the credentials I found in the wp-config.php file, I logged in to MySQL and enumerated the next flag.

Now for the one last missing flag. I started enumerating again from the very beginning, where I had come across a file named super_secret_nasa_stuff_here.zip that I had already downloaded. I had tried to unzip it earlier, but the file is password protected, so I googled a way to brute-force it and found a tool to do so.

Here I got all 7 flags as well as root on the machine. Well, as the machine's name says, “Fun with flags”, there is a lot of fun in finding the flags. I came across a few new concepts while solving and finding the flags, and cleared up those concepts too.
