How to hack: Midnight CTF — vulnhub walkthrough
We start by downloading the VM from https://www.vulnhub.com/entry/sunset-midnight,517/, adding it to VirtualBox and adjusting the network settings.
We then fire up netdiscover to locate the VM’s IP address:
Following the instructions for the VM we add a hosts entry with that IP:
Then we do an nmap scan to see which ports are open:
Port 80 has the usual WordPress site:
Let’s give MySQL a try while we run the other checks:
Since we’re root in MySQL we can move around freely:
WordPress has only one user:
We can use this guide to create ourselves an admin user:
We now log in to WordPress using demo/demo, and we have full access to the blog:
Now we get access to the disk by installing the “Advanced File Manager” plugin:
I now download my trusty workhorse (or pony): p0wny shell from https://github.com/flozz/p0wny-shell/blob/master/shell.php
and upload it at the site’s root:
Then browse to it:
We have a user called jose and his flag, but no permissions to read it:
After a long while of searching for stuff I notice that WordPress is running with the MySQL user of jose:
And his DB password is the same as his SSH password:
Now that I am logged in as jose, I run LinEnum.sh (https://github.com/rebootuser/LinEnum)
Looking at the SUID/SGID files, I notice one that has a recent modification date compared to the rest of the system: “/usr/bin/status”
If I run it, it says that “service” is not found:
Running it with www-data does work:
I create a fake “service” file that just tells me who is running it, and rerun the status command:
I’ll set up a netcat listener and add my Python reverse shell script to the fake service command:
And there’s the flag:
This is the source code for the status command:
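The original post shows the binary’s source only as a screenshot, which is not reproduced here. As an added example that is not the VM’s code, the following is how a setuid helper like this should invoke `service`, assuming (from the fake-“service” trick above) that the original resolved the command through the caller’s PATH: run it by absolute path, under a fixed environment, with the unit name validated; the binary path, environment and name rules are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical hardened replacement for the setuid "status" helper.
 * Assumed weakness of the original: something like
 *   system("service mysql status");
 * which lets the invoking user's PATH decide what "service" is. */

#define SERVICE_BIN "/usr/sbin/service"   /* absolute path: no PATH lookup */

/* Fixed environment for the child: the caller's PATH, LD_PRELOAD, IFS etc.
 * never reach the helper, whatever the invoking user exported. */
static char *const safe_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Accept only plain unit names ([A-Za-z0-9._-], not starting with '-' or '.')
 * so the argument can never become an option or a path component. */
int unit_name_ok(const char *unit) {
    size_t n = unit ? strlen(unit) : 0;
    if (n == 0 || n > 64 || unit[0] == '-' || unit[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)unit[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Runs "service <unit> status" via execve (no shell) with the fixed environment.
 * Returns the child's exit status, or -1 if the name is rejected or wait fails. */
int run_service_status(const char *unit) {
    if (!unit_name_ok(unit)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "service", (char *)unit, "status", NULL };
        execve(SERVICE_BIN, argv, safe_env);
        _exit(127);                       /* exec failed: never fall back to a shell */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

int main(int argc, char **argv) {
    int rc = run_service_status(argc > 1 ? argv[1] : "mysql");
    if (rc < 0) { fprintf(stderr, "status: bad unit name or exec failure\n"); return 1; }
    return rc;
}
```

Even with these fixes, the binary should only be setuid if a non-root user genuinely needs it; the unusually recent mtime that gave it away in LinEnum is exactly the kind of drift a SUID-file audit should flag.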
Hope you enjoyed this guide :)