Broken-2020: 1, Vulnhub Walkthrough

Vulnhub logo

As I said earlier , I only post writeup of ctfs which do not have a public walkthrough easily available by the time I solve it , so here goes another really easy vulnhub vm which took less than an hour to solve. This what was given about the machine
Level : beginner for user flag and intermediate for root flag.
No exploit, custom exploitation is need.
Work on virtualbox.
This works better with VirutalBox rather than VMware
You can download the vm from this link
https://download.vulnhub.com/broken-2020/broken-2020.ova
So lets start off, first as usual we run a full port scan , this was what I got.

As usual , we thought that port 80 would be our way in, so we tried to enumerate it as much as possible. We visit the page and this is what we got

Hmm, this doesn’t seem to be much to go on, so we do a directory brute force, and these were the results:-

The cms directory seems interesting. Lets try to navigate to it.

We tried searching for this cms, but couldn’t find anything. So the we pressed the install button and this is what happened.

We press “go here” and we were greeted with this message.

Seems the website got defaced. We tried enumerating along the cms directory and we found the first flag.

Having no other option, this time we again ran a dirb scan this time along the cms directory. We were right , we found something

We visited the newly found index.php file , and we got this

It seemed some sort of portal which would interact with other nodes. The first step was to obviously find out what it was doing, so we entered our ip and port and simultaenously opened up a python web server in the same port just to check whether it interacts with it , our gamble paid off it seems!

From the above , it seems that the server is making a request to that bash file and executing commands . So this time we created a bash file of the same name and this time put a basic command (id) . And tried it again

So we achieved rce! Now was the time to gain a proper shell. We inputed a python one liner reverse shell command in the file and repeated the steps again.

As expected , we got our reverse shell on our netcat listener

Enumerating the machine , we found our second flag and a note under user alice’s directory

The same directory had another directory called script, and we found the script and enumerated all its permissions

From the note(And some more enum on the processes manually), we could see that the log.py was running with permissions of alice every minute . We can see that we cant modify it , but the directory was writable, meaning we could overwrite the file. So we did the following.
First we wrote a log.py file in our machine which would return a reverse shell.

Next we changed the name of the existing log file in the victim and placed our own file in it.

Now we open our nc listener and wait for a minute, sure enough we get a reverse shell as alice under directory backup which we originally couldn’t enter due to a permission issue.

And we open our third flag

Now if you notice , there is a note file, we opened it and found this

If you check we have a path.txt file as well. Reading the note, it gave me the idea that a cron was running which was collecting the directories written in the file and copying it to this directory with root privileges. Since the challenge was to read the root file , we did this

And waited for a while. Sure enough the directory was copied into the backup folder and we read the root flag.

So we solved it finally. Hope you guys liked this really easy ctf.
P.S. I have no clue why around the end one keystroke displayed two outputs, but all the commands were working as expected so couldn’t complain.
Thank you for your time:)

Cats, pizza and cyber security are all I live for! Follow me for a wide variety of topics in the field of cyber security. OSCP ,CRTE , CRTP ,CKAD holder.