WizardSecLabs Writeups

Writeups for all the WizardSecLabs boxes I have solved

View on GitHub



DATE: 7/10/2019



So there are 3 ports open. We’ll start our enumeration with HTTP service on port 80.


I didn’t find anything in the source or any links. So I ran dirsearch on it.

But nothing here seems interesting here since all of these directorys looks like some default dirs.

So I started dirsearch on port 10000.

I searched the /administrator and found 2 URLs

And in /logs I found /error.php

But in /error.php I got nothing.

So I tried to search /blog and noticed that it was running joomla so I used joomscan to see if I can find anything.

This also didn’t find anything. So again I had to message @4ndreq and he said that I should do OSINT of an email. But obviously first I need to find that email. I realized there was an email on the website running on port 80 in contact us section. I googled that and found pastebin post with password in it.


Using cebu:cabergas08 I was able to log in admin in joomla.

Reverse shell

To get reverse shell we can go to Extension > template > templates > beez3 > error.php and in that just copy paste the code to get reverse shell.

Then you can setup your listner nc -nlvp 4444 and trigger the shell by running visiting

Pwn user

Since I already know the password for cebu I did su cebu and entered cabergas08 to become cebu

Also to get a proper shell I added my public key to authorized_key under .ssh/ folder.

$ echo "your public key" > authorized_keys

Privilege escalation

I ran my enumeration script and found a SUID.

To see what that SUID was I executed sudo.old --help and got the options for bash. Meaning the suid is bash but renamed to something else.

So to get root shell from this we can do sudo.old -p.

Then we can get the root flag.

This was machine was fun todo. Thanks to @H4d3s for making this machine.

Thanks for reading, Feedback is always appreciated.

Follow me @0xmzfr for more “Writeups”.