CTF Walkthrough – Basic Pentesting:1

Hey! It’s been a while since I’ve played around with any pentesting tools or capture-the-flags so I thought I might as well jump straight back in with a super basic CTF just to get used to the methodology again.

This CTF is named “Basic Pentesting:1″ by Josiah Pierce. It’s a super easy boot2root and wont take very long to solve. It involves a bit of service discovery, bruteforce, reverse shells and privilege escalation.

If you don’t want to read this post, skip to the bottom where you’ll find the video šŸ™‚ Don’t forget you can stalk me on social media: Twitter: @Jackk1337/@JackkTutorials Instagram: @Jackk1337 YouTube: JackkTutorialsĀ 

Lets begin….


To start with I booted up the machine and got the IP Address from the home screen (thanks Ubuntu).

And then I can launch a simple nmap scan just to identify some services that are running on the target machine

nmap -sS

Which gave these 3 results:

[email protected]:~# nmap -sS

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-04 12:08 GMT
Nmap scan report for vtcsec (
Host is up (0.000079s latency).
Not shown: 997 closed ports
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:2Upload Files9:AE:35:F3 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

So what this tells me (at a glance) is that there is 3 services running on this machine: FTP, SSH & HTTP. So with this information I headed over to which gave me this page:

So from here I checked to see if there was a /admin dir or /login.php file or /robots.txt but there wasn’t. There also wasn’t anything hidden in the ‘view source’ so I loaded up dibuster to find some more folders for us.

Here I’m just using a dirbuster attack with a small wordlist to find some more folders & files.

After not very long, I discovered what looks like a wordpress installation in a dir called “Secret”.



You can see that when it’s loaded, things don’t look right… Upon inspection it looks like content is coming from a domain called “http://vtcsec” so I added this to my hosts file (sudo nano /etc/hosts) and mapped vtcsec to When I refresh to page things start to load much better.

From here I went to the and attempted to login. I used the username “admin” and a random password and I got the following message:

ERROR: The password you entered for thhe username admin is incorrect.

What this tells me is that ‘admin’ is a valid user in this database. So then I just tried the credentials “admin:admin” and what do you know… It worked.

So now that we have admin access to the wordpress control panel we can upload a reverse_tcp payload via the plugin manager. The payload I’m using is “malicious-wordpress-plugin” which is hereĀ 

This uses meterpreter to create a simple php file that can be uploaded to the wordpress site and a connection to be established.

So here I have my “malicious.zip” file which will be uploaded to the wordpress site, and the terminal is showing meterpreter waiting for a connection. So I upload that zip file to the wordpress site, activate the plugin and then navigate to “http://vtcsec/secret/wp-content/plugins/malicous/wetw0rk_maybe.php” which initiates a connection to my kali box.

So now we are in the system as “www-data”. Now all we need to do is escalate our privileges to root. So I’m going to use a script called “unix-privesc-check” from pentestmonkey which is a really powerful script that can check for simple privilege escalation vectors on a Unix system. You can get that here

So I simply upload that file to the box using meterpreter upload function. Then I just drop into a proper shell using this command

python -c ‘import pty; pty.spawn(“/bin/bash”)’

And then I can make it executable with this command:

chmod +x unix-privesc-check

And then run it

./unix-privesc-check standard > output.txt

Once that’s ran I’m going to download the output and then analyze it to see what it hides. Inside the file is the following entry:

Checking if anyone except root can change /etc/passwd
WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd

What this tells me is that I can modify roots password without being root. So I download the passwd file to my kali machine and change the password like so…

By default, the etc/passwd file contains this entry:


Using a command called openssl I can generate a new password hash and enter it in place of ‘x’.

[email protected]:~# openssl passwd -1
Verifying – Password:

And then I enter that hash into the passwd file and re-upload it. Then simply login as root:

[email protected]:/var/www/html/secret/wp-content/plugins/malicous$ su root -l
su root -l
Password: pass

[email protected]:~#

And there you go… boot2root success!

Also bonus points… in the /var/www/html/secret/wp-config.php file contains the root credentials for the wordpress mysql database, which could of been another attack vector.

So I hope you liked this writeup, the video is just below! A very simple boot2root which can be completed pretty quickly with no nasty tricks, perfect for if you’re just starting out or just coming back like I am.


Leave a Reply

Your email address will not be published. Required fields are marked *