Vulnhub : Warzone 2

Nmap

I found several ports open like 21, 22 & 1337.

Port 21 (FTP)

Access as anonymous, I found 3 images like below:

So let’s use mget * to get all of the images.

Images

Since I have play CTF several times. This is called Flag Semaphore and one of the best platforms to decode it using https://www.dcode.fr/semaphore-flag

username.png

By decoding the above picture I got “semaphore”

password.png

By decoding the above picture I got “signalperson”

token.png

Since I got the username & password let’s get the hash & token

HASH = sha256(semaphore + signalperson)
TOKEN = bytesToHex(HASH)

I make a simple python script to do this :)

Port 1337

Since I have all of the things needed let’s check on port 1337. It asks for a username, password, and token which I already have.

So I can use ls, pwd and nc. Let’s try to get a reverse shell using nc.

Flagman (User)

I tried to run linpeas and found this

After reading the file I found a possible password for the flagman.

Try to su flagman and we got in!

Admiral (User)

I try to sudo -l and found this.

Let’s try run the python as admiral.

Also, I should port forward port 5000 by using SSH.

ssh -L LOCALPORT:127.0.0.1:REMOTEPORT flagman@192.168.0.119
ssh -L 5000:127.0.0.1:5000 flagman@192.168.0.119

The first thing I did was to go to /console and put the Debugger PIN and I tried to get a reverse shell from it.

Root

First thing first let’s try sudo -l and I found like below:

We can try check on GTFOBINS

Nice! I manage to root it :)

References

https://www.dcode.fr/semaphore-flag

https://gtfobins.github.io/gtfobins/less/#sudo