Vulnhub : Warzone 2

Nmap

I found several ports open like 21, 22 & 1337.

Port 21 (FTP)

Access as anonymous, I found 3 images like below:

So let’s use mget * to get all of the images.

Images

Since I have play CTF several times. This is called Flag Semaphore and one of the best platforms to decode it using https://www.dcode.fr/semaphore-flag

By decoding the above picture I got “semaphore”

By decoding the above picture I got “signalperson”

Since I got the username & password let’s get the hash & token

I make a simple python script to do this :)

Port 1337

Since I have all of the things needed let’s check on port 1337. It asks for a username, password, and token which I already have.

So I can use ls, pwd and nc. Let’s try to get a reverse shell using nc.

Flagman (User)

I tried to run linpeas and found this

After reading the file I found a possible password for the flagman.

Try to su flagman and we got in!

Admiral (User)

I try to sudo -l and found this.

Let’s try run the python as admiral.

Also, I should port forward port 5000 by using SSH.

The first thing I did was to go to /console and put the Debugger PIN and I tried to get a reverse shell from it.

Root

First thing first let’s try sudo -l and I found like below:

We can try check on GTFOBINS

Nice! I manage to root it :)

References

https://www.dcode.fr/semaphore-flag

https://gtfobins.github.io/gtfobins/less/#sudo

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store