CTF Walkthrough | TryHackMe | GodBlessAmerica

Kapish Kuchroo
6 min read · Feb 7, 2023

Capturing the flag on this machine involves finding an LFI vulnerability. The box is at https://tryhackme.com/room/godblessamerica; you can also log in to TryHackMe and go to Rooms → godblessamerica.

Reconnaissance:

I started with an nmap port scan and found that ports 80 and 2082 are open.

Then I went to the website on port 80, where the site is hosted, to find out what is used on the server side to build it.

I found that there is a domain, votenow.local, where the website is hosted. At that point I did not know whether there were other domains, but this was the only interesting piece of information I found through enumeration.

I added the entry to /etc/hosts, then pinged votenow.local to check that the IP address was mapped correctly to the hostname.

It was correctly mapped to the IP address.

After that I went to the website and viewed the page source to look for any interesting scripts or information.

I started gobuster to find interesting directories, and used the -x flag so that it would also look for files with extensions of interest.

Gaining Access:

I found a config.php.bak file, from which I could read the username and password for the database. I

This was another interesting directory but did not yield any results.

Enumeration is key: I found another directory called /assets. It did not yield much information either.
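The config.php.bak leak above is the kind of thing a defender can catch before a directory brute-forcer does. The following script is an added example for this write-up, not code from the room or its author: it walks a web document root and reports backup or editor copies of server-side files, plus configuration files that embed credentials and that the web server would serve verbatim (a config.php is executed by PHP, but config.php.bak is handed out as text). The file names, contents and the assumption that .php/.phtml are the executed extensions are constructed for the demo.

```python
"""Added example (not from the room or its author): find files in a web
document root that a brute-forcer would find and the server would serve
as plain text, e.g. config.php.bak beside config.php."""
import os
import re
import tempfile

# Leftovers from editors, deploy scripts and manual backups.
BACKUP_NAME = re.compile(
    r"(\.(bak|old|orig|save|swp|tmp|copy|dist|sample)$|~$|^\.#|^#.*#$)", re.IGNORECASE
)
# File names that usually hold configuration or secrets.
CONFIG_NAME = re.compile(r"(config|settings|\.env|credentials)", re.IGNORECASE)
# Assignment-style lines that look like a hard-coded credential.
SECRET_LINE = re.compile(
    r"""^\s*\$?\w*(pass(word)?|secret|token|api_?key)\w*\s*[=:]\s*['"][^'"]+['"]""",
    re.IGNORECASE | re.MULTILINE,
)
# Extensions the server executes instead of serving verbatim (assumed PHP setup).
EXECUTED = {".php", ".phtml"}


def find_exposed_files(docroot):
    """Return sorted (relative_path, reason) tuples for risky files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if BACKUP_NAME.search(name):
                findings.append((rel, "backup/editor copy served from docroot"))
            served_as_text = os.path.splitext(name)[1].lower() not in EXECUTED
            if CONFIG_NAME.search(name) and served_as_text:
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue
                if SECRET_LINE.search(text):
                    findings.append((rel, "plaintext credential in a file served as text"))
    return sorted(findings)


def build_sample_webroot():
    """Create a throw-away docroot with constructed files; returns its path."""
    root = tempfile.mkdtemp(prefix="docroot-demo-")
    php_config = "<?php\n$db_user = 'dbuser';\n$db_pass = 'demo-only-password';\n"
    files = {
        "index.php": "<?php echo 'hello';\n",
        "config.php": php_config,        # executed by PHP: the secret never leaves the server
        "config.php.bak": php_config,    # served verbatim: leaks the same secret
        "assets/style.css": "body { margin: 0 }\n",
        "assets/.env": 'DB_PASSWORD="demo-only-password"\n',
        "admin/login.php~": "<?php // editor backup\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in find_exposed_files(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Point it at a real document root (or run it in CI before a deploy) and the config.php.bak case reports twice: once as a backup copy, once as a credential that would be served in the clear, while the executed config.php is silent.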

Simultaneously, I used nikto to look for known vulnerabilities on the website. It reported that the website was vulnerable to cross-site scripting, and also suggested that the database would yield the username and password.

I also started a vhost search to find more valid virtual-host domains for further enumeration.

I added the new domain to the /etc/hosts file.

I opened the domain and could clearly see why nikto reported that the database username and password were exposed.

I used the credentials found earlier as the username and password to log in to phpMyAdmin.

I was able to log in to phpMyAdmin successfully.

Username and password are visible.

I saved the password for the admin user in a text file.

I realised that the password was stored as a hash, so I had to crack it with John the Ripper. Enumeration is key. The password turned out to be Stella. We will use this password after getting the reverse shell, when we switch user to admin.
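The admin hash fell to John because of how it was stored. The block below is an added example, not code from the room or its author: it shows the storage scheme that would have made the dumped row useless, with PBKDF2-HMAC-SHA256, a random per-user salt, a constant-time comparison, and a transparent upgrade of legacy unsalted MD5/SHA-1 rows on the next successful login. The user rows, the passwords and the 600,000-iteration work factor are constructed assumptions for the demo.

```python
"""Added example (not from the room or its author): salted, slow password
hashing with in-place migration of legacy unsalted MD5/SHA-1 rows."""
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed work factor; tune so one hash costs ~100 ms on the login host
LEGACY_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$", re.IGNORECASE)
SCHEME = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """True if password matches a modern record; malformed records never verify."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return False
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def verify_legacy(password, stored):
    """Unsalted MD5/SHA-1 hex as found in older PHP apps; only used to migrate."""
    algo = "md5" if len(stored) == 32 else "sha1"
    digest = hashlib.new(algo, password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored.lower())


def needs_rehash(stored, min_iterations=ITERATIONS):
    """Legacy format or too-low work factor: rehash on next successful login."""
    if LEGACY_HEX.match(stored):
        return True
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < min_iterations


def authenticate(users, username, password):
    """Check a login against the users dict; upgrade the stored row in place if needed."""
    stored = users.get(username)
    if stored is None:
        hash_password(password)  # burn the same cost so timing does not reveal valid names
        return False
    if LEGACY_HEX.match(stored):
        ok = verify_legacy(password, stored)
    else:
        ok = verify_password(password, stored)
    if ok and needs_rehash(stored):
        users[username] = hash_password(password)
    return ok


def make_legacy_row(password):
    """Constructed legacy row: unsalted MD5 hex, the format a wordlist attack eats for breakfast."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    users = {"admin": make_legacy_row("demo-only-password")}  # constructed sample row
    print("before:", users["admin"])
    print("login :", authenticate(users, "admin", "demo-only-password"))
    print("after :", users["admin"][:48] + "...")
```

After one successful login the admin row changes from a bare MD5 digest to a salted PBKDF2 record, so a later database dump no longer cracks with a wordlist in seconds, and the work factor stored in each row lets you raise ITERATIONS later and migrate again.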

Next, after realising that the reverse shell would come through phpMyAdmin, I searched searchsploit for vulnerabilities in that version of phpMyAdmin. I downloaded one of the exploit files, for phpMyAdmin version 4.8.1, which showed how to get a reverse shell through the phpMyAdmin console.

Reverse Shell:

Steps 1 and 2 in the CVE write-up are essential for finding the LFI vulnerability.

I used the first command to run the SQL query, then looked for the cookie stored in the browser for this website. I took the session file found above and used it for the cookie value.

Before using the cookie value, I stored it in a text file.

To finally get the reverse shell, I first started a netcat listener on port 4444.

Then I realised that a one-liner PHP reverse shell would get me the shell, so I started looking for one-liner reverse shells.

After finding a suitable reverse shell, I used the SQL tab to write the query containing the one-liner reverse shell.

I copied the cookie value from the website.

Now, editing the second step from the searchsploit exploit, I replaced the cookie part with the cookie found in the steps above. Look at the contents carefully to understand how I edited the URL.
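Both halves of this attack leave a clear trail in the web server's access log: the gobuster run earlier in the write-up is a burst of 404s from one client, and the phpMyAdmin LFI step is a request whose target contains a traversal sequence once it is percent-decoded. The script below is an added example, not code from the room or its author, with two detections over Apache/nginx combined-format logs. The log lines are constructed for the demo (no real traffic), and the threshold of 10 404s in 60 seconds, the decode depth and the traversal indicators are assumptions to tune for your environment.

```python
"""Added example (not from the room or its author): flag directory brute-forcing
and path-traversal / LFI attempts in combined-format access logs."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Traversal and classic file-inclusion indicators, checked after decoding.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self/)", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def decode_fully(target, rounds=3):
    """Undo repeated percent-encoding so ..%252F-style evasion still trips the rule."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def detect_bruteforce(entries, threshold=10, window_seconds=60):
    """IPs that produced at least `threshold` 404s inside any window of `window_seconds`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["time"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_traversal(entries):
    """(ip, decoded target) for every request whose decoded target looks like traversal/LFI."""
    hits = []
    for e in entries:
        decoded = decode_fully(e["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append((e["ip"], decoded))
    return hits


def sample_log_lines():
    """Constructed sample log, not real traffic: one normal client, one scanner, one stray 404."""
    lines = ['10.0.0.5 - - [07/Feb/2023:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"']
    words = ["admin", "backup", "cgi-bin", "db", "dev", "images", "js", "old", "private", "test", "tmp", "uploads"]
    for i, word in enumerate(words):
        lines.append(f'10.0.0.9 - - [07/Feb/2023:10:00:{i + 1:02d} +0000] "GET /{word} HTTP/1.1" 404 196 "-" "gobuster/3.1"')
    lines.append('10.0.0.9 - - [07/Feb/2023:10:00:20 +0000] "GET /config.php.bak HTTP/1.1" 200 312 "-" "gobuster/3.1"')
    lines.append('10.0.0.9 - - [07/Feb/2023:10:05:00 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2011 "-" "curl/7.88"')
    lines.append('10.0.0.7 - - [07/Feb/2023:10:06:00 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    entries = [e for e in map(parse_line, sample_log_lines()) if e]
    print("brute-force sources:", detect_bruteforce(entries))
    for ip, target in detect_traversal(entries):
        print("traversal attempt:", ip, target)
```

The 404-burst rule uses a sliding window rather than a flat count so a client that slowly accumulates 404s over a day is not flagged while a wordlist run is, and the traversal rule decodes before matching because the encoded form in the raw line would otherwise slip past a naive `../` search.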

Oh yes! The beautiful reality of getting the reverse shell. Got it, finally.

I checked the output of id: I was logged in as apache initially, then I switched to admin using the password cracked above.

Then I upgraded the shell to something more readable by spawning a TTY shell.

Enumeration is key, so I moved to the home directory, then into the admin user's directory, where I found the user.txt file.

I checked the contents of user.txt. Woop woop, machine finally solved.

See you in the next one, peace ✌🏽
