Original Post: TryHackMe mKingdom Writeup. This is a beginner-friendly CTF… | by Ria Banerjee | Jul, 2024
The post walks through a step-by-step approach to solving a beginner-friendly Capture The Flag (CTF) challenge on TryHackMe. The process started with an Nmap scan, followed by accessing the website and running a Gobuster directory brute-force. The author found an admin blog post containing a login page, and used "admin" and "password" to log in. The website was running Concrete CMS 8.5.2, which has a known RCE vulnerability.
The author used this vulnerability to upload a PHP reverse shell and gained shell access. LinPEAS was run to enumerate the system, and it discovered a database configuration file with credentials. After the author logged in as ‘toad’, the environment variables revealed a PWD token, which allowed logging in as ‘mario’.
The author utilized a writable /etc/hosts and a monitored cron job to escalate privileges to root. A malicious counter.sh script was placed to execute a reverse shell via a cron job. Once root access was obtained, the author could read the flags from user.txt and root.txt.