TAMU CTF 2019 Writeups



Challenge Description:

I setup my own Wordpress site!
I love that there are so many plugins. My favorite is Revolution Slider. Even though it's a little old it doesn't show up on wpscan!
Please give it about 30 seconds after connecting for everything to setup correctly.
The flag is in /root/flag.txt
Difficulty: medium

Openvpn config file:

Start by configuring the OpenVPN config file.

Now use nmap to scan the network.


So there is an IP which has open SSH and HTTP ports, and there is another IP with an open MySQL service.

It looks like the first is our webserver and the other one is the database server.

Let's look at the site by typing its address in the browser.


So it's a WordPress site. I used wpscan to scan it but found nothing interesting (also, while scanning with wpscan, use a timeout of 30 sec).
Also, there was a clue that they are using revslider as a plugin on the site. Googling for revslider exploits, I found that there is a file upload vulnerability in revslider.
Basically, we can upload a file to the webserver by exploiting that vulnerability. To demonstrate, let's fire up msfconsole and do the following.

Before that, write a simple PHP payload for a proof of concept. The payload I used was...

Now for the msfconsole stuff:

So by this we have successfully uploaded the payload.
Let's check it on the real server.


So far so good. Now my target is to upload a PHP TCP reverse payload which, when run, gives us a shell at port 1234 (for example).
I have a shellcode.php in my tool list which I use for this purpose. I uploaded it as


Download the php-reverse-shell

Now I just have to start a listener at port 1234 and hit my payload. Before hitting the payload:


After hitting the payload:
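
From the defender's side, the upload-then-request sequence above leaves a recognizable trace in the web server's access log: a POST to the WordPress AJAX endpoint followed by a successful request for a `.php` file in a directory that should only hold data. The following is an added example, not part of the original writeup; the log lines, IP addresses, file names and the directory layout in the pattern are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined log format: client IP, timestamp, method, path, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# PHP served from directories that should only hold data (assumed layout)
WRITABLE_PHP = re.compile(
    r'^/wp-content/(?:uploads/|plugins/[^/]+/(?:temp|tmp|cache)/).*\.php\d?(?:$|\?)', re.I)
AJAX = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=10)

def parse(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_upload_then_execute(lines):
    """Flag every 200 response for a .php file in a writable directory.
    Severity is 'high' when the same client POSTed to admin-ajax.php
    within WINDOW beforehand, otherwise 'medium'."""
    last_post, alerts = {}, []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if method == "POST" and path.split("?")[0] == AJAX:
            last_post[ip] = ts
        elif status == 200 and WRITABLE_PHP.match(path):
            prior = last_post.get(ip)
            sev = "high" if prior and ts - prior <= WINDOW else "medium"
            alerts.append((ip, path.split("?")[0], sev))
    return alerts

# Constructed sample log lines (documentation IP ranges, made-up file names)
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Feb/2019:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Feb/2019:10:03:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "-"',
    '203.0.113.7 - - [23/Feb/2019:10:03:15 +0000] "GET /wp-content/plugins/revslider/temp/update_extract/poc.php HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [23/Feb/2019:10:05:00 +0000] "GET /wp-content/uploads/2019/02/photo.jpg HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.9 - - [23/Feb/2019:10:06:00 +0000] "GET /wp-content/uploads/cache.php?x=1 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.9 - - [23/Feb/2019:10:06:05 +0000] "GET /wp-content/uploads/missing.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

Blocking PHP execution in those directories at the web server level removes the second half of the sequence even if an upload succeeds.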


After some simple Linux commands I found note.txt.


So the SSH key is on the dbserver at /backup/id_rsa and the db server is
Now we need some more things to work with.
So I checked the wp-config.php file using the cat command. Guess what: I found database credentials.


So the username for the db is 'wordpress', host:, password: '0NYa6PBH52y86C'
I just connected to the db server with these values.


So I have to read /backup/id_rsa on this server. As I now have full control over the database, this is quite a simple task.
What I did was create a 'temp' table with one column in it. Then I loaded the content of /backup/id_rsa into that table and viewed it using a select query.

in action

After select query


I stored this in a file and saved it as id_rsa. Now I have to use this key to connect through SSH as the root user.


Hence, after login, I got the flag.

It was a fun challenge ;-)