Web Machine: (N7) VulnHub CTF Walkthrough
Web Machine: (N7) is an intentionally vulnerable CTF virtual Linux machine. The author of this machine is Duty Mastr, and it belongs to the Web Machine series.
The machine can be downloaded from Web Machine: (N7) - VulnHub.
After downloading and setting up Web Machine: (N7), it’ll look like this:
First of all, we need the IP address of this machine. To find it, I used the arp-scan tool, and the command I used was:
sudo arp-scan -l
So we got the IP address, and the next thing to do is recon on the machine. For basic port and service scanning, I used the nmap tool, and the command I used was:
nmap -sV -A -Pn 192.168.43.136
So there is only one open port, 80, running an HTTP service. So I thought I'd visit this IP address in my browser.
Visiting the IP address in my browser wasn't very useful. I also visited the profile page, which wasn't helpful either. So I started directory enumeration to discover other web pages. For this, I used OWASP DirBuster, which is a GUI tool.
That's when I found a web page called exploit.html on the machine's web server. So I accessed the /exploit.html page in my web browser.
I tried uploading a PHP payload to get a reverse shell, but it wasn't successful. So I thought I'd go through the source code of that web page. For that I used the browser's Inspect (developer) tool.
That's when I noticed that when the Submit Query button is clicked, the form submits to http://localhost/profile.php. That is an error: "localhost" resolves to the visitor's own machine, not the target, so the request never reaches the server. So I edited the form action to the machine's own IP address, keeping the /profile.php page.
</gre_replace>
<gr_replace lines="14" cat="clarify" orig="Then I clicked the">
Then I clicked the Submit Query button. That's when I saw the prefix of the flag.
Then I clicked the Submit Query button. That’s when I saw the prefix of the flag.
Now I understood that this is not the way to find the flag. So I researched a lot again and found that there's a web page named /enter_network on the machine's web server. So I accessed that web page in my browser, obviously.
I tried default credentials, and that was not successful. So I intercepted the login request in the Burp Suite tool, submitting some random credentials.
Then I saved this request as interceptedData.txt and used this text file to dump the databases and tables on the web server. For this, I used the Sqlmap tool, and the command I used was:
sqlmap -r /home/kali/Pictures/interceptedData.txt --dbs
This took a while to complete, and I finally discovered four databases.
Again I used the Sqlmap tool, this time to dump the tables in the Machine database, and the command I used was:
sqlmap -r /home/kali/Pictures/interceptedData.txt -D Machine --dump
I finally found the flag. Hooray!
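From the defender's side, both tools used in this walkthrough leave a recognisable footprint in the web server's access log: DirBuster produces a burst of 404s from one client, and both DirBuster and sqlmap announce themselves in their default User-Agent string. The following is an added example (not part of the walkthrough or the machine) that sweeps constructed Apache combined-format log lines for those two signals; the User-Agent markers are the tools' assumed defaults, which an operator can change, so they are a cheap indicator rather than a guarantee.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format; the status code and user agent are what we key on.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed default User-Agent markers of the two tools; both can be overridden by the operator.
SCANNER_UA_MARKERS = {"DirBuster": "DirBuster", "sqlmap": "sqlmap/"}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def analyse(lines, not_found_threshold=5):
    """Flag (a) clients sending a known scanner User-Agent and (b) clients with at
    least not_found_threshold 404s, the footprint of directory enumeration."""
    not_found = Counter()
    scanner_hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole sweep
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        for tool, marker in SCANNER_UA_MARKERS.items():
            if marker in rec["ua"]:
                scanner_hits[rec["ip"]].add(tool)
    bursts = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    return {"scanner_agents": dict(scanner_hits), "enum_bursts": bursts}

def _line(ip, method, path, status, ua):
    # Builds a constructed combined-format line for the demo (not real captured traffic).
    return f'{ip} - - [10/Oct/2023:12:00:00 +0000] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'

DIRBUSTER_UA = "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
SQLMAP_UA = "sqlmap/1.7 (https://sqlmap.org)"  # constructed version string
SAMPLE_LOG = (
    [_line("192.168.43.1", "GET", f"/{w}", 404, DIRBUSTER_UA) for w in ("admin", "backup", "test", "old", "tmp")]
    + [_line("192.168.43.1", "GET", "/exploit.html", 200, DIRBUSTER_UA),
       _line("192.168.43.1", "POST", "/enter_network/", 200, SQLMAP_UA),
       _line("192.168.43.50", "GET", "/profile.php", 200, "Mozilla/5.0"),
       _line("192.168.43.50", "GET", "/favicon.ico", 404, "Mozilla/5.0")]
)
```

Running `analyse(SAMPLE_LOG)` flags 192.168.43.1 on both signals and leaves the ordinary browser client alone, because a single 404 (a missing favicon) stays below the burst threshold.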