Oh no our webserver got compromised. The attacker used an 0day, so we don't know how he got into the admin panel. Investigate that.
This is an OSCP Prep Box, it's based on a CVE I recently found. It's on the OSCP lab machines level.

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s TIKI: 1 from vulnhub.


Ports are SSH, HTTP and SMB (139 and 445), but given the introduction it sounds like the webserver is our target. Also, nmap said:

80/tcp open http syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
| http-robots.txt: 1 disallowed entry

Let’s start there.


Tiki is Tiki Wiki, and it's not hard to find the recent CVE for it: CVE-2020-15906, found by the machine's creator. Reckon it's what we want?


It’s on searchsploit:

Tiki Wiki CMS Groupware 21.1 - Authentication Bypass php/webapps/

We can mirror this and run it:

root@kali:/opt/vulnhub/tiki# python3
Admin Password got removed.
Use BurpSuite to login into admin without a password 

The vulnerability is that an attacker can brute-force a Tiki Wiki admin account until it is locked after 50 invalid login attempts. The lockout removes the password, so they can then authenticate as the administrator with an empty password and gain full access to the account.
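From the defender's side, the interesting thing about this bug is that the precondition is noisy: fifty failed logins against one account in a short span is exactly the pattern a web-server log review should catch. The following is an added example, not code from the write-up or from Tiki, that runs a sliding-window check over Apache combined-format access log lines (the box runs Apache httpd 2.4.41 per the nmap output) and flags any source IP that POSTs to the login endpoint at least the lockout threshold of times within ten minutes. The login path `/tiki-login.php`, the window length and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the login form posts to tiki-login.php; adjust for the deployment.
LOGIN_PATH = "/tiki-login.php"
THRESHOLD = 50                   # the lockout count from the CVE description
WINDOW = timedelta(minutes=10)   # constructed detection window


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=THRESHOLD, window=WINDOW, login_path=LOGIN_PATH):
    """Return {ip: peak_count} for every source IP that POSTed to the login
    endpoint at least `threshold` times inside any `window`-long span."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()             # expire timestamps older than the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _fmt(ip, ts, method, path, status):
    """Render a constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


def constructed_log():
    """Constructed sample: one normal visitor and one client hammering the login form."""
    base = datetime(2020, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [
        _fmt("192.168.1.20", base, "GET", "/", 200),
        _fmt("192.168.1.20", base + timedelta(seconds=30), "POST", LOGIN_PATH, 302),
    ]
    for i in range(55):
        lines.append(_fmt("10.0.0.5", base + timedelta(seconds=2 * i), "POST", LOGIN_PATH, 200))
    return lines


if __name__ == "__main__":
    for ip, count in find_login_bursts(constructed_log()).items():
        print(f"login burst from {ip}: {count} POSTs within {WINDOW}")
```

The detector only needs the request line, so it works on the stock access log without any application-side changes; a hit is a prompt to check whether the targeted account still authenticates with a blank password.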

The login form won't let you submit a blank password, but Burp Suite will, so that's where it comes in. Then "Show response in browser" and we're logged in as admin.
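Two lessons sit in the last two paragraphs: a lockout that alters the credential instead of gating access, and a blank-password check that lives only in the browser. The following is an added example, a toy model written for this page and not Tiki's code, that puts the flawed lockout beside a hardened version: the vulnerable store blanks the password after the fiftieth failure so that an empty password then matches, while the hardened store keeps the credential untouched, records the lockout as a flag, and rejects empty passwords server-side regardless of what the form allowed. Class names, the PBKDF2 iteration count and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 50   # the lockout threshold from the CVE description

# Constructed hashing helper for the toy; iteration count kept low so the
# demo runs quickly (production deployments use a far higher count).
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class VulnerableStore:
    """Toy model of the flaw: 'locking' the account removes the password,
    and the login check then happily matches an empty submitted password."""

    def __init__(self, username, password):
        self.username = username
        self.password = password   # kept in the clear to keep the toy short
        self.failures = 0

    def login(self, username, password):
        if username != self.username:
            return False
        if password == self.password:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.password = ""     # the bug: lockout blanks the credential
        return False


class HardenedStore:
    """Hardened model: the credential is never modified by lockout, the
    lockout is a separate flag, and empty passwords are refused server-side."""

    def __init__(self, username, password):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.failures = 0
        self.locked = False

    def login(self, username, password):
        # The browser form's "required" check is not a control; enforce it here.
        if not password or username != self.username or self.locked:
            return False
        if hmac.compare_digest(_hash(password, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked = True     # lock access; leave the credential alone
        return False


def blank_password_after_lockout(store_cls):
    """Drive MAX_ATTEMPTS wrong guesses, then try the empty password.
    Returns True only if the empty password is accepted (the bug)."""
    store = store_cls("admin", "correct horse battery staple")
    for i in range(MAX_ATTEMPTS):
        store.login("admin", f"guess{i}")   # constructed wrong guesses
    return store.login("admin", "")


if __name__ == "__main__":
    print("vulnerable accepts blank password:", blank_password_after_lockout(VulnerableStore))
    print("hardened accepts blank password:  ", blank_password_after_lockout(HardenedStore))
```

The hardened version also refuses the real password while the lock is set, which is the behaviour an operator expects from a lockout; the vulnerable one never actually locks anything, it just changes what the account's password is.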


I looked around for a way to upload a shell, but there doesn't appear to be one (that I could find). I could upload a shell as a ZIP and unzip it, but could only download the resulting file, not run it. Fortunately our box user has left his credentials on the site for us to find.


We can SSH in as that user, and since he's a sudoer it's all over:

silky@ubuntu:~$ sudo -l
[sudo] Passwort für silky: 
Passende Defaults-Einträge für silky auf ubuntu:
    env_reset, mail_badpass,

Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen:
    (ALL : ALL) ALL
silky@ubuntu:~$ sudo su
root@ubuntu:/home/silky# cd /root
root@ubuntu:~# ls -lash
root@ubuntu:~# cat flag.txt 

ASCII art removed
You did it ^^
I hope you had fun.
Share your flag with me on Twitter: S1lky_1337

root@ubuntu:~# id;hostname
uid=0(root) gid=0(root) Gruppen=0(root)

BTW, Google Translate says:

Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen

The user silky is allowed to execute the following commands on ubuntu