In this article we are going to solve another boot2root challenge This is an intermediate level machine and requires good enumeration skills . we can download this machine from vulnhub . Please make sure that you download the updated version of the machine from the google drive link given here
As usual our first step is to find the IP address of the machine using the command : sudo netdiscover -i wlan0
we have the IP address of the target machine now we used the command : sudo nmap -A 192.168.43.97 to check for the open ports.
only two ports are open , so we decided to browse HTTP service . one thing is clear by this result that to gain access to this system we must enumerate the port 80 very carefully and should focus on each and every result.
when we open the website we have apache server home page that means we are inside the directory /var/www/html/ . Now we decided to do directory bruteforce but failed to find any useful directory . So we again go through the home page and found this line.
as said in the first line that there is directory at /var/www/html/g@web , So it is clear that g@web is directory and if we open the url http://192.168.43.97/g@web then we have a WordPress website.
without wasting our time we fire up wpscan using the command : sudo wpscan --url http://192.168.43.97/g@web
as we can see we have a outdated plugin and there are high chances of exploiting this , so we take the help of the internet and found a exploit that lets us to upload .phtml file (.phtml is used for php2). You can find the link at the end of this article to download the exploit .
now by using this exploit we can upload a .phtml file and can have the reverse shell.
here we are using the pentest monkey php reverse shell and saved it as shell.phtml .
now by clicking the submit button we have successfully uploaded the shell and can run it from http://192.168.43.97/g@web/wp-content/uploads/wpsp/
start the listener on the port we have specified in the .phtml file using the command : nc -nvlp port , in my case it is nc -nvlp 1234
now we have the shell of user www-data , we change our directory to /home and there we found 3 users, security hunter hackNos-boat .
now we need password to login as any of these users . so we again run the wpcan but with some extra option this time , command used : sudo wpscan --url http://192.168.43.97/g@web --enumerate u
if we open the URL specified in the output then we got a hint .
we can use hackNos@9012!! as the password for one of the users.
so now we have these 3 combination that we can try to login as one of these users.
hunter : hackNos@9012!!
hackNos-boat : hackNos@9012!!
security : hackNos@9012!!
and we succeed in login as user security .
now we without wasting our time we use the command sudo -l to check for sudo privileges .
and that's what we want now by using the find trick described in the gtfobins we run the command by : sudo -u hackNos-boat /usr/bin/find . -exec /bin/bash \;
now we are in as user hackNos-boat , again we use the command sudo -l and found something interesting and follow the instruction from gtfobins .
now by using the command : sudo -u hunter /usr/bin/ruby -e 'exec "/bin/bash"' , we are in as user hunter .
now again we use the same command : sudo -l and found something that is already present in gtfobins .
we run the command : sudo -u root /usr/bin/gcc -wrapper /bin/bash,-s .
we are in as user root and by changing the directory to /home/hunter we read the user flag and by changing the directory to /root we can read the final flag
we are root now and this completes the challenge!
click here to go to the download page (change the IP address of the target machine and save it as exp.html and run your apache server using the command sudo service apache2 start and copy exp.html file to /var/www/html/ if you are using apache2 server ,now go to web browser and open this file by visiting the URL 127.0.0.1/exp.html )