In this article we are going to solve another boot2root challenge designed by haclabs . This is a beginner level CTF challenge that doesn't require any advanced or basic exploitation and this CTF doesn't require any kind of tool for exploitation.
First step is to find the IP address of the target machine using the command : netdiscover -i wlan0
Now step is to check for the open ports and for that we used the command : nmap -A 192.168.43.249
only two ports are open , so we decided to browse HTTP Service .
it is the apache2 ubuntu default page . So here we decided to bruteforce directories using the dirb tool , dirb http://192.168.43.249
it is very clear that it is running a wordpress website , so we decided to use wpscan tool to find any vulnerable plugin or theme but we failed , but we succeed in finding two usernames.
wpscan --url http://192.168.43.249/wordpress --enumerate u
now if we go to the login page then it is not accessible, so bruteforcing the password for both the users is a wastage of time.
Now we open the webpage : http://192.168.43.249/wordpres/robots.txt
means we can access /robots.html . So if we open this robots.html then we get a simple form with a input box and a submit button . we looked for the OS command Injection vulnerability but we failed here .
if we check the source code of the webpage then we see that after 15 clicks it redirect the user to a new webpage admindelete.html .
Now we are completely stuck here, so if we observe this message carefully then it says we are looking for a hint , this means hint can be a webpage so we tried various common extensions and succeed in finding a file with name /hint.html .
as said we have to collect all the API tokens available on the home page(ubuntu default server webpage) .
after collecting all the API and arranging them in correct order we found a hash 5F4DCC3B5AA765D61D8327DEB882CF99 , now we can use any online website to crack this hash and we found the text is password , we tried username : yash and password : password but we failed to connect to SSH and same for user haclabs.
So here we tried to open the webpage /wordpress/5F4DCC3B5AA765D61D8327DEB882CF99
now everything is clear that password is itself the hash value
so we tried to connect to SSH as user yash and password as hash value and finally we get the shell of user yash.
if we observe this text then it clearly means that copy operation was going on but it was aborted as we gain an authorized access to this machine. Now one thing is clear that password of user haclabs is present somewhere in the home directory of user yash and also we got our first flag.
after spending sometime with this box we see a file systemlogs
we tried to read the content of this file using cat command .