In this article we are going to solve another boot2root challenge, infovore, from VulnHub. The initial foothold was a little challenging because we need to edit the pre-built script to get the initial shell.
IP of the target : 192.168.1.194
As usual I started with an nmap scan to find the open ports and the services running on the system, using the command
sudo nmap -sC -sV -Pn -p- 192.168.1.194
I was shocked by the result, because I am used to port 22 being open!! Okay, I started my enumeration from port 80. I found a really good UI-based website, but it didn't reveal anything useful, so it was time for a directory bruteforce.
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 64 http://192.168.1.194/FUZZ
It found 3 directories with response code 301, but before exploring them further I decided to run the directory bruteforce again with the .php extension
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 -t 64 http://192.168.1.194/FUZZ.php
I found phpinfo on info.php, and on index.php I found the same website. After a lot of enumeration I failed to find anything, and at last I decided to use the nikto tool
Now I was even more confused: according to the nikto result /info.php has RFI, and I tried many methods to check for RFI but failed to achieve it. So it was a complete dead end for me, and it was getting really frustrating, until I checked the title of the page, which was Include me...
This proved to be a big hint for me. It clearly indicates that here we are going to deal with LFI in the index.php page, because info.php is just using the phpinfo() function. To check for the LFI I tried parameter fuzzing with the wfuzz tool, using the command
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404 -t 46 http://192.168.1.194/index.php?FUZZ=/etc/passwd
That was a very strange response, and again I was confused by this LFI. The next thing I noticed is that every page returned the same number of lines, so I changed the command to hide the responses that have 136 lines (--hl 136)
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hl 136 -t 46 http://192.168.1.194/index.php?FUZZ=/etc/passwd
and yes, this command worked perfectly. After opening the webpage http://192.168.1.194/index.php?filename=/etc/passwd I could see the contents of the /etc/passwd file
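The include on index.php accepted whatever the filename parameter carried. The following is an added example, not code from the original writeup or the challenge: a Python version of the server-side check that parameter was missing. unsafe_resolve() mirrors the behaviour seen above (an absolute path or a traversal sequence escapes the web root), and resolve_include() is the hardened form, which rejects stream wrappers and remote URLs, absolute paths, and anything that resolves outside an allowlisted directory. PAGES_ROOT, the extension allowlist and the function names are assumptions chosen for illustration.

```python
"""
Added example, not code from the original writeup: the server-side check that
the vulnerable index.php?filename= parameter was missing. unsafe_resolve()
mirrors the behaviour seen in the writeup (whatever the client sends is
included); resolve_include() is the hardened form. PAGES_ROOT, the extension
allowlist and the function names are assumptions chosen for illustration.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist directory; in a real deployment this is the directory
# that actually holds the includable page fragments.
PAGES_ROOT = Path("/srv/pages")


def unsafe_resolve(user_value: str, root: Path = PAGES_ROOT) -> Path:
    """The flawed pattern: absolute paths and traversal both escape the root."""
    # Path("/srv/pages") / "/etc/passwd" yields /etc/passwd because pathlib
    # restarts at an absolute component; "../" walks out on resolve().
    return (root / user_value).resolve()


def has_scheme(value: str) -> bool:
    """True for php://, data://, http://, ... which must never reach include()."""
    return urlsplit(value).scheme != ""


def resolve_include(user_value: str, root: Path = PAGES_ROOT) -> Optional[Path]:
    """Return the path to include, or None when the request is unsafe."""
    if not user_value or "\0" in user_value or has_scheme(user_value):
        return None
    # The parameter names a page, never a location: reject absolute paths outright.
    if user_value.startswith(("/", "\\")):
        return None
    root_resolved = root.resolve()
    candidate = (root_resolved / user_value).resolve()
    # Traversal check: after resolving "..", the candidate must still sit under root.
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None
    # Only page fragments are includable; this extension allowlist is an assumption.
    if candidate.suffix not in (".php", ".html"):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("about.php", "/etc/passwd", "../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=index.php"):
        print(f"{value!r:60} unsafe={unsafe_resolve(value)} hardened={resolve_include(value)}")
```

The resolve-then-relative_to check is what makes this robust: string filters such as stripping "../" can be bypassed with encodings or nested sequences, whereas comparing the fully resolved path against the resolved root does not depend on how the traversal was spelled.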
After confirming the LFI vulnerability, the next thing that came to my mind was a log poisoning attack. I tried to include some files that could lead to log poisoning, but I was not able to include them. After a lot of thinking I started to search for phpinfo LFI to RCE and found a script to perform this task, but after running the script I got an error, because we have to change some information regarding the page where we found the LFI.
But this was not enough of a change for the script to work properly, and after spending some time with the code I found one more thing that needed to be changed: the page where we found the phpinfo, that is info.php. If we remember the nikto result, that page has RFI with the parameter info.php?file, so what I did is change the script again with
and after listening on the specified port (in my case 1234) I got the reverse shell.
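Every step above leaves a trace in the web server's access log: the parameter fuzzing sends the same /etc/passwd value under hundreds of parameter names from one client, and the phpinfo page is hit with a remote URL in its file parameter. The following is an added example, not code from the original writeup: detection logic a defender could run over Apache/nginx combined-format access logs to flag include-style parameter values that should never come from a client and to spot parameter-name fuzzing. The log lines are constructed samples, and the indicator patterns and the fuzzing threshold are assumptions.

```python
"""
Added example, not the writeup's code: detection over web-server access logs
for the probing this writeup describes. Flags parameter values that point at
local files, traversal, PHP stream wrappers or remote URLs, and reports
parameter-name fuzzing (many distinct parameter names from one client carrying
the same suspicious value). Log lines are constructed samples; the indicator
regexes and fuzz_threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
LOCAL_FILE = re.compile(
    r"(^|/)etc/(passwd|shadow|hosts)|(\.\./)|(^/proc/)|(log/(apache2|httpd|nginx))", re.I
)
WRAPPER = re.compile(r"^(php|data|expect|phar|zip|file|https?|ftp)://", re.I)

# Constructed sample: one client fuzzing parameter names on index.php and
# probing info.php with a remote URL, one benign client.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /index.php?filename=/etc/passwd HTTP/1.1" 200 2311',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1780',
    '10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 1780',
    '10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /index.php?id=/etc/passwd HTTP/1.1" 200 1780',
    '10.0.0.5 - - [01/Jan/2021:10:00:02 +0000] "GET /index.php?path=/etc/passwd HTTP/1.1" 200 1780',
    '10.0.0.5 - - [01/Jan/2021:10:00:03 +0000] "GET /info.php?file=http://10.0.0.5/x.txt HTTP/1.1" 200 51234',
    '10.0.0.9 - - [01/Jan/2021:10:00:04 +0000] "GET /index.php?filename=about.php HTTP/1.1" 200 2311',
    '10.0.0.9 - - [01/Jan/2021:10:00:05 +0000] "GET /assets/style.css HTTP/1.1" 200 812',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl decodes once; the extra unquote catches double-encoded values.
    rec["params"] = [(k, unquote(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return rec


def suspicious_value(value):
    """Tag an include-style value that should never arrive from a client, else None."""
    if WRAPPER.match(value):
        return "wrapper_or_remote"
    if LOCAL_FILE.search(value):
        return "local_file"
    return None


def analyse(lines, fuzz_threshold=5):
    """Return (per-request alerts, per-client fuzzing findings)."""
    alerts = []
    names_by_ip_value = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            tag = suspicious_value(value)
            if tag:
                alerts.append((rec["ip"], rec["path"], name, tag))
                names_by_ip_value[(rec["ip"], value)].add(name)
    # Fuzzing: the same suspicious value sent under many different parameter names.
    fuzzing = [
        (ip, value, len(names))
        for (ip, value), names in names_by_ip_value.items()
        if len(names) >= fuzz_threshold
    ]
    return alerts, fuzzing


if __name__ == "__main__":
    found, fuzz = analyse(SAMPLE_LOG)
    for a in found:
        print("ALERT", a)
    for f in fuzz:
        print("FUZZING", f)
```

The fuzzing finding is the higher-value signal: a single request with /etc/passwd in a parameter may be a scanner, but hundreds of distinct parameter names carrying the same value from one source is someone hunting for an include parameter, and it is worth correlating with any later request to a phpinfo page.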
Now it's time for privilege escalation. First of all I checked for users in the home directory, but there are no users.
Then I checked other directories too, but couldn't find anything useful, so I ran the command cat /proc/1/cgroup to check whether we are inside a container/docker or not
Umm, this confirms that we are inside docker. To get out of docker we need to enumerate more carefully, and after checking the "/" directory I found two hidden files.
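Reading /proc/1/cgroup by hand works here because the paths carry a docker component. The following is an added example, not code from the writeup: a small checker that parses /proc/1/cgroup the same way and adds the other common indicators (/.dockerenv and the container environment variable), because on a cgroup v2 host with cgroup namespaces the file inside a container shows only "0::/" and the path test alone gives a false negative. The cgroup samples are constructed, and the marker list is an assumption covering common runtimes.

```python
"""
Added example, not the writeup's code: decide whether PID 1 appears to run
inside a container. Parses /proc/1/cgroup as the writeup does by hand and adds
the /.dockerenv and container= checks for cgroup v2 hosts, where the cgroup
path alone can read "0::/" inside a container. Takes the cgroup text plus
exists()/environ callbacks so it runs against constructed input; the marker
list is an assumption.
"""
import os

CONTAINER_MARKERS = ("docker", "containerd", "kubepods", "lxc", "libpod", "podman")

# Constructed samples of /proc/1/cgroup contents.
DOCKER_V1_CGROUP = (
    "12:pids:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
    "11:memory:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
    "1:name=systemd:/docker/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
)
HOST_CGROUP = "12:pids:/init.scope\n11:memory:/init.scope\n1:name=systemd:/init.scope\n"
V2_NAMESPACED_CGROUP = "0::/\n"


def parse_cgroup(text):
    """Parse hierarchy-ID:controllers:path lines into (controllers, path) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        entries.append((parts[1], parts[2]))
    return entries


def container_evidence(cgroup_text, exists=os.path.exists, environ=None):
    """Return the reasons suggesting a container; an empty list means no evidence."""
    environ = os.environ if environ is None else environ
    reasons = []
    for _controllers, path in parse_cgroup(cgroup_text):
        for marker in CONTAINER_MARKERS:
            if marker in path:
                reasons.append(f"cgroup path {path!r} contains {marker!r}")
                break
    # Docker drops this file at the container root regardless of cgroup version.
    if exists("/.dockerenv"):
        reasons.append("/.dockerenv present")
    # systemd-nspawn, podman and others export container=<runtime> to PID 1.
    if environ.get("container"):
        reasons.append(f"container={environ['container']!r} in environment")
    return reasons


def in_container(cgroup_text, exists=os.path.exists, environ=None):
    return bool(container_evidence(cgroup_text, exists, environ))


if __name__ == "__main__":
    # Live check on a Linux host; on other systems /proc/1/cgroup does not exist.
    try:
        with open("/proc/1/cgroup") as fh:
            live = fh.read()
    except OSError:
        live = ""
    print(container_evidence(live) or "no container evidence")
```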
Now I decided to transfer these files to my local system, but how are we going to do this? This system has no python to start a server, and I also tried scp but there was an error. I found that this system has curl installed, so what I did is start a python server on my local system, transfer nc to the tmp directory with the help of curl, and then with the help of nc I could transfer those two hidden files :)
After cracking the passphrase of the private key (root) I found the password.
I used this password to get root on docker.
Ummm, I found no pty here, and to spawn a pty we can use two methods. I used su root -P
I got root on the docker container, but I need root on the host machine to complete this challenge, and after some manual enumeration I found the public and private keys of one user of the host system
Now I tried to gain access to admin using the id_rsa (private key). It prompted for the password, and I used the same password I cracked earlier, and yes, finally I was in as user admin.
All I can say is, just use gtfobins :)
We are root now, and this completes the challenge. The task was also to find all 4 flags, but actually I am not interested in finding flags hidden somewhere, so sorry for the flags, because I am more interested in gaining root :)