Updated: May 27, 2020
In this article we are going to solve another boot2root challenge, Tre: 1. This is an intermediate-level challenge that requires good enumeration skills, and the box can be downloaded from VulnHub.
IP of the target: 192.168.43.70
Let's run nmap to find the open ports and the services running on the system, using the command:
sudo nmap -sC -sV -p- -Pn 192.168.43.70
Port 80 serves a page with a background image of some trees, and port 8082 serves the same thing. Next we use dirb for directory brute-forcing, and I always recommend the big.txt wordlist.
dirb http://192.168.43.70:80 /usr/share/wordlists/dirb/big.txt
Okay, we have some credentials, but where do we use them? We tried them on the MantisBT login page, but they didn't work. So we decided to run the directory brute-force again, this time with the .php extension.
dirb http://192.168.43.70:80 /usr/share/wordlists/dirb/big.txt -X .php
Okay, let's go to /adminer.php.
We fill in the information that we found earlier in the a.txt file, and with those credentials we are successfully inside the panel.
Now we can read the data in the table mantis_user_table.
We have 2 users here, along with their password hashes. We searched the internet for a MantisBT exploit and found a Python script that can be used to change the password of a registered user. After changing the admin user's password we logged in to the admin panel, but failed to find a way to upload a PHP script there. Turning to the second user, "tre", the real name looks like a hint towards SSH login, so we used tre as the username and the real name as the password.
First of all we checked the user's privileges using the command sudo -l
Ummm, if we only have to shut down the machine in the end, then why did we do so many things (my brain said)? Okay, to analyze what this binary is doing (of course it is doing shutdown and restart), let's connect again as the same user, but in a different terminal.
We used the first terminal to download the pspy64 binary and run it, and on the second terminal we ran the /sbin/shutdown binary.
The "-r" option means restart. Now let's check the pspy64 output on the other terminal.
This means that when we run /sbin/shutdown, the script /usr/bin/check-system gets executed by the root user. To check whether we are on the right path, after the restart we took a shell as user tre again and edited the file check-system as
We again ran the command sudo -u root /sbin/shutdown -r, and after the restart we regained access to the user shell. Now let's check the /tmp folder to see whether the shadow file is there and whether it is readable.
Yes, this means we are on the right path. We again edited check-system, this time with reverse shell code, and after restarting the machine with the command /sbin/shutdown -r we got the root shell!
Let's restart the system again, and don't forget to start the listener on the port you specified.
Machine pwned successfully!
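The escalation above works because a script that root runs around /sbin/shutdown, /usr/bin/check-system, could be edited by the unprivileged tre user. As an added example (not part of the original write-up), this shell function reports when a root-executed path or its parent directory is owned by the wrong uid or is group- or world-writable. audit_path is a hypothetical name, and since the write-up does not show what launches check-system, the paths to audit are passed in as arguments.

```shell
#!/bin/sh
# Added example: audit files that root executes for ways a non-root user
# could change them. audit_path is a hypothetical helper name.
#
# $1 = path to audit, $2 = uid that is allowed to own it (default 0 = root).
# Prints one line per finding; exit status 0 = clean, 1 = finding(s).
audit_path() {
    target=$1
    trusted=${2:-0}
    bad=0
    if [ ! -e "$target" ]; then
        echo "missing: $target"
        return 1
    fi
    # Check the file and the directory that holds it: write access to the
    # directory is enough to replace the file with a different one.
    for p in "$target" "$(dirname -- "$target")"; do
        # ls -ldn prints the mode string first and the numeric owner third.
        meta=$(ls -ldn -- "$p" | awk '{print $1, $3}')
        mode=${meta% *}
        uid=${meta#* }
        if [ "$uid" != "$trusted" ]; then
            echo "owned by uid $uid, expected $trusted: $p"
            bad=1
        fi
        # Mode string layout: type, user rwx, group rwx, other rwx.
        case $mode in
            ?????w*) echo "group-writable: $p"; bad=1 ;;
        esac
        case $mode in
            ????????w*) echo "world-writable: $p"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: pass the root-executed paths as arguments, e.g. the script named
# in this write-up:  sh audit.sh /usr/bin/check-system
for f in "$@"; do
    audit_path "$f" || true
done
```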