In this article we are going to solve another boot2root challenge, Victim. This is a beginner-level challenge, and it can be downloaded from VulnHub.


IP of the target:

Next we scan the target to find the open ports and the services running on them, using the command:

sudo nmap -sC -sV -Pn

Many ports are open on this machine, so we decided to enumerate them one by one.

Port 80:

A simple webpage with an error message (maybe this is intentional). There is nothing on port 8080, and this is what we have on port 9000.

We tried searching the internet for a BoltCMS exploit, but none of them worked here. So we decided to run a directory brute-force (dirb) to find some useful pages.

sudo dirb 
sudo dirb

Woohh!! There are so many pages, but most of them returned code 403.

So let's run the same command on port 9000.

We opened these webpages but found nothing.

Now we run the nmap scan again (maybe we missed some open port).

This time we ran the command with the -p- flag.

sudo nmap -sC -sV -Pn -p 1-12000

We found one more open port. So without wasting time, let's enumerate this port.
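The reason the second scan turned up a new port is that nmap's default scan covers only its top 1000 TCP ports, so anything outside that list is missed until a full range is requested. The following POSIX sh script is an added example, not part of the original post: it parses nmap grepable output (`-oG`) and reports the open ports that a wider scan found but a narrower one did not. The two scan results embedded below are constructed samples (the extra port 10000 is chosen for the sample; the post does not name the port it found), and the 192.0.2.10 address is a documentation placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): compare open ports between two
# nmap -oG (grepable) results to see what a wider port range uncovered.

# Constructed sample: a default-range scan (nmap's top 1000 TCP ports).
SCAN_TOP1000='# Nmap scan (constructed sample, not the post output)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 9000/open/tcp//cslistener///  Ignored State: closed (996)'

# Constructed sample: the same host scanned with -p- (all 65535 TCP ports).
# Port 10000 is invented for the sample; the writeup does not name the port it found.
SCAN_FULL='# Nmap scan (constructed sample, not the post output)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/open/tcp//http-proxy///, 9000/open/tcp//cslistener///, 10000/open/tcp//snet-sensor-mgmt///  Ignored State: closed (65530)'

# open_ports TEXT
# Prints the ports in state "open" from grepable output, one per line, sorted.
# Ports reported as open|filtered are deliberately excluded (they are unconfirmed).
open_ports() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Ports: //p' \
    | tr ',' '\n' \
    | sed -n 's/^ *\([0-9][0-9]*\)\/open\/.*/\1/p' \
    | sort -n -u
}

# new_ports OLD_TEXT NEW_TEXT
# Prints ports open in NEW_TEXT that were not open in OLD_TEXT.
new_ports() {
  old=$(open_ports "$1")
  printf '%s\n' "$(open_ports "$2")" | while IFS= read -r port; do
    [ -n "$port" ] || continue
    printf '%s\n' "$old" | grep -qx -- "$port" || printf '%s\n' "$port"
  done
}

# Usage on real files: new_ports "$(cat top1000.gnmap)" "$(cat full.gnmap)"
if [ "${1:-}" = "--demo" ]; then
  echo "Ports found only by the full-range scan:"
  new_ports "$SCAN_TOP1000" "$SCAN_FULL"
fi
```

Run it as `sh compare_scans.sh --demo` to see the sample diff; for real scans, save both runs with `-oG` and pass the file contents to `new_ports`. The same diff, run periodically against a known-good baseline, is also a cheap way to notice an unexpected service appearing on a host you defend.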

We found this .cap file and decided to open it in Wireshark and analyze each packet carefully, but failed to find anything useful.

Now we decided to crack it using aircrack-ng. Command used:

aircrack-ng WPA-01.cap -w /home/yash/Desktop/vulnhub/rockyou.txt/rockyou.txt

We cracked the password successfully: p4ssword.

Now we opened the .cap file again to analyze it carefully, and found a line that disclosed the SSID to be dlink.

Now we have credentials that we can use to log in over SSH.

username: dlink

password: p4ssword

ssh dlink@

We are in as user dlink; now it's time for privilege escalation. First of all we check the user's privileges and found this:

This is just a message to Try Harder to get root! We changed directory to /home and found two users, dlink and victim01, but nothing inside their home folders.

We decided to check for SUID binaries using the command

find / -perm -u=s -type f 2>/dev/null

Now, as described on GTFOBins, we used that command and got access as the root user.

nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
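The root step above works because a general-purpose utility carries the SUID bit, which is the kind of misconfiguration a host audit should catch before a player does. The POSIX sh script below is an added example, not part of the original post or of GTFOBins: it runs the same `find` enumeration the writeup uses and reports every SUID file that is not on an allowlist. The allowlist and the sample result list are constructed for illustration (a real baseline must be taken from your own build), and the presence of nohup in the sample mirrors what the writeup's root step relies on.

```shell
#!/bin/sh
# Added example (not from the original post): audit SUID binaries against an
# allowlist so that a SUID copy of a GTFOBins-listed utility stands out.

# Allowlist of SUID binaries commonly expected on a stock Debian/Ubuntu host.
# Constructed for illustration; derive your own from a clean install.
SUID_ALLOWLIST='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/su
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/umount'

# Same enumeration command the writeup uses.
list_suid() {
  find / -perm -u=s -type f 2>/dev/null
}

# unexpected_suid FOUND ALLOWLIST
# Prints every path in FOUND (newline-separated) that is absent from ALLOWLIST.
unexpected_suid() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    [ -n "$path" ] || continue
    printf '%s\n' "$2" | grep -Fxq -- "$path" || printf '%s\n' "$path"
  done
}

# Live audit of the current host; exit status 1 when deviations exist.
audit_suid() {
  found=$(unexpected_suid "$(list_suid)" "$SUID_ALLOWLIST")
  if [ -n "$found" ]; then
    printf 'Unexpected SUID binaries:\n%s\n' "$found"
    return 1
  fi
  echo "No unexpected SUID binaries."
}

# Constructed sample of what list_suid might return on the challenge box:
# nohup with the SUID bit set is the deviation the writeup's root step relies on.
SAMPLE_FOUND='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/nohup
/usr/bin/su'

# Usage: sh suid_audit.sh --live   (runs the audit against this host)
if [ "${1:-}" = "--live" ]; then
  audit_suid
fi
```

Anything the audit reports should either be added to the baseline with a documented reason or have the bit removed with `chmod u-s <path>`; the fix for the box here is the latter, since nohup has no legitimate need to run as root.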

And that's how we solved this challenge.


© 2020 by HacLabs.