In this article we are going to solve another boot2root challenge, Victim. This is a beginner-level challenge. We can download it from Vulnhub.
IP of the target: 192.168.43.186
The next step is to scan the target to find open ports and the services running on it, and for that we used the command
sudo nmap -sC -sV -Pn 192.168.43.186
So many ports are open on this machine, so we decided to enumerate them one by one.
Port 80:
A simple webpage with an error message (maybe this is intentional), nothing on port 8080, and this is what we have on port 9000.
We tried searching the internet for a BoltCMS exploit but none of them worked here. So we decided to run a directory brute force (dirb) to find some useful pages.
sudo dirb http://192.168.43.186:80
sudo dirb http://192.168.43.186:9000
Wooohh!! There are so many pages, but most of them returned code 403.
So let's run the same command on port 9000.
We opened these webpages but found nothing...
Now we ran the nmap scan again (maybe we missed some open port).
This time we ran the command with the -p- flag.
sudo nmap -sC -sV -Pn -p 1-12000 192.168.43.186
We found one more open port. So without wasting our time, let's enumerate this port.
We found this .cap file and decided to open it in Wireshark and analyze each and every packet carefully, but failed to find anything useful.
Now we decided to crack it using aircrack-ng. Command used:
aircrack-ng WPA-01.cap -w /home/yash/Desktop/vulnhub/rockyou.txt/rockyou.txt
We cracked the password successfully: p4ssword.
Now we opened the .cap file again to analyze it carefully and found a line that disclosed the SSID to be dlink.
Now we have the creds that we can use to log in over SSH.
username: dlink
password: p4ssword
We are in as user dlink; now it's time for privilege escalation. First of all we checked the user's privileges and found this:
This is just a message to TryHarder to get root! We changed directory to /home and found two users, dlink and victim01, but nothing inside their home folders.
We decided to check for SUID binaries using the command
find / -perm -u=s -type f 2>/dev/null
Now, as described on GTFOBins, we used that command and got access as user root.
nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"
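The root path here exists only because nohup was left SUID, which is not part of any stock distribution. A small audit script, added here as an example and not part of the original walkthrough, compares the output of the same find command against an allow-list of SUID binaries that are expected on the host (the allow-list and the sample find output below are constructed for the example):

```shell
#!/bin/sh
# Report SUID binaries that are not on the expected allow-list.
# Both lists below are constructed sample data, not taken from the Victim box.

# Allow-list: SUID binaries a stock install is expected to have (assumption).
EXPECTED_SUID="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/bin/mount
/bin/umount"

# unexpected_suid <found-list>
# Prints every path in <found-list> (one per line) that is absent from EXPECTED_SUID.
# Returns 0 in all cases; callers inspect the printed lines.
unexpected_suid() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -x matches whole lines, -F treats the path literally, -- guards odd names
        if ! printf '%s\n' "$EXPECTED_SUID" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# Live use on a host, feeding the find command from the walkthrough:
#   unexpected_suid "$(find / -perm -u=s -type f 2>/dev/null)"

# Constructed sample of what find might print on a box like this one.
SAMPLE_FOUND="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/nohup
/bin/mount
/usr/bin/su"

unexpected_suid "$SAMPLE_FOUND"
```

On the sample data the only line printed is /usr/bin/nohup, the binary that gave root above; a file-integrity monitor or a cron job diffing this output against a known-good baseline catches the same thing.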
And that's how we solved this challenge.