In this article we are going to solve another boot2root challenge, West Wild, which is a very basic CTF challenge. Anyone with a good knowledge of Linux commands can pwn this machine very easily.
Our first step is to find the IP address of the target by using the command : netdiscover -i wlan0
Our next step is to check for open ports. Command used : nmap -p- 192.168.43.30
As we can see, 4 ports are open: 22 (SSH), 80 (HTTP), 139 (netbios-ssn) and 445 (microsoft-ds). As port 445 is open, the target host must be running the Samba service. Now we will use the tool smbmap to check which SMB shares are available. This tool comes preinstalled in Kali Linux. To know more about this tool please visit : https://tools.kali.org/information-gathering/smbmap
So without wasting our time we type in the command : smbmap -H 192.168.43.30
We found that one share is available and that it has READ ONLY access, so we decided to explore this share by using the tool smbclient.
We found two files here, FLAG1.txt and message_from_aveng.txt. We decided to download these files to our Kali Linux machine so that we can read their content. (To download these files use the command : get file_name)
We found our first flag. It is base64-encoded text, so we decoded it and now we have a username and password.
username : wavex
password : door+open
We know that port 22 (SSH) is open, so we think that these credentials may work.
Command used : ssh wavex@192.168.43.30
Now we decided to go to the /home directory to check for other users.
We found that there are two users, wavex and aveng. After exploring these two directories we couldn't find anything useful. We also looked for SUID binaries and other files, but failed to find anything useful. So we decided to check for writable directories by using the command : find / -writable -type d 2>/dev/null
We found a writable directory and changed our working directory to /usr/share/av/westsidesecret. In this directory we found a shell script, set its permission to executable and then executed it, and now we have the password of user aveng.
Now we used these credentials to log in as aveng.
Now by using the command : sudo -l we check the user's permissions, and this user has all permissions. So by typing sudo su we get root access, and by changing our directory to /root we get our FLAG2.
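The writable-directory step above is the misconfiguration an administrator would want to catch before an attacker does. The following audit script is an added example, not part of the original walkthrough: it reports world-writable directories that lack the sticky bit and names any file inside them that looks like it holds a credential. The function names, the sample tree and the keyword pattern are assumptions made for illustration.

```shell
#!/bin/sh
# audit_writable_dirs ROOT
#   Prints "DIR <path>"  for each world-writable directory without the sticky bit.
#   Prints "CRED <path>" for each regular file directly inside such a directory
#   that contains a credential-looking assignment. Only the file name is
#   printed, never the matching line, so the report itself leaks nothing.
audit_writable_dirs() {
    root=$1
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null |
    while IFS= read -r dir; do
        printf 'DIR %s\n' "$dir"
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -f "$f" ] || continue
            # Heuristic keyword pattern (an assumption; tune for your estate).
            if grep -Eiq '(pass(word|wd)?|secret|pwd)[[:space:]]*[:=]' "$f" 2>/dev/null; then
                printf 'CRED %s\n' "$f"
            fi
        done
    done
}

# build_sample: creates a constructed directory tree for the demo and
# prints its path. All names and contents are made up.
build_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/share/app/secretdir" "$t/tmp"
    chmod 0777 "$t/usr/share/app/secretdir"   # world-writable, no sticky bit
    chmod 1777 "$t/tmp"                       # sticky bit set: expected, not reported
    printf '#!/bin/sh\necho "user:example password:CONSTRUCTED"\n' \
        > "$t/usr/share/app/secretdir/note.sh"
    printf 'nothing sensitive here\n' > "$t/usr/share/app/secretdir/readme.txt"
    printf '%s\n' "$t"
}

# Demo run against the constructed tree.
sample=$(build_sample)
audit_writable_dirs "$sample"
rm -rf "$sample"
```

On a real host, run `audit_writable_dirs /` as root and review every reported directory; a `sudo -l` review for accounts with unrestricted rights covers the last step of the walkthrough.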