A boot2root Linux machine utilising web exploits along with some common privilege escalation techniques. There are seven flags on this machine to discover. So let's do it!
We start with an nmap scan, using -sC for the default scripts and -sV for version detection.
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| 2048 e1:80:ec:1f:26:9e:32:eb:27:3f:26:ac:d2:37:ba:96 (RSA)
| 256 36:ff:70:11:05:8e:d4:50:7a:29:91:58:75:ac:2e:76 (ECDSA)
|_ 256 48:d2:3e:45:da:0c:f0:f6:65:4e:f9:78:97:37:aa:8a (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Jekyll v4.1.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Since port 80 is open, I started a directory and file brute-forcing scan, and alongside that I visited the target website to enumerate it manually.
ffuf -u http://<target-ip>/FUZZ -c -w /path/to/your/wordlist
On the target website we noticed that clicking the image of a merchandise item invokes the post.php file. We also saw that there is a parameter that the PHP file expects. This parameter was missing when we tried to request the PHP file directly, hence we were not able to observe anything.
Anyhow, a PHP file that takes a parameter is an entry point where we can inject scripts or different values, which could lead to execution on the server side if the input to that parameter is not filtered. One of the first things we tried was a Local File Inclusion payload. We were able to read the passwd file as depicted below.
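To show why the post parameter above is exploitable and what a fixed version looks like, here is an added Python model of the two include behaviours. It is not code from the machine or from this writeup; the posts directory, the allow-list and the .php suffix are assumptions made for the demonstration. The vulnerable function uses the parameter as a path the way an unfiltered include does; the hardened one applies an allow-list plus a canonical-path check, which also rejects the kind of absolute path used later in this writeup to include an uploaded file.

```python
import os

# Assumed layout for the demonstration: where the legitimate post files live
# and which post names the application knows about.
POSTS_DIR = "/var/www/html/posts"
ALLOWED_POSTS = {"post-1", "post-2", "post-3"}


def vulnerable_resolve(post):
    """Model an unfiltered include: the client-supplied value is joined to the
    posts directory and used as-is. os.path.join discards POSTS_DIR when the
    value is absolute, and normpath collapses '..' sequences, so both an
    absolute path and a traversal string escape the intended directory."""
    return os.path.normpath(os.path.join(POSTS_DIR, post))


def hardened_resolve(post, allowlist=ALLOWED_POSTS):
    """Return the file to include, or None if the request must be rejected.

    Two independent controls are applied:
      1. an allow-list of known post names (pass allowlist=None to see that
         the second control alone still blocks traversal);
      2. a canonical-path check: after symlinks and '..' are resolved, the
         candidate must still be inside POSTS_DIR.
    """
    if allowlist is not None and post not in allowlist:
        return None
    base = os.path.realpath(POSTS_DIR)
    candidate = os.path.realpath(os.path.join(base, post + ".php"))
    # commonpath compares whole path components, so a sibling directory such
    # as /var/www/html/posts-old does not count as being "under" POSTS_DIR.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for value in ("post-1", "../../../../etc/passwd",
                  "/home/ftpuser/ftp/files/reverse.php"):
        print("%-40s vulnerable=%-45s hardened=%s" % (
            value, vulnerable_resolve(value), hardened_resolve(value)))
```

The allow-list is the control that actually fixes the application; the canonical-path check is defence in depth for the day someone loosens the allow-list to accept user-named files.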
Now we know that we have LFI here. First, let's check what we got from the directory and file fuzzing:
Here we can see that we have robots.txt and post.php. So let's visit /robots.txt, and here is what we see:
We have two entries in the robots.txt file:
So let's first get our first flag here:
After that I tried to visit /secret_file_do_not_read.txt, but we are not allowed to access it:
That's not the end, though: we have an LFI which can help us read that page.
And we see that it contains the FTP data location as well as the credentials to access the FTP service.
We connect to the FTP service using the credentials we just found and look around for files shared on FTP. We found a directory named files and the flag2 file.
But notice that the '/files' directory is writable! This means we could potentially upload a reverse shell to the system. The only condition we have to fulfil is that we must be able to execute the code. Since code in PHP files is executed directly on the server, and because we have already obtained a Local File Inclusion (LFI) vulnerability on the server, we can execute our reverse shell on the server.
But before that, let's get our 2nd flag:
Now that we have our 2nd flag, let's start by putting the reverse shell on the server.
We use the PHP reverse shell located at /usr/share/webshells/php/php-reverse-shell.php and edit it to add our VPN IP address so that the shell connects back to our listener.
Now that we have successfully uploaded our malicious file, move on quickly and set up a listener on our attacking machine:
nc -nvlp <port_in_your_reverse_shell>
Now browse to "http://watcher.thm/post.php?post=/home/ftpuser/ftp/files/reverse.php" to activate your shell, and on the other side we have our shell:
Yup! We have a shell, but it is unstable, so let's make it stable and well behaved. Run the following commands to improve your shell:
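From the defender's side, the two requests that make this chain work (reading /etc/passwd through the post parameter, then including a .php file from the FTP upload directory) are both visible in the web server's access log. The following Python scanner is an added example, not code from the writeup or the machine: it parses Apache combined-format log lines, pulls the watched query parameter and classifies suspicious values. The log lines are constructed to mirror the requests in this writeup; the field names and the choice of Apache combined format are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format; they are not taken
# from the target machine. Requests 2 and 3 mirror the two ways the post
# parameter is abused in this writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /post.php?post=post-1 HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2021:10:00:07 +0000] "GET /post.php?post=../../../../etc/passwd HTTP/1.1" 200 2211 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2021:10:00:15 +0000] "GET /post.php?post=%2Fhome%2Fftpuser%2Fftp%2Ffiles%2Freverse.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.0.0.9 - - [01/Jan/2021:10:00:20 +0000] "GET /robots.txt HTTP/1.1" 200 78 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def inspect_param(value):
    """Return the reasons a file-name parameter value looks like an inclusion
    attack; an empty list means it looks benign."""
    # parse_qs already URL-decoded once; decode again so a double-encoded
    # value is inspected in its final form.
    norm = unquote(value).replace("\\", "/").lower()
    reasons = []
    if "../" in norm or norm.endswith(".."):
        reasons.append("traversal")
    if norm.startswith("/"):
        reasons.append("absolute-path")
    if norm.endswith(".php"):
        reasons.append("php-include")
    if "/etc/passwd" in norm:
        reasons.append("sensitive-file")
    return reasons


def scan_access_log(text, watched_params=("post",)):
    """Parse each line, pull the watched query parameters and record hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        query = parse_qs(target.query, keep_blank_values=True)
        for name in watched_params:
            for value in query.get(name, []):
                reasons = inspect_param(value)
                if reasons:
                    hits.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "path": target.path,
                        "param": name,
                        "value": value,
                        "status": int(m.group("status")),
                        "reasons": reasons,
                    })
    return hits


def sources_with_include_chain(hits):
    """IPs that both pulled files by traversal or absolute path and had a
    .php file included: the sequence that turns file read into code execution."""
    seen = {}
    for h in hits:
        seen.setdefault(h["ip"], set()).update(h["reasons"])
    return sorted(ip for ip, r in seen.items()
                  if "php-include" in r and ({"traversal", "absolute-path"} & r))


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for hit in found:
        print(hit["ip"], hit["path"], hit["value"], hit["reasons"])
    print("include chain from:", sources_with_include_chain(found))
```

A 200 status on a php-include hit is the line worth paging on: it means the include succeeded, which on this machine is the moment the reverse shell was spawned.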
python3 -c 'import pty;pty.spawn("/bin/bash")'
stty raw -echo;fg
We land in the root directory of the filesystem and decide to start enumerating for more flags from the /var/www/html directory. When we list the contents of that directory, we find a directory named more_secrets_a9f10a. Inside this directory we found our third flag.
We tried to look around for more flags but are unable to access them, so in order to reach them we need to start enumerating for ways to elevate privileges to other users. We enumerated the sudo permissions of the current user and found that we can run all commands as the toby user.
And now we are toby.
Move to /home/toby/ and cat the 4th flag.
From the above image we find a note.txt file. Reading note.txt, we see a mention of cron jobs. We investigate the cron jobs by reading the /etc/crontab file.
We found a shell script located inside the jobs directory named cow.sh. It is executed as the user mat. We inspected the permissions on cow.sh and found that it is writable by the toby user. One more thing: it runs every minute. So I don't care what this script is doing; I just want it to do whatever we write inside it.
So I placed a bash reverse-connection one-liner inside it and started a listener in my other terminal, as we did earlier (but on a different port).
And after 1 minute we have a connection as user mat.
Now I moved to mat's home directory and listed its contents. We found a note, a directory named scripts, and flag 5.
Let's cat out the 5th flag first.
Now I cat out the content of note.txt, and as this user I ran 'sudo -l' again and found:
Note the '*' (star) symbol at the end of the script name in the above image.
We can abuse this misconfiguration to elevate our privileges. I am going to use the following command for this job:
sudo -u will /usr/bin/python3 /home/mat/scripts/will_script.py bash
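Why the trailing '*' matters: sudo matches command arguments with shell-style globbing, so a rule that ends in '*' accepts any arguments after the script name, and whatever the script does with its arguments is now under the caller's control. A second weakness in the same rule is that the script lives under the calling user's own home directory. The following Python audit is an added example, not code from the writeup or the machine; the sudoers text it checks is a constructed reconstruction consistent with the sudo command used above (the page shows the rule only as an image), and the hardened variant, including the /opt/will/ path, is an assumption for the demonstration.

```python
import os
import re
import shlex

# Constructed sudoers fragment. The rule for mat is modelled on the one the
# writeup describes (a python3 script followed by '*'); the exact text on the
# machine is not shown, so this is an assumption.
WEAK_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(toby) NOPASSWD: ALL
mat ALL=(will) NOPASSWD: /usr/bin/python3 /home/mat/scripts/will_script.py *
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""

# The same delegation with the two problems removed: the argument list is
# fixed (no wildcard) and the script lives where the calling user cannot
# edit it. The path /opt/will/ is an assumption for the demonstration.
HARDENED_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
mat ALL=(will) NOPASSWD: /usr/bin/python3 /opt/will/will_script.py --report
"""

INTERPRETERS = {"python", "python2", "python3", "bash", "sh", "perl", "ruby", "php"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)


def parse_rules(text):
    """Yield (user, runas, tags, command) for each user specification line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        while True:  # strip leading tags such as NOPASSWD: or SETENV:
            t = re.match(r"^([A-Z]+):\s*", rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        for cmd in rest.split(","):
            yield m.group("user"), m.group("runas") or "root", tags, cmd.strip()


def audit_sudoers(text):
    findings = []
    for user, runas, tags, cmd in parse_rules(text):
        if user == "root":
            continue  # root's own rule is expected to be unrestricted
        reasons = []
        if cmd == "ALL":
            reasons.append("any-command")
        else:
            argv = shlex.split(cmd)
            if any(re.search(r"[*?\[]", a) for a in argv[1:]):
                reasons.append("wildcard-argument")
            if (os.path.basename(argv[0]) in INTERPRETERS
                    and any(a.startswith("/home/%s/" % user) for a in argv[1:])):
                reasons.append("script-under-caller-home")
        if reasons:
            findings.append({"user": user, "runas": runas, "command": cmd,
                             "nopasswd": "NOPASSWD" in tags, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(WEAK_SUDOERS):
        print(finding)
    print("hardened findings:", audit_sudoers(HARDENED_SUDOERS))
```

The www-data rule from earlier in the writeup (all commands as toby) is reported too, since a blanket ALL is the same class of problem as the wildcard, only broader.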
And bingo! Now we are the user will. So move to will's home directory and cat out the 6th flag:
Note from the above image that this time there is no note.txt or anything else unusual in the directory.
So let's move on and do some more manual enumeration.
After enumerating for about 5 minutes, I found a file named 'keys.b64' in the /opt/backups directory. The content of keys.b64 is base64-encoded, so let's decode it:
After decoding, it turns out to be a private key that can be used to access the target machine through the SSH service. So copy the decoded content into a file called id_rsa on your machine, and don't forget to set the permissions SSH requires on it, otherwise the client will refuse to use the key.
Use the following command to set the required permissions on the private key:
chmod 600 id_rsa
And use the following command to log in via SSH with this key:
ssh -i id_rsa root@<target-ip>
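The keys.b64 finding generalises to a simple backup-hygiene check: a private key does not stop being a private key because it was base64-encoded before being dropped in a readable backup directory. The following Python scanner is an added example, not code from the writeup or the machine. It walks a directory, base64-decodes each file through up to a few layers, and reports any file that turns into a PEM private key, along with whether that file is readable by other users. The backups directory, the file names and the key content it creates are constructed placeholders; no real key material is involved.

```python
import base64
import binascii
import os
import re
import stat
import tempfile

KEY_HEADER_RE = re.compile(
    rb"-----BEGIN (?:RSA |OPENSSH |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def decoded_layers(data, max_depth=3):
    """Yield (depth, bytes): the raw content, then each successive base64
    decoding that is valid, so once- and twice-encoded keys are both seen."""
    current = data
    for depth in range(max_depth + 1):
        yield depth, current
        stripped = b"".join(current.split())  # base64 tools wrap lines
        try:
            current = base64.b64decode(stripped, validate=True)
        except (binascii.Error, ValueError):
            return
        if not current:
            return


def scan_file(path):
    """Return a finding if the file contains a PEM private key at any layer."""
    with open(path, "rb") as f:
        data = f.read()
    for depth, blob in decoded_layers(data):
        if KEY_HEADER_RE.search(blob):
            st = os.stat(path)
            return {"path": path, "base64_layers": depth,
                    "world_readable": bool(st.st_mode & stat.S_IROTH)}
    return None


def scan_tree(root):
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            hit = scan_file(os.path.join(dirpath, name))
            if hit:
                hits.append(hit)
    return hits


# Constructed placeholder, not real key material.
FAKE_PEM = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"constructed-placeholder-not-a-real-key\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")


def run_demo():
    """Lay out a backups directory like the one in the writeup: a keys.b64
    file that is readable by everyone, plus a harmless text file."""
    backups = tempfile.mkdtemp()
    keys = os.path.join(backups, "keys.b64")
    with open(keys, "wb") as f:
        f.write(base64.encodebytes(FAKE_PEM))
    os.chmod(keys, 0o644)
    with open(os.path.join(backups, "README"), "w") as f:
        f.write("weekly backup of configuration files\n")
    return scan_tree(backups)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

A hit with world_readable set to True is the condition that let the will user read a root key here; the remediation is to keep keys out of backup trees entirely, or at minimum store them with mode 0600 under an account that needs them.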
Now change directory to /root and cat out the 7th flag: