CTF Challenges

Beast 2: Vulnhub Walkthrough

Today we are going to take another CTF challenge Beast:2. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

  1. Scanning
  • NMAP
  1. Enumeration
  • Wireshark
  1. Exploitation
  • SSH
  1. Privilege Escalation
  • Exploiting Suid rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.

Then, as usual, we used our favourite tool Nmap for port scanning. We found that ssh is open and running two ports 22 and 65022.

nmap -p- -A 192.168.1.102

We tried to ssh the target with port 65022 and found.  It working but we don’t have the username and password yet.

So our next step is to hunt the ssh username and password

Enumeration:

All we have got is ssh service enabled on the target machine and nothing else. So what we did is we started to capture traffic of the target machine using Wireshark.

We tried different filters and found something useful with UDP filter.

ip.addr==192.168.1.102 && udp

 

We checked with UDP stream and two words got our attention whiteshark & whitepointer which could be the usernames for ssh.

In another captured data packet we found the password Ch@ndr!chthye$.

Exploitation:

So far we probably have got two usernames and one password.

We tried to ssh the target with both the usernames one by one but whitepointer & Ch@ndr!chthye$ combination worked for us and we were successfully able to login the target system.

After logging in we checked for sudo rights but the user was not a sudoer.

We also checked for the suid rights for any file and found  /usr/bin/root has suid set.

ssh whitepointer@192.168.1.102 -p 65022
find / -perm -u=s -type  f 2>/dev/null

Privilege Escalation:

To elevate to the root shell we will exploit the suid permissions of the /usr/bin/root file. Using the strings command we found root file is actually running the whoami command.

We used the path variable methodology to exploit the privileges of the root file. What we did is we created a new file named whoami inside /tmp directory and put /bin/bash inside it using echo command, then gave all privileges to it. We then exported the path.

To know more about Path Variable check our article on the same HERE

So after that, once we executed the /usr/bin/root file we successfully got the root shell and then also the flag.txt as anticipated.

cd /tmp
echo "/bin/bash" > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/root
cd /root
cat flag.txt

Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here