Today we are going to take on another CTF challenge, Beast:2. The credit for making this VM goes to “Avraham Cohen”. It is a boot2root challenge where we have to root the server and capture the flag to complete it. You can download this VM here.
Security Level: Beginner
- Privilege Escalation
- Exploiting Suid rights
Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.
Then, as usual, we used our favourite tool, Nmap, for port scanning. We found that SSH is open on two ports, 22 and 65022.
nmap -p- -A 192.168.1.102
We tried to SSH to the target on port 65022 and found it working, but we did not have a username or password yet.
So our next step was to hunt for the SSH username and password.
All we had was the SSH service on the target machine and nothing else, so we started capturing the target machine's traffic with Wireshark.
We tried different filters and found something useful with the UDP filter.
ip.addr==192.168.1.102 && udp
We followed the UDP stream and two words got our attention, whiteshark & whitepointer, which could be the usernames for SSH.
In another captured data packet we found the password [email protected]!chthye$.
So far we probably have got two usernames and one password.
We tried to SSH to the target with both usernames one by one; the whitepointer & [email protected]!chthye$ combination worked for us and we were able to log in to the target system.
After logging in we checked for sudo rights but the user was not a sudoer.
We also checked for files with the SUID bit set and found that /usr/bin/root has it.
ssh whitepointer@192.168.1.102 -p 65022
find / -perm -u=s -type f 2>/dev/null
To elevate to a root shell we will exploit the SUID permissions of the /usr/bin/root file. Using the strings command we found that the root binary actually runs the whoami command.
We used the PATH variable technique to exploit the privileges of the root binary. What we did is create a new file named whoami inside the /tmp directory, put /bin/bash inside it using echo, then make it executable for everyone. We then exported PATH with /tmp in front, so that the binary's lookup of whoami finds our file first.
To know more about Path Variable check our article on the same HERE
After that, once we executed the /usr/bin/root file, we got the root shell and then also flag.txt, as anticipated.
cd /tmp
echo "/bin/bash" > whoami
chmod 777 whoami
export PATH=/tmp:$PATH
/usr/bin/root
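The root cause of this escalation is a set-uid binary that resolves a command through the caller's PATH. The source of the VM's /usr/bin/root is not on this page (we only know from strings that it runs whoami), so the program below is an added example, not the challenge author's code: it assumes the wrapper called system("whoami"), shows that defect next to a hardened equivalent that execs an absolute path under a fixed environment, and includes two small audit helpers a reviewer can run over a PATH value or a command string. The set of "unsafe" PATH entries it flags is a heuristic of our own choosing.

```c
/* Added example (not from the Beast:2 VM): PATH-hijack defect vs. fix in a
 * set-uid wrapper, plus two audit helpers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed to be what /usr/bin/root does): a set-uid root
 * binary hands a bare command name to system(), so the *caller's* PATH decides
 * which "whoami" actually runs. A writable directory placed first in PATH wins. */
int run_whoami_vulnerable(void) {
    return system("whoami");
}

/* Audit helper: does this command line depend on a PATH lookup?
 * Returns 1 when the program token is not an absolute path. */
int command_is_path_dependent(const char *cmd) {
    while (*cmd == ' ' || *cmd == '\t') cmd++;
    return *cmd != '/';
}

/* Audit helper: does a PATH value contain an entry an unprivileged user can
 * usually write to? Heuristic (our assumption): an empty entry or "." means the
 * current directory; /tmp and /var/tmp are world-writable by convention. */
int path_has_unsafe_entry(const char *path) {
    const char *start = path;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len == 0) return 1;                               /* "" acts as "." */
        if (len == 1 && start[0] == '.') return 1;
        if (strncmp(start, "/tmp", 4) == 0 && (len == 4 || start[4] == '/')) return 1;
        if (strncmp(start, "/var/tmp", 8) == 0 && (len == 8 || start[8] == '/')) return 1;
        if (!end) return 0;
        start = end + 1;
    }
}

/* Hardened pattern: no shell, absolute program path only, and an explicit
 * environment that ignores whatever PATH the caller supplied.
 * Returns the child's exit status; 126 if argv[0] is not absolute,
 * 127 if execve failed, -1 on a fork/wait error. */
int run_with_clean_env(char *const argv[]) {
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (argv[0] == NULL || argv[0][0] != '/') return 126;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, clean_env);   /* never consults the caller's PATH */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("\"whoami\" PATH-dependent?          %d\n", command_is_path_dependent("whoami"));
    printf("\"/usr/bin/whoami\" PATH-dependent? %d\n", command_is_path_dependent("/usr/bin/whoami"));
    printf("PATH=/tmp:/usr/bin unsafe?         %d\n", path_has_unsafe_entry("/tmp:/usr/bin"));
    /* The child prints the fixed PATH regardless of what this process inherited. */
    char *const argv[] = { "/bin/sh", "-c", "echo PATH seen by child: $PATH", NULL };
    return run_with_clean_env(argv);
}
```

Compile with `gcc -Wall example.c -o example` and run it with a deliberately poisoned environment (`PATH=/tmp:$PATH ./example`): the child still reports `/usr/bin:/bin`. A real set-uid wrapper should additionally drop privileges with setuid/setgid before exec when the helper does not need root at all, which is the case for whoami.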
Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here