Hack the BSides Vancouver:2018 VM (Boot2Root Challenge)

Hello friends! Today we are going to take another CTF challenge known as BSides Vancouver. The credit for making this vm machine goes to “Abatchy” and it is another capture the flag challenge in which our goal is to gain root access and capture the flag to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let’s start from getting to know the IP of VM  with help of netdiscover Command (Here, I have it at 192.168.1.103 but you will have to find your own). Now let’s move towards enumeration in context to identify running services and open of victim’s machine by using the most popular tool Nmap.

Awesome!! Nmap has done remarkable job by dumbing the details of services running on open port 21, 22 and 80.

Moreover the highlighted text is reveling following details:

  • FTP Anonymous login allowed
  • Found a directory /backup wordpress with help of txt

Without wasting time we accessed ftp service of victim’s system and found a user.txt.bk, let’s look into this file.

Its look like a text file with some username in it. Since port 22 is open so we can use these name for login into ssh if possible.

If you recall nmap result then it has shown /back_wordpress directory which we had explore in our web browser but Sadly we didn’t get anything from this web page although it sound for WordPress site which is also a good sing.

Now we decided to use command on the URL that we have entered in the browser. To check if there are any kind of vulnerable themes, plugins, username and etc.

The wpscan has enumerated the usernames where we have found the login credentials as admin and John.

Again we have used wpscan to find out the password credentials for the login credentials john. Here we have used following command to enumerate the password from the rockyou.txt file.

We see that for login credentials john, the password credentials matched is enigma.

After finding the username and password, we have used metasploit’s exploit wp_admin_shell_upload to upload the shell and get the meterpreter which is shown below.

use exploit/unix/webapp/wp_admin_shell_upload

msf exploit(unix/webapp/wp_admin_shell_upload) >set rhost 192.168.1.103

msf exploit(unix/webapp/wp_admin_shell_upload) >set targeturi /backup-wordpress

msf exploit(unix/webapp/wp_admin_shell_upload) >set username john

msf exploit(unix/webapp/wp_admin_shell_upload) >set password enigma

msf exploit(unix/webapp/wp_admin_shell_upload) >exploit

Great!! We had compromise confidentiality of the target’s system now penetrate more for completing this challenge.

We start penetrating targets machine and after 10-15 mints we came know about a cleanup file which has root privilege from inside contents of crontab file.

Then we downloaded cleanup file on our desktop so that we can modify it by editing our malicious code.

Using msfvenom we had generated a malicious python code by executing following command.

Then copy the highlighted code for editing into cleanup file.

We had paste above copied text as inside cleanup file as shown in below image. In a new terminal we had start netcat for listening reverse connection.

nc -lvp 9876

Now we had transfer our malicious cleanup file into current directory i.e. /usr/local/bin and verify it using cat command.

WOW we got reverse connection from victims system with root access now let’s catch the flag and finished the task.

id

cd /root

cat flag.txt

Solving challenge in this lab is not that much hectic therefore it is good task for beginners.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Leave a Reply

Your email address will not be published. Required fields are marked *