Today we are going to solve another boot2root challenge called “Pwned: 1”. It’s available at Vulnhub for penetration testing. This is an easy level lab. The credit for making this lab goes to Ajs Walker. Let’s get started and learn how to successfully break it down.

Level: Easy

Since these labs are available on the Vulnhub website so we will download the lab file from here.

Penetration Testing Methodology

Recognition

• Netdiscover
• Nmap

Enumeration

• Gobuster

Exploiting

• Obtaining SSH private key backup

Privilege Escalation

• Abuse of sysadmin script.
• Abuse of Docker Group privileges
• Capture the flag

Walkthrough

Recognition

As always, we identify the host’s IP with the “Netdiscover” tool:

netdiscover

Now start by listing all the TCP ports with the help of Nmap.

nmap –sV -sC -P- 192.168.10.192

To work more comfortably, I’ll put the IP address in /etc/hosts.

Enumeration

Now, we have entered the web service and found information about the hacker “Annlynn” in the body and commented lines of the source code.

We have used Gobuster with a medium directory dictionary, indicating the typical extensions.

We will access the directory “/hidden_text” and will find a file named as “secret.dic“, this contains a directory listing.  

After checking with Gobuster, we saw that only the directory “/pwned.vuln” is available.

Exploiting (user “Ariana”)

We found an administration panel exposed, after trying the typical passwords to try to access and not succeed, we went to check the source code and found that there is a condition in PHP with some credentials. The user already gave us the clue for which service to use (FTP).

We connect to the FTP service with the obtained credentials, we find an SSH private key for the user “Ariana” and a note.

Now we have changed the permissions to the file “id_rsa” and connect through SSH with the user “Ariana“. Once inside, we can read the first flag.

Privilege Escalation (user “Selena”)

We execute the command “sudo -l“, evidencing that we are able to execute a script called “messenger.sh” as the user “selena”. If we check the code, we can verify that it executes the information in “$msg 2> /dev/null“. Given this, we could insert a “/bin/bash” so that it raises a shell with the user we have previously indicated in the script.

We start the script…

We indicate the user “selena“, type “/bin/bash”… That’s right! We have obtained a shell with this user, we read the 2nd flag.

Privilege Escalation (root)

We type “id” and list that we belong to the group “Docker“, then we check the docker images that we have available and execute the command that will allow us to escalate privileges with a shell as root.  

Finally, we will read the flag.

docker run -v /:/mnt --rm -it privesc chroot /mnt sh

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.