BootToBeRoot: CTF walkthrough
First of all we get the IP address of the VM.
Then we can scan the target to find open ports:
The RPC service doesn't give us any useful information, so this is going to be a web CTF.
After a quick directory enumeration with the gobuster tool we find two interesting folders: files and icons.
The first one is empty, so it's useless:
But, fortunately for us, the second folder contains a weird .txt file named VDSoyuAXiO.txt:
This is more than a simple text file: it's a private key, which we will use to log in to the server via SSH.
Note that we can find a list of potential users on the home page of the website:
Hadi M and
First of all, we have to change the permissions on this private key before we can use it.
Then we have to find which user this private key belongs to.
Apparently it's Martin, but an extra password is required.
The creator made a mistake or something like that, because regardless of the password you enter it always works. The Python script:
From Martin to Jimmy
After some research we find a mistake in the /etc/crontab file: the user Jimmy runs a Python script without any security check. We simply have to create a Python script named sekurity.py and it will be executed by Jimmy.
We can create this simple Python reverse shell:
After a few minutes we successfully have a shell with Jimmy's privileges.
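The root cause of this step is a cron job that points at a script another user can create or overwrite. As an added example (not part of the original walkthrough), here is a small audit that flags such crontab entries; the crontab text and the staged directory tree are constructed for the demo, and the path /home/jimmy/sekurity.py is assumed from the writeup.

```python
import os
import stat
import tempfile

# Constructed sample system crontab (not the VM's real file); the last job mirrors the flaw.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *  * * *  root   cd / && run-parts --report /etc/cron.hourly
*/2 * * * *  jimmy  python3 /home/jimmy/sekurity.py
"""

def crontab_jobs(text):
    """Yield (user, command) for each job line of a system-style crontab."""
    for raw in text.splitlines():
        fields = raw.strip().split(None, 6)
        # Skip blanks, comments and variable assignments such as PATH=...
        if len(fields) < 7 or fields[0].startswith("#") or "=" in fields[0]:
            continue
        yield fields[5], fields[6]

def audit_crontab(text, root="/"):
    """Return (user, path, reason) for each absolute path in a job that another
    user could replace. `root` lets the check run on a staged tree instead of /."""
    findings = []
    for user, command in crontab_jobs(text):
        for token in command.split():
            if not token.startswith("/"):
                continue
            real = os.path.join(root, token.lstrip("/"))
            if os.path.exists(real):
                if os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    findings.append((user, token, "script writable by group/others"))
            else:
                parent = os.path.dirname(real)
                if os.path.isdir(parent) and os.stat(parent).st_mode & stat.S_IWOTH:
                    findings.append((user, token, "missing script in world-writable directory"))
    return findings

def stage_demo_tree():
    """Build a throwaway tree: world-writable /home/jimmy with no sekurity.py."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "home", "jimmy")
    os.makedirs(home)
    os.chmod(home, 0o777)  # explicit chmod, since the makedirs mode is masked by umask
    return root

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB, root=stage_demo_tree()):
        print(finding)
```

Run against the real system with `audit_crontab(open("/etc/crontab").read())`; any finding means a lower-privileged user can choose what runs under the job's account.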
From Jimmy to root
In Jimmy's home folder we find the networker binary, which apparently executes a few network commands. The interesting thing about this binary is that it runs with root privileges, so if we find a way to make it execute arbitrary commands we will probably gain root.
Let's check whether this binary calls system commands by relative path:
The echo command looks like a good choice for us. Let's create a binary named echo.
Now we can download the binary with nc. Note: curl and wget are restricted and unusable.
Finally we change the PATH environment variable and we should be good to go.
Unfortunately for us, the creator made another mistake with this binary, and we are not able to exploit this vulnerability in the networker binary.