This is an entry level boot2root web-based challenge.
Download link: Here
Prerequisite
- VMware
- Kali Linux Machine
- CTF Machine
- Network Adapter will be NAT for both machines
Steps:
- Information gathering
Since the target machine is on our network, we start by scanning the network with the netdiscover command.
Once we knew the target's IP address, we searched for open ports and for the services and OS running on that address. This can be done with the nmap tool.
The scan showed services running on open ports 21, 22 and 80.
Let's open "ftp://victim's_ip_address" in the browser. Here we found a file "user.txt.bk" in the public directory. This file contains some usernames.
Port 22 is for SSH (remote login), so those usernames can be used to log in remotely to the server.
Let's come back to another finding, the "/backup_wordpress" directory. We opened it in the web browser but didn't get anything. Now we are sure it is a WordPress website.
So let's look for different kinds of vulnerabilities using the wpscan tool. Here we got two usernames, "admin" and "john". To find the password for user "john" we again used the wpscan tool, with "rockyou.txt" as the wordlist. From this, we got the login credentials, i.e. login: john and password: enigma.
We also used another tool to brute force the password, hydra, but did not get any juicy information.
- Attacking and Gaining Access
We used these credentials to log in to the WordPress website. To gain Meterpreter access, we used Metasploit's "reverse_tcp". To generate the malicious payload we used the "msfvenom" tool.
This generated payload will be executed via the 404.php page.
http://victim_ip/backup_wordpress/wp-content/themes/twentysixteen/404.php
After getting the reverse TCP connection, we interacted with it by running the "sessions 1" command. With the session open, we executed the commands below to get a terminal on the target machine.
meterpreter> shell
python -c 'import pty;pty.spawn("/bin/sh")'
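From the defender's side, the WordPress password guessing and the direct request to the theme's 404.php described above both show up in the web server access log. The following check is an added example, not part of the original write-up; the combined log format, the threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
LOGIN_RE = re.compile(r'/(wp-login\.php|xmlrpc\.php)(\?|$)')
# WordPress includes theme templates itself; a client requesting one by URL
# (such as .../themes/twentysixteen/404.php) is unusual and worth reviewing.
THEME_PHP_RE = re.compile(r'/wp-content/themes/[^/]+/[^/?]+\.php(\?|$)')

def analyse(lines, threshold=10):
    """Return (guessing_ips, logins_after_guessing, direct_theme_requests)."""
    attempts = Counter()
    success_after = set()
    theme_hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format
        ip, method, path, status = m.groups()
        if method == "POST" and LOGIN_RE.search(path):
            # Assumption: stock wp-login.php answers 302 on a successful
            # login and 200 (form shown again) on a failed one.
            if status == "302" and "wp-login.php" in path and attempts[ip] >= threshold:
                success_after.add(ip)
            attempts[ip] += 1
        if THEME_PHP_RE.search(path):
            theme_hits.append((ip, path))
    guessing = {ip: n for ip, n in attempts.items() if n >= threshold}
    return guessing, success_after, theme_hits

def sample_log():
    """Constructed access-log lines (documentation IP addresses)."""
    ts = "[10/Mar/2018:10:00:00 +0000]"
    wp = "/backup_wordpress"
    fmt = '{} - - ' + ts + ' "{} ' + wp + '{} HTTP/1.1" {} 512 "-" "-"'
    lines = [fmt.format("192.0.2.10", "GET", "/", 200),
             fmt.format("192.0.2.10", "POST", "/wp-login.php", 302)]
    lines += [fmt.format("192.0.2.66", "POST", "/wp-login.php", 200)] * 25
    lines.append(fmt.format("192.0.2.66", "POST", "/wp-login.php", 302))
    lines.append(fmt.format("192.0.2.66", "GET",
                            "/wp-content/themes/twentysixteen/404.php", 200))
    return lines

if __name__ == "__main__":
    print(analyse(sample_log()))
```

An address that appears in all three results (many login POSTs, a successful login after them, then a direct theme-file request) matches the sequence in this walkthrough and is the one to investigate first.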
- Privilege Escalation
Now we have terminal access. Remember the username list found in the public directory? We used this list to switch accounts.
$ su anne
pwd: princess
Now we will make user "anne" root by using the command below:
$ sudo su
Now list the files in the root directory. Here, we found a file flag.txt. Let's open it. Finally, we captured the flag to be collected ❤.