Hack the Born2Root VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Born2Root. The credit for making this vm machine goes to “Hadi Mene” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at but you will have to find your own)


Use nmap for port enumeration.
nmap -sV

Nmap scan shows us port 80 is open, so we open the ip address in our browser.

Now the dirb scan shows us directories. We open the icons/ directory and find few files.

We use this key to login through ssh to the target machine we use the names we find on the page we first opened. First we change the permissions of the private key. Then we use it to connect through ssh.
chmod 600 id_rsa
ssh -i id_rsa martin@

When we connect it will ask for password just press enter, it is there for trolling.
Searching through the files we take a look at cron job.
cat /etc/crontab

We find that a file to called sekurity.py in the /tmp/ is to be executed every 5 minutes. But the file is missing from the folder. So we create a reverse shell of our own and save it as sekurity.py in the /tmp/ folder.

Now we set up our listener using netcat and wait for the cronjob to execute our file. Once the file is executed we get our reverse shell as a different user.

We use cupp to create a dictionary.

msf > use auxiliary/scanner/ssh/ssh_login
msf(ssh_login) > set rhosts
msf(ssh_login > set username hadi
msf(ssh_login > set pass_file hadi.txt
msf(ssh_login > run

Now once we enter the shell we spawn the terminal and use hadi’s password (‘hadi123’) to enter the root shell.
python -c “import pty; pty.spawn(‘/bin/bash’)”
su - root

Now that we are root we open the flag.txt and find a congratulatory message for completing the VM challenge.


Post a Comment