Today we are going to take on another boot2root challenge known as “DC-4”. The credit for making this VM goes to “DCAU”. It is another boot2root challenge in which our goal is to get root access to complete the challenge. You can download it from here
Security Level: Beginner
Penetrating Methodology
Scanning
· Discovering target's IP
· Network scanning (Nmap)
Exploiting
· Surfing HTTP service port
· HTTP login credential bruteforce (Burpsuite)
· Command injection
· SSH login credentials bruteforce (Hydra)
Lateral Movement
· Logging into SSH and enumerating directories
· Obtain credentials in /var/mail directory
Privilege Escalation
· Check sudo rights
· Adding new user to /etc/passwd with sudo
· Access root directory
· Capture the flag
Walkthrough
Scanning
Let’s start off with scanning the network to find our target.
netdiscover
We found our target's IP address, 192.168.1.101. Our next step is to scan the target's IP address with nmap.
nmap -A 192.168.1.101
Exploiting
From the nmap result we found that an HTTP service is running on port 80. So, we browsed the target's IP address in the browser and found an Admin Information Security Login page. We clearly need to find credentials for it. Let's work on that.
We fired up Burpsuite, using rockyou.txt to get a valid login.
Username- admin
After bruteforcing, we found the password for admin, i.e.
Password- happy
We have successfully logged in as admin. Under System Tools, the Command hyperlink looks suspicious, so let's check it out.
The Command option looks useful, as it displays some options to run commands. Here we used the List Files option, which displayed the files of the database. We also got a hint: the option executes ls -l, so we might be able to make some changes to it.
So, we captured the webpage request using Burpsuite and sent it to Repeater. Here we can make the desired changes to the request and check its response.
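One way to close the hole described above, as an added example that is not part of the original walkthrough or the DC-4 application's own code: the server maps an option key to a fixed argument vector instead of executing the string the form submits. The option keys and the du/df entries are assumptions; only ls -l appears on the page.

```python
import subprocess

# Hypothetical option keys mapped to fixed argument vectors. Only "ls -l" is
# named on the page; the other two entries are constructed for illustration.
ALLOWED_TOOLS = {
    "list_files": ["ls", "-l"],
    "disk_usage": ["du", "-sh", "."],
    "disk_free": ["df", "-h"],
}


class ToolRejected(ValueError):
    """Raised when the submitted value is not a known option key."""


def resolve_tool(submitted: str) -> list[str]:
    """Map the form value to a fixed argv; never treat it as a command."""
    key = submitted.strip()
    if key not in ALLOWED_TOOLS:
        raise ToolRejected(f"unknown tool option: {key!r}")
    # Return a copy so callers cannot mutate the allowlist.
    return list(ALLOWED_TOOLS[key])


def is_accepted(submitted: str) -> bool:
    """True only when the value is one of the known option keys."""
    try:
        resolve_tool(submitted)
        return True
    except ToolRejected:
        return False


def run_tool(submitted: str, timeout: float = 5.0) -> str:
    """Run the selected tool without a shell and return its stdout."""
    argv = resolve_tool(submitted)
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed form values: one legitimate, three edited in a proxy.
    for value in ["list_files", "ls -l", "list_files; id", "cat /etc/passwd"]:
        print(f"{value!r:22} accepted={is_accepted(value)}")
```

Because the client only ever selects a key, a request edited in a proxy can pick a different listed tool but cannot supply its own command or arguments.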
Let’s check out the subdirectories in the /home directory. We found 3 users, i.e. Charles, Jim and Sam.
We explored the home directory of user Jim and then checked out the backups folder.
We found an old-passwords.bak file, which is a backup password file.
Exploring the contents of the file, we found a list of passwords. They might come in handy later.
We thought of checking whether /etc/passwd is readable and found some useful usernames.
We created dictionaries of users and passwords from the previously discovered credentials. Let’s bruteforce the ssh login using hydra.
hydra -L users -P passwords 192.168.1.101 ssh
So, the credentials found:
Login- jim
Password- jibril04
Lateral Movement
Logging into ssh using the credentials.
Username- jim
Password- jibril04
ssh jim@192.168.1.101
While enumerating, we found two files and read their contents, but they didn’t give a direct clue to move ahead.
ls
cat test.sh
cat mbox
When I opened mbox, I saw a test mail in it, sent by root to jim.
After some time thinking, it suddenly struck us to check the /var/mail folder. Maybe it might contain something, and our instinct was right. We found some credentials.
Username- Charles
Password- ^xHhA&hvim0y
Privilege Escalation
Let’s log in as charles with the password ^xHhA&hvim0y.
su charles
After enumeration, we checked the sudo rights for charles and found that he can run the editor teehee as root with no password. After that, we added the user raaj to /etc/passwd using echo and teehee as shown.
sudo -l
echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd
Logging in as raaj gives us a root user, and inside the root directory we found our FINAL FLAG.
su raaj
cd /root
ls
cat flag.txt
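A defender-side check for the change made above, as an added example that is not from the original walkthrough: it parses passwd-format text and flags entries with an empty password field or a UID of 0 under a name other than root. The sample file is constructed; only the raaj line mirrors the entry on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    user: str
    issue: str


def audit_passwd(text: str) -> list[Finding]:
    """Flag passwd entries that grant passwordless or root-equivalent access."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # name:passwd:uid:gid:gecos:home:shell is the expected layout.
            findings.append(Finding(line_no, fields[0], "malformed entry"))
            continue
        user, passwd, uid = fields[0], fields[1], fields[2]
        if passwd == "":
            # "x" defers to /etc/shadow; an empty field sets no password.
            findings.append(Finding(line_no, user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append(Finding(line_no, user, "UID 0 account other than root"))
    return findings


# Constructed sample; the UIDs for daemon and jim are illustrative.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jim:x:1002:1002:Jim,,,:/home/jim:/bin/bash
raaj::0:0:::/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.issue}")
```

Run against a copy of /etc/passwd on a schedule or from file-integrity alerts, this catches the appended entry even when the account name is unfamiliar.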
Author: Ashray Gupta is a Security Researcher and Technical Writer at Hacking Articles, with 3 years in the field of security as a Penetration Tester and Forensic Computer Analyst.