Beast 2: Vulnhub Walkthorugh

Today we are going to take another CTF challenge Beast:2. The credit for making this VM machine goes to “Avraham Cohen” and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

1.      Scanning

·         NMAP

2.      Enumeration

·         Wireshark

3.      Exploitation

·         SSH

4.      Privilege Escalation

·         Exploiting Suid rights

Walkthrough:

Scanning:

Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.102 automatically from our local wifi network.

Then as usual we used our favorite tool Nmap for port scanning. We found that ssh is open and running two ports 22 and 65022.

nmap  -p- -A 192.168.1.102

We tried to ssh the target with port 65022 and found.  It working but we don’t have the username and password yet.

So our next step is to hunt the ssh username and password

Enumeration:

All we have got is ssh service enabled on the target machine and nothing else. So what we did is we started to capture traffic of the target machine using wireshark.

We tried different filters and found something useful with udp filter.

ip.addr==192.168.1.102 && udp

We checked with udp stream and two words got our attention whiteshark & whitepointer which could be the usernames for ssh.

In another captured data packet we found the password Ch@ndr!chthye$.

Exploitation:

So far we probably have got two usernames and one password.

We tried to ssh the target with both the usernames one by one but whitepointer & Ch@ndr!chthye$ combination worked for us and we were successfully able to login the target system.

After logging in we checked for sudo rights but the user was not a sudoer.

We also checked for the suid rights for any file and found  /usr/bin/root has suid set.

ssh whitepointer@192.168.1.102 -p 65022

find / -perm -u=s  -type  f 2 >/dev/null

Privilege Escalation:

To elevate to the root shell we will exploit the suid permissions of the /usr/bin/root file. Using the strings command  we found  root file is actually running the whoami command.

We used the path variable methodology to exploit the privileges of the root file. What we did is we created a new file named whoami indside /tmp directory and put /bin/bash inside it using echo command, then gave all privileges to it. We then exported the path.

To know more about Path Variable check our article on the same HERE

So after that once we executed the /usr/bin/root file we successfully got the root shell and then also the flag.txt as anticipated.

Cd /tmp

echo “/bin/bash” > whoami

chmod 777

export PATH=/tmp:$PATH

/usr/bin/root

Cd /root

Cat flag.txt