Today we are going to take another CTF challenge, Minu:v2. The credit for making this VM goes to “8bitsec”, and it is a boot2root challenge where we have to root the server and capture the flag to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1. Scanning
· Netdiscover
· NMAP
2. Enumeration
· Web Directory search
3. Exploitation
· Command Injection
· SSH
4. Privilege Escalation
· Exploiting Suid rights
Walkthrough:
Scanning:
Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.1.101 by using Netdiscover.
netdiscover
Then, as usual, we used our favorite tool Nmap for port enumeration. We found that ports 22 and 3306 are open, and we observed that an http service was running on port 3306.
nmap -A 192.168.1.101
Enumeration:
We found nothing useful on the index page, so we used dirb for brute forcing and found one directory with a .html extension.
We tried to access the URL and found that it is an upload page that accepts only .svg files as input.
So we took the help of Google to find a script in svg format which we could utilize for command injection.
After doing some research we found one such script, which we used to read the /etc/passwd file. We copied the script and saved it as a .svg file.
Exploitation:
We tried to upload the script file and it was uploaded successfully. After uploading, we checked the page source and got the output of the /etc/passwd file.
We came to know that the target has multiple users like employee, chrony, nobody etc.
We thought of exploring other commands using the same script.
Since the target machine is using the /bin/ash shell, we thought of checking the shell history file /.ash_history by editing the script file.
After editing, we uploaded the file and got some useful information from the history file, which gave us a username and a password.
So we tried to ssh into the target machine with the username employee and the password superultrapass3, which we got above, and were successfully able to log in.
After logging in, we checked for suid permissions for privilege escalation and got one file named micro, which turned out to be an editor tool.
find / -perm -u=s -type f 2>/dev/null
/usr/bin/micro
Privilege Escalation:
We tried to pipe the contents of the /etc/passwd file into the micro editor, where we can edit or add new users with root privileges.
cat /etc/passwd | /usr/bin/micro
We created the password for the new user using the openssl tool.
openssl passwd -1 -salt user3 pass123
After that we added the new user test and the hashed password with root privileges into the /etc/passwd file and saved it.
Once we had a user with root privileges, we switched to that user, successfully got a root shell, and eventually got the flag.
su test
id
cd /root
cat flag.txt
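From the defender's side, the /etc/passwd change made in this last step leaves two traces that are easy to check for: a second account with UID 0 and a password hash stored directly in /etc/passwd. The script below is an added example, not part of the original walkthrough; the function names and the sample entries (including the placeholder hash) are constructed for illustration.

```shell
#!/bin/sh
# audit_passwd FILE: print one finding per line for a passwd-format file.
# Exit status is 0 when the file is clean and 1 when anything was flagged.
audit_passwd() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        NF != 7 {                              # passwd entries have 7 fields
            printf "MALFORMED line %d\n", NR; bad = 1; next
        }
        # Any account other than root with UID 0 is a root-equivalent user.
        $3 == 0 && $1 != "root" { printf "UID0 %s\n", $1; bad = 1 }
        # Field 2 should be "x" (hash kept in /etc/shadow) or locked (* or !).
        $2 == "" { printf "EMPTYPW %s\n", $1; bad = 1; next }
        $2 != "x" && $2 !~ /^[*!]/ { printf "INLINEHASH %s\n", $1; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Constructed sample input (not copied from the target VM). The "test" entry
# mimics the kind of line added in the walkthrough; its hash is a placeholder.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/ash
employee:x:1000:1000:Linux User,,,:/home/employee:/bin/ash
test:$1$user3$CONSTRUCTEDPLACEHOLDERHASH:0:0:root:/root:/bin/ash
nobody:x:65534:65534:nobody:/:/sbin/nologin
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp) && sample_passwd > "$tmp"
audit_passwd "$tmp" || echo "findings above need review"
rm -f "$tmp"
```

On a real host, run `audit_passwd /etc/passwd` from a scheduled job and alert on a non-zero exit status.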