This VM, provided by VulnHub

Hello there, here I am again solving an old boot2root vulnerable VM from VulnHub.

Before going further, let me tell you that there is more than one way to get root on this VM; later on we will see one of them.

So, as always, the first thing I have to do is find the IP address of that system by using netdiscover. After that I fire up nmap to find open ports and services running on that system.

As you can see, only port 33447 is open and it runs an Apache server. Let's navigate to that IP and see what's in there; nmap has also found the /Challenge path.

OK, a login form which can be tested for SQLi, but first I want to do some directory fuzzing to see if there is any other interesting path, and the tool I use for that is Dirb.

New directories found. After navigating to them I found 2 interesting paths (include and cake), but I stick to the cake one, and here is why.

If you look at the title, it says /Magic_Box. It looks like a directory, right? So let's fuzz some more on that directory and see what comes up.

Two new directories found, low.php and command.php. Let's try the obvious one (command.php), which is vulnerable to RCE.

I’ve tried different things to get a shell on the box but everything fails: there is no wget installed on that box, I cannot pass a netcat either, and I cannot execute one-line shells (dunno why :/ ). So I was thinking about how I could exploit that vulnerability to get system access. After looking on Google and trying more things without success, a tutorial from a friend came to my mind. It was about Metasploit's web_delivery script. I had nothing to lose by giving it a try, and it actually works.

Here I noticed one more thing: if you select all the content on the page by using (Ctrl + A), you will be able to see the result on the page, which is hidden.

OK, now I have a meterpreter shell on the box and it's time for some enumeration and privilege escalation. First I want to find out what I am up against.

It is an Ubuntu 15.04 system and, as far as I remember, there is a local exploit for that.

I tried to use that exploit but it failed. So I had to dig around for any tip that could help me root the system. I navigated to different directories until I noticed a “weird” one (s.bin).

There is a file in there with the name investigate.php, and if you read it, it says that we have to behave like an investigator.

Sooo, more digging on the system, and I found MySQL credentials and dumped the database.

Aaaand more digging, until I went back to the first tip (investigator.php).

Looking around in almost every directory on the root path, I found the one I needed. It was a subfolder named raw_vs_isi in the sbin folder, and there is a pcap file in it which looks promising. I will download and analyze that file.

If we follow the first TCP stream we will get the results below. There are some things that look interesting, like saman and 1337hax0r; they could be a username and password, and I remember the word 1337hax0r appearing almost everywhere on the website.
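
What "follow the first TCP stream" does under the hood, as an added example that is not part of the original write-up: a small parser that groups the packets of a classic pcap file by conversation and returns the cleartext payload of the first one. The capture, addresses and chat text are constructed for illustration (not the file from the VM), and payloads are joined in capture order without sequence-number reassembly.

```python
import struct

def frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def tcp_streams(pcap):
    """Map each TCP conversation to its payload bytes, in capture order."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled")
    streams, off = {}, 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # skip anything that is not IPv4 + TCP
        tcp_off = 14 + (pkt[14] & 0x0F) * 4
        if len(pkt) < tcp_off + 20:
            continue  # truncated TCP header
        ip_end = 14 + struct.unpack_from("!H", pkt, 16)[0]
        sport, dport = struct.unpack_from("!HH", pkt, tcp_off)
        data = pkt[tcp_off + (pkt[tcp_off + 12] >> 4) * 4:ip_end]
        # Same key for both directions, like a "follow stream" view.
        key = tuple(sorted([(pkt[26:30], sport), (pkt[30:34], dport)]))
        streams.setdefault(key, bytearray()).extend(data)
    return streams

def first_stream_text(pcap):
    """Printable text of the first conversation seen in the capture."""
    first = next(iter(tcp_streams(pcap).values()), b"")
    return bytes(first).decode("ascii", "replace")

# Constructed sample: a cleartext chat plus one unrelated flow.
A, B, C = (10, 0, 0, 1), (10, 0, 0, 2), (10, 0, 0, 3)
SAMPLE = build_pcap([
    frame(A, B, 40000, 6667, b"hello, what is the login?\n"),
    frame(C, B, 40001, 80, b"GET / HTTP/1.1\r\n\r\n"),
    frame(B, A, 6667, 40000, b"user demo, pass Example123\n"),
])
```

Calling `first_stream_text(SAMPLE)` returns both sides of the first conversation as plain text, which is why credentials sent over unencrypted protocols should be treated as exposed to anyone who can read a capture.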

 

Finally, after using the findings from the pcap file, I got root access on the box.

That’s it for one more time.

It was a really fun VM with a lot of fuzzing I had to do; it confused me in some parts, but that's fine. I had a great time playing that VM.

Thanks to VulnHub for hosting these kinds of VMs.