Vulnhub: BTRSys v2.1 Boot2Root VM

Introduction

We’re going to look at the excellent BTRSys VM created by @ismailonderkaya and hosted by Vulnhub.
This was a really interesting VM, covering the entire lifecycle from remote user to achieving root. Let’s begin!

Recon

First up we check out the target using Nmap, which shows us that FTP, SSH and Apache are running on the box.
As always I’ll start by enumerating the HTTP service.

Nikto

Nikto shows that the attack surface here is reasonably limited but there is a WP installation there, so that’s a good place to start.

Dirb

Running a directory brute force scan with dirb highlighted a lot of other available directories mostly to do with WordPress, with one interesting one being named “upload”, but upon checking that in the browser it was a dead end.
Something to consider later if our opportunities dry up!
Moving on to the WP installation at http://192.168.56.105/wordpress, something in the style sheet is obviously broken.
After poking around for a while nothing of interest popped out so I started enumerating the wp-login.php page instead, and with minimal effort found a set of credentials which worked: admin:admin…

Web Shell

…which takes us to the standard WP dashboard. This is always a good opportunity to get a shell on a box as there are typically PHP templates which you can modify to suit your needs under Appearance->Editor!
So we’ll do just that, modifying the search-results template to serve up Pentest-Monkey’s awesome PHP reverse shell.
All that’s left to do now is start a netcat listener with “nc -lvp 1111” and then search for some garbage value on the blog (I chose asdfasdf 🙂).
Great, we have a shell on the box running as www-data.
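A defender-side check added here (it is not part of the original writeup): it baselines the SHA-256 of a theme's PHP files and reports anything added, removed or modified, which is exactly the trace an Appearance->Editor template change leaves, and it checks wp-config.php for the DISALLOW_FILE_EDIT constant that turns the dashboard editor off. The theme in demo() is a constructed sample.

```python
# Added example: file-integrity check for a WordPress theme directory plus a
# wp-config.php check for DISALLOW_FILE_EDIT. Not code from the original post.
import hashlib
import re
import tempfile
from pathlib import Path

def hash_tree(root: str, suffix: str = ".php") -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in Path(root).rglob("*" + suffix):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a stored baseline against a fresh scan of the same tree."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

# Matches define('DISALLOW_FILE_EDIT', true) with either quote style.
_DISALLOW = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.IGNORECASE)

def file_edit_disabled(wp_config_text: str) -> bool:
    """True if wp-config.php disables the dashboard theme/plugin editor (commented-out lines ignored)."""
    return any(_DISALLOW.search(line) for line in wp_config_text.splitlines()
               if not line.lstrip().startswith(("//", "#", "*", "/*")))

def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny theme is baselined, then one template is edited and one added."""
    with tempfile.TemporaryDirectory() as theme:
        files = {"style.css": "/* Theme Name: Sample */",
                 "index.php": "<?php get_header();",
                 "search.php": "<?php get_search_form();"}
        for name, body in files.items():
            Path(theme, name).write_text(body)
        baseline = hash_tree(theme)
        # Simulate what an edit made through the dashboard editor looks like on disk.
        Path(theme, "search.php").write_text("<?php /* changed */ get_search_form();")
        Path(theme, "404.php").write_text("<?php get_header();")
        return diff_baseline(baseline, hash_tree(theme))

if __name__ == "__main__":
    print(demo())  # {'added': ['404.php'], 'removed': [], 'modified': ['search.php']}
```

In practice the baseline would be stored off-host after a clean install and re-checked on a schedule, so a template rewritten from the dashboard shows up as "modified" rather than going unnoticed.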

Endgame

At this point I did the normal things to check for privilege escalation bugs:
  • Download unix-privesc-check from the attacker machine
    • This was a no-go because strings wasn’t installed on the victim box
  • Run a few commands from unix-privesc-check which don’t require strings
    • Such as – find / -type f -perm -04000 2>/dev/null
    • Found nothing interesting here either
  • Poked around directories manually looking for things
    • Found nothing interesting here either!
Ultimately I got the kernel version using uname -a and found a popular exploit for that version (I used this one)
Next challenge was that the box didn’t have GCC installed, so I needed to compile it on my attacker machine (gcc sploit.c -o sploit ; cp sploit /var/www/html) and pull the compiled binary onto the victim machine with wget.
Running the exploit gave me root (no drama, crashes or loss of shells).

Conclusion

This was a great VM, there were a few red herrings along the way to keep things interesting (FTP server, ‘upload’ directory etc.).
Many thanks to the creator!
