Jordan Infosec CTF 1 Boot to Root VM Walkthrough

Introduction

Sorry for the long delay in posting – life got a little busy over the past month or two. Today I’ll be posting my write-up of how to compromise the excellent Jordan Infosec CTF 1 VM created by @Banyrock.

This VM is more at the CTF end of the spectrum than a traditional Boot to Root, but that’s ok 🙂

Let’s get to it!

Host identification and Port Mapping

Let’s start by finding out which host on my network the VM lives on:

192.168.56.101 it is then 🙂 Let’s see what’s running on that host:

Another tiny attack surface, then. SSH and an Apache server! A few interesting things are disallowed in the robots.txt file, including a “/flag”... Sounds like our first flag!

HTTP Server

Navigating to the website’s homepage yields this form:

Nothing in the HTML gives anything away either and the form isn’t vulnerable to SQLi / didn’t fold under a quick brute force. Let’s see what /robots.txt contains:

Loads of interesting stuff here. Let’s go and take a look at /flag and hopefully get our first flag:

As expected, our first flag... too easy! Now we manually enumerate all of the other endpoints referenced in the robots.txt file.

/backup, /admin, /r00t, /uploads all yield a 404 error, /uploaded_files yields a blank screen but /admin_area gives us something interesting in the HTML:

How convenient… The credentials were hiding in the HTML. Along with our second flag file 🙂

Let’s chuck those credentials into the login page and start looking for our third flag.

Post-Login

After logging in we see a file upload page. Let’s see if we can upload a web shell and get our first shell on the box.

First step, create the shell:

Second step, upload the shell.

Third step, start the meterpreter listener.

Fourth step, navigate to /uploads

Fifth step, shell!
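From the defender’s side, the chain just walked through leaves a distinctive trail in the Apache access log: a client reads robots.txt, probes the paths it disallows, and then a freshly uploaded .php file under /uploads starts answering requests. The following is an added example (not part of the original post or the VM) that flags that sequence per client IP; the log lines, the attacker address 192.168.56.1 and the file name shell.php are constructed, and the disallowed paths are the ones the walkthrough lists.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample modelled on this walkthrough's attack chain.
SAMPLE_LOG = """\
192.168.56.1 - - [10/Jun/2018:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 312 "-" "curl/7.58.0"
192.168.56.1 - - [10/Jun/2018:10:00:05 +0000] "GET /flag HTTP/1.1" 200 48 "-" "curl/7.58.0"
192.168.56.1 - - [10/Jun/2018:10:00:09 +0000] "GET /admin_area HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Jun/2018:10:01:10 +0000] "POST /upload.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"
192.168.56.1 - - [10/Jun/2018:10:01:15 +0000] "GET /uploads/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jun/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.56.50 - - [10/Jun/2018:10:02:03 +0000] "GET /robots.txt HTTP/1.1" 200 312 "-" "Googlebot/2.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths the VM's robots.txt disallows (as listed in the walkthrough).
DISALLOWED = {"/flag", "/backup", "/admin", "/r00t", "/uploads", "/uploaded_files", "/admin_area"}
UPLOAD_DIR = "/uploads/"  # where the uploaded web shell was served from


def parse(log_text):
    """Yield (ip, method, path-without-query, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])


def find_webshell_chains(log_text):
    """Return {ip: evidence} for clients that, in order, read robots.txt, requested a
    disallowed path, and then got a 200 from a .php file inside the upload directory."""
    stage = defaultdict(int)       # 0 nothing, 1 robots.txt, 2 disallowed path, 3 php served
    evidence = defaultdict(list)
    for ip, method, path, status in parse(log_text):
        s = stage[ip]
        if s == 0 and path == "/robots.txt":
            stage[ip] = 1
        elif s == 1 and path in DISALLOWED:
            stage[ip] = 2
        elif s == 2 and path.startswith(UPLOAD_DIR) and path.endswith(".php") and status == 200:
            stage[ip] = 3
        else:
            continue
        evidence[ip].append(f"{method} {path}")
    return {ip: evidence[ip] for ip, s in stage.items() if s == 3}


if __name__ == "__main__":
    for ip, chain in find_webshell_chains(SAMPLE_LOG).items():
        print(f"possible web shell chain from {ip}: {' -> '.join(chain)}")
```

The ordering requirement is what keeps an ordinary crawler (second client above) from being flagged; on a real server the same check belongs alongside a rule that the upload directory never executes PHP at all.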

Now’s the hard bit, escalating from where we are to root.

Privesc

With our new fancy shell, running “ls” in the root of the web directory shows a file named “hint.txt”. Catting that file yields this output:

So that’s good news, we have another flag and a hint for where to find the next user!

After…50?… greps and finds where I tried to look only in hidden files, I eventually gave up and grepped the entire disk for a file containing “technawi”:

Line 3 looks interesting! Not a hidden file though, so my initial attempts to only find hidden files didn’t work :@

Credentials.txt contains:

Yay! Now we can SSH in and get the next (final?) flag!

After SSHing in as technawi and catting /var/www/html/flag.txt we get:

Done!

Conclusion

Great VM. Really good fun, quite straightforward to compromise. The hardest bit was finding technawi’s credentials, but it was worth the perseverance!
