CengBox 2 Vulnhub Walkthrough

CengBox: 2 Vulnhub Walkthrough | CengBox 2 Vulnhub Writeup | CengBox 2 Vulnhub Walkthrough

Today we are solving another vulnhub CTF cengbox: 2 is make by Arslan this is boot to root challenge our goal is find root flag in the /root directory.

Description CengBox 2

Looks like Ceng Company has site maintenance but there might be something that still works. In this VM you may learn a few new things such as enumeration, CVE, privilege escalation, and more. You will need everything that you found. Also, you will have to check the differences and guess some things.

Network Scanning

Let’s start with netdisocover arp scanning finding our target IP Addres.

In my case my target IP address is our next step is scanning ports and running service using the -sV ( service and Version ) parameter

our network scanning is complete and nmap output shows the target machine three ports are open 21/FTP 22/SSH and 80/HTTP running Apache HTTP server


we start with port 21 FTP manual enumeration try some common username and password first try ftp username and blank password and we see login successful message and we run the dir command it show all directory and files present directory.

we download the note.txt file our local system using get the command after download the file we go to our local system and reading the note.txt file

this note.txt file show hints like Author name and virtual hosts name first we add the domain name our /etc/hosts file and point with target IP address.

we navigate the domain our browser and we see a maintenance page

After reading the page source code and directory traversal and try some directory brute-forcing tool we can’t find any useful directory and file then we run fuzzing tool wfuzz for fuzzing all subdomain our target using the command

and we found a subdomain admin.ceng-company.vm again we add this subdomain our /etc/hosts file and point to same IP address then we navigate the URL in browser and we see forbidden directory listing restriction

again we run the directory brute-forcing tool and we discover a useful directory /gila but changing the URL parameter

we found an Gila CMS panel front page

go to the admin page here we try some default password after 5-7 try we successful login with administrator account

Let’s move the file-manager page and here we see a tmp directory first we delete the .htaccess file then we upload our php reverse shell.

our php shell is uploaded target tmp directory our next step is staring our net-cat listener then execute our shell using the curl command

Privilege Escalation

now we have www-data shell target machine for privilege escalation we run the sudo -l command and we found a runphp.sh bash script our current user run the script with swartz user privileges without asking password of swartz user

after reading the runphp.sh script we sure this command is run php with extra parameter -a means ( interactive ) after run the script we have php console simple we can bypass the interactive shell using php pcnt_exec command executing method.

our shell is upgrade with extara privilege swartz user we run the id command and we see our current user add another group developers

for enumeration we move the second home directory the we run the ls -lsa command and grep the output only developers groups file now we have reading permission every file .ssh directory

we open the id_rsa ssh key mitnick user and save the key our local machine this ssh key is encrypted with password first we convert the into hash formate then we run the password bruteforcing tool john using big word-lists file rockyou.txt

After 35 second we successfully crack the ssh key and we found a valid password for Mitnick user for more enumeration we run the find command with extra parameter file type and group permission and we found one interesting file update-motd.d/oo-header

Privilege Escalation updatemotd

this is Ubuntu introduced automatic script updatemotd this script is autorun by root any user connect with ssh service our now we have permission to edit the script simply we add adding suid bits permission bash command in this script using echo append >> method

we already crack the ssh key password mitnick user after adding key permission we login with mitnick user and we got our first user flag

After login with mitnick user our script is automatic run by root and we successfully adding permission find command to we can identified the find command permission

let’s run the privilege escalation command

finally we have root access target machine move the /root directory and we got our root flag root.txt.

Tre: 1 Vulnhub Walkthrough link

2 thoughts on “CengBox 2 Vulnhub Walkthrough”

  1. Great walkthrough sir , very well put togehter
    I having problem on last part , have try add ‘echo “sudo chmod u+x /usr/bin/find” ‘ to motd.d file 00-header
    The command is taken , but still when I login as mitnick i no have root creds ?
    Hel[p please brother

    • please try this command echo “sudo chmod u+s /usr/bin/find” >> /etc/update-motd.d/00-header because we set SUID Bits permission not execute permission

Comments are closed.

Exit mobile version