TenderFoot Vulnhub Walkthrough

In this post, we are going to solve another Vulnhub machine called TenderFoot. This is another boot-2-root challenge that you can download from Vulnhub.

Network Scanning

Let’s start with network scanning, discovering the target IP address.

sudo netdiscover

Now that we have the target machine's IP address, our next step is to scan it to find open ports and running services.

sudo nmap -A -p- 192.168.43.187

Only two ports are open on the target machine: 22/SSH and 80/HTTP, the latter running the Apache httpd service.

Enumeration

Let’s explore the IP in the browser.


After navigating to the target machine's IP, we saw the Apache2 Ubuntu web page, along with a hint that we need to run a directory enumeration tool.

Let's run gobuster to discover hidden files and web pages on the server.

wordlist="/opt/seclists/Discovery/Web-Content/directory-list-2.3-big.txt"

gobuster dir -u http://192.168.43.187 -w $wordlist -x .php,.txt,.js,/,.html

We found many hidden directories. Let's open each one in the browser to look for useful information.

http://192.168.43.187/entry.js

http://192.168.43.187/fotocd

First, we opened entry.js, where we saw the name monica. Next, we opened the fotocd directory, where we found a brainfuck-encoded string.


We decoded the brainfuck-encoded string online at <sange.fi>. The output gives a hint for the SSH login and contains a base64-encoded string, so let's decode it.

The decoded output is $99990$. Since we found the username monica, let's try to log in to the SSH server with these credentials.

ssh monica@192.168.43.187

Now we are logged in as monica, and in the user's home directory we found our first flag. Let's start enumerating to find some useful information.

ls
cat user1.txt |tail -n 9

Privilege Escalation

Without wasting time, we run the find command to list the binaries that have the SUID permission set.

find / -type f -perm -u=s 2>/dev/null

We found a custom-made binary. Let's execute it; our current user changes to chandler.

/opt/exec/chandler
cd /home/chandler
ls -la

We are now running as chandler, but we don't have many more permissions. Enumerating the home directory again, we found a base64-encoded key.

cd .cache/
ls
cat note.txt

We decoded the key and found another password. First we tried it for the root user, but the login failed. Then we tried it for chandler and successfully switched to that user.

su chandler
sudo -l

We check the sudo permissions again: our current user can run the ftp command with sudo. Let's run the privilege escalation command.

sudo ftp
!/bin/bash
cd /root
ls
cat proof.txt
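
For the defender's side of the two privilege-escalation steps above, the following added example (not part of the original post) flags SUID binaries outside the usual system directories and sudo rules for programs with a built-in shell escape. The directory list, the tool list beyond ftp, and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The lists below are assumptions to tune per host.

# Directories where packaged SUID binaries normally live.
SUID_OK_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"
# Interactive programs with a built-in shell escape (ftp's "!" is the one used in this post).
ESCAPE_TOOLS="ftp vi vim less more man"

# stdin: SUID file paths, one per line. stdout: paths outside SUID_OK_DIRS.
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        ok=0
        for d in $SUID_OK_DIRS; do
            case "$path" in "$d"/*) ok=1; break ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$path"
    done
}

# stdin: `sudo -l` output. stdout: allowed commands whose basename is in ESCAPE_TOOLS.
# Keeps rule lines "(runas) [TAG:] cmd, cmd", drops the runas spec and tags such as
# NOPASSWD:, then checks the first word of each comma-separated entry.
flag_sudo_escapes() {
    grep -E '^[[:space:]]*\(' |
    sed -E -e 's/^[[:space:]]*\([^)]*\)[[:space:]]*//' -e 's/[A-Z_]+:[[:space:]]*//g' |
    tr ',' '\n' |
    while read -r cmd _; do
        for t in $ESCAPE_TOOLS; do
            if [ "${cmd##*/}" = "$t" ]; then printf '%s\n' "$cmd"; fi
        done
    done
}

# Constructed sample input. On a live host, feed in the output of
# "find / -type f -perm -u=s 2>/dev/null" and "sudo -l" instead.
SUID_SAMPLE='/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/opt/exec/chandler'
SUDO_SAMPLE='User chandler may run the following commands on target:
    (ALL : ALL) /usr/bin/ftp
    (root) NOPASSWD: /bin/ls, /usr/bin/less /var/log/syslog'

printf 'Unexpected SUID binaries:\n'
printf '%s\n' "$SUID_SAMPLE" | flag_suid
printf 'sudo rules that allow a shell escape:\n'
printf '%s\n' "$SUDO_SAMPLE" | flag_sudo_escapes
```

Anything either function prints deserves a review: a SUID file under /opt is not installed by the package manager, and a sudo rule for an interactive client hands its shell escape to the user as root.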


About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
