TenderFoot Vulnhub Walkthrough

In this post, we are going to solve another Vulnhub machine called TenderFoot. This is another boot-to-root challenge you can download from Vulnhub.

Network Scanning

Let’s start with network scanning to discover the target IP address.


Now that we have the target machine’s IP address, our next step is to scan it and find the open ports and running services.

Only two ports are open on the target machine: 22 (SSH) and 80 (HTTP), the latter running the Apache httpd service.

Enumeration

Let’s explore the IP in the browser.


After navigating to the target machine’s IP we saw the default Apache2 Ubuntu web page, along with a hint that we need to run a directory enumeration tool.

Let’s run gobuster to discover hidden files and web pages on the server.


We found many hidden directories. Let’s open every directory in the browser to find some useful information.

First, we open entry.js; on this web page we saw the name monica. Next we open the fotocd directory, where we found a Brainfuck-encoded string.


We decode the Brainfuck-encoded string online at <sange.fi>; the output gives a hint for the SSH login, and in it we found a base64-encoded string. Let’s decode it.

The decoded output is $99990$. Since we already found the username monica, let’s try to log in to the SSH server using these credentials.


Now we are logged in as the monica user, and in the user’s home directory we found our first flag. Let’s start enumerating to find some useful information.

Privilege Escalation

Without wasting our time, we execute the find command to obtain a list of binaries that have the SUID permission set.

We found a custom-made binary file. Let’s execute it; our current user is changed to the chandler user.


We are now logged in as the chandler user, but we don’t have many more permissions. Again we enumerate the target’s home directory, and we found a base64-encoded key.

We decode the key and find another password. First we try this password for the root user, but we fail to log in as root; then we try it for chandler and successfully change our current user.

Again we check the sudo permissions: our current user can run the FTP command with sudo. Let’s run the privilege escalation command.
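The two checks that carried this box, a stray SUID binary and a sudo rule on a binary with a built-in shell escape, are the same ones an administrator can run to catch the misconfiguration first. The script below is an added example and not part of the original walkthrough; the directory list it scans and the sudoers line it is tested against are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): a defender-side audit for
# the two weaknesses that handed over chandler and then root on TenderFoot.

# List SUID files outside the normal system binary/library paths, so a custom
# binary dropped in a home or data directory stands out. Arguments: directories.
find_unexpected_suid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null \
      | grep -Ev '^/(usr/)?(s?bin|lib|lib64|libexec)/'
}

# Report sudo rules (sudoers text on stdin) that grant a binary with a shell
# escape; ftp is the one that mattered here. Extend RISKY_BINS to local policy.
RISKY_BINS='ftp|vi|vim|less|more'
risky_sudo_rules() {
    grep -Ev '^[[:space:]]*(#|$)' \
      | grep -E "(^|[[:space:],/])($RISKY_BINS)([[:space:]]|$)"
}

# Usage on a live host: scan the places a home-grown SUID helper tends to live,
# then check sudoers (readable only by root, so run the audit as root).
find_unexpected_suid /home /opt /srv || true
if [ -r /etc/sudoers ]; then
    risky_sudo_rules < /etc/sudoers || true
fi
```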
