In this post, we are going to solve another VulnHub machine called TenderFoot. This is another boot-2-root challenge that you can download from VulnHub.
Let’s start with network scanning, discovering the target IP address.
Now that we have the target machine’s IP address, our next step is to scan it and find the open ports and running services.
sudo nmap -A -p- 192.168.43.187
Only two ports are open on the target machine: 22/SSH and 80/HTTP, the latter running the Apache httpd service.
Let’s explore the IP in the browser.
After navigating to the target machine IP, we see the Apache2 Ubuntu default page along with a hint that we need to run a directory enumeration tool.
Let’s run gobuster to discover hidden files and web pages on the server.
wordlist="/opt/seclists/Discovery/Web-Content/directory-list-2.3-big.txt"
gobuster dir -u http://192.168.43.187 -w "$wordlist" -x .php,.txt,.js,/,.html
We found many hidden directories. Let’s open each one in the browser to look for useful information.
First, we open entry.js, where we see the name monica. Next, we open the fotocd directory, where we find a brainfuck-encoded string.
We decode the brainfuck-encoded string online at <sange.fi>. The output gives a hint for the SSH login, and it also contains a base64-encoded string. Let’s decode it.
The decoded output is $99990$. Since we found the username monica, let’s try to log in to the SSH server using these credentials.
Now we are logged in as the monica user, and in the user’s home directory we find our first flag. Let’s start enumerating to find some useful information.
ls
cat user1.txt |tail -n 9
Without wasting time, we run the find command to list the binaries that have the SUID bit set.
find / -type f -perm -u=s 2>/dev/null
We found a custom-made binary. Let’s execute it; our current user changes to the chandler user.
/opt/exec/chandler
cd /home/chandler
ls -la
We are now running as the chandler user, but we don’t have many more permissions. We enumerate the user’s home directory again and find a base64-encoded key.
cd .cache/
ls
cat note.txt
We decode the key and find another password. First, we try this password for the root user, but the login fails. Then we try it for chandler and successfully change our current user.
su chandler
sudo -l
Again we check the sudo permissions: our current user can run the ftp command with sudo. Let’s run the privilege escalation command.
sudo ftp
!/bin/bash
cd /root
ls
cat proof.txt
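The last step works because ftp has a built-in shell escape, so a sudo rule for it amounts to a root shell. As an added example (not part of the original walkthrough), the script below reads `sudo -l` output and flags such rules so they can be removed; the binary list and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules for programs that offer a shell escape.
# ESCAPE_BINS is a short illustrative list (an assumption), not a full catalogue.
ESCAPE_BINS="ftp vi vim less more man awk find nmap perl python3"

# Constructed sample of `sudo -l` output; host name and rules are made up.
SAMPLE_SUDO_L='User chandler may run the following commands on host:
    (ALL : ALL) /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/id, /usr/bin/less /var/log/syslog'

# Reads `sudo -l` output on stdin and prints one finding per risky command.
audit_sudo_rules() {
    awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /^[ \t]*\(/ {                                   # rule lines start with "(runas)"
        line = $0
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)     # drop the run-as specification
        auth = "PASSWD"                             # sudo default: password required
        m = split(line, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            c = cmds[j]
            # Leading tags (NOPASSWD:, SETENV:, ...) apply to the commands after them.
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                if (c ~ /^NOPASSWD:/) auth = "NOPASSWD"
                else if (c ~ /^PASSWD:/) auth = "PASSWD"
                c = substr(c, RLENGTH + 1)
            }
            split(c, words, " ")                    # words[1] is the command path
            if (words[1] == "ALL") { print "CRITICAL ALL " auth; continue }
            k = split(words[1], parts, "/")         # parts[k] is the base name
            if (parts[k] in risky) print "RISKY " words[1] " " auth
        }
    }'
}

# On a real host: sudo -l -U chandler | audit_sudo_rules   (run as root)
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_rules
```

Any RISKY line is a rule to remove or replace with a narrowly scoped wrapper, since restricting the arguments does not disable the program's shell escape.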