boot2root machine for FIT and bsides guatemala CTF
This room involves ssh brute-forcing, using python payload for privilege escalation, and playing around with the permission that a low-privileged user has. This walkthrough is written as a part of the Masters's Certificate in CyberSecurity(Red team ) that I am pursuing from HackerU.
Running a nmap scan to list out all the open ports and services. We see that we have 2 open ports ( 22,80)
nmap -sS -sV -S <IP>
Now that we have port 80 open that means we must have a webpage.
It gave us a hint as rockyou.txt is a dictionary used for brute-forcing. So now we know that we might need to use brute-forcing somewhere.
Looking around saw a user by the name of meliodas which might be a username for ssh service which is running on port 22. Using hydra to brute force ssh using the wordlist rockyou.txt
hydra ssh://<IP> -l meliodas -P /usr/share/wordlists/rockyou.txt
We found the password for user meliodas , iloveyou1
Using the credentials to ssh into the machine.
Looking around and found the first flag i.e. user.txt
Checking for the permission we have
we see that user meliodas can run a specific file called bak.py using python. but when we try to run it, it gives an error
Checking the bak.py file we see that it is trying to work with a ZIP file but when I checked the file it was an empty zip file.
So I tried running a simple python oneliner for privileges escalation which would have worked easily but here we not allowed to run that command.
So instead of running this command explicitly in the terminal, I added it to the bak.py that we are allowed to execute. The bak file did not have write permissions do we have to delete the original bak.py file and create another file with the same name and add this payload in that file.
And VOILA!!! we can escalate to root privileges . One thing that we have to keep in mind is that we have to give the full path of both the python directory and the bak.py directory.
If you found this helpful consider leaving some claps :)