Another fun-looking boot2root vulnhub VM that came out in last month’s large batch release! This one is supposedly inspired by the author failing the first OSCP attempt (maybe it will offer clues so I won’t meet a similar fate later this month?).
Let’s start off with the usual scan to confirm the target’s IP assigned on the network.
nmap 192.168.111.0/24 -sP
No more messing around with quick host/service enumeration scans. We’ll go straight for an all available port scan this time to make sure nothing is missed.
nmap 192.168.111.100 -O -sV -p- -T4
Let’s kick things off by going to the webserver in a browser.
Within the main page there are only two clickable (broken) links:
I probed through the source for the page a little bit and found:
- A hamburger (mobile) menu button PNG encoded in base64 (unsure why)
- A path reference to “../../../../../libs/templates/silex-templates/online-service/assets/background_header.jpg”. May be nothing, but it might be possible to break out and travel up directories?
I played with both for a while but they seemed to be a dead end.
Time to fire up dirbuster to see what we can enumerate outside of the main index.html (probably at least some sort of admin page for MySQL). Using the built-in wordlist of /usr/share/dirbuster/directory-list-2.3-medium.txt, I did a recursive scan of directories:
Lots of possibilities here to take a look at but let’s start with the phpmyadmin login page:
I tried a variety of combinations (admin/admin, admin/[blank], some SQL injection attempts), but other than getting an error when entering a blank password, I kept seeing the above failure instead of the standard “invalid login/password” message. Let’s check around elsewhere to see if we can find clues on the possible username/password.
Looking at http://192.168.111.100/wp yielded an empty directory listing, but /wordpress/ gave me an actual site:
I tried “togie” in multiple combinations on the admin login page but no luck there. I tried SQL injection again this time with the search function on the /wordpress/ site, but no luck there either. There was a comment on the main blog entry by “Admin”, but I didn’t find anything else of note here.
Let’s take a break from php for now and take a look at some of the other available services. I don’t often see IRC servers running so let’s try connecting to that and see if there is any interesting recent post history.
I was able to successfully connect to the service, but there are no active channels. I do get the current version of “InspIRCd-2.0” so it’s possible at this point we could search for IRC server exploits, but let’s move on to the other services.
Let’s check SAMBA for any possible open shares. Trying smb://192.168.111.100/ gets me in just fine with anonymous credentials and I’m able to navigate to /share$/ and view the following contents which look suspiciously similar to the webserver contents we found in dirbuster:
Looking at “deets.txt” we get a password!
Let’s try it with the phpmyadmin site…both “admin” and “togie” unfortunately failed. There’s an SSH server running, so let’s try that instead?
That worked! Do I see sudo privileges?
Sure do! There’s my root flag.
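From the defender's side, the finding that unlocked this box was the Samba share that accepted anonymous access. The following Python is an added example (not part of the original walkthrough and not the VM's real configuration) that audits an smb.conf for shares reachable as guest; the sample config, its paths and the web-root prefixes are assumptions.

```python
TRUE = {"yes", "true", "1"}
WEB_ROOTS = ("/var/www", "/srv/www")               # assumed web-root prefixes
# Constructed sample config: only the share name "share$" comes from the walkthrough.
SAMPLE = """
[global]
   map to guest = Bad User
[print$]
   guest ok = no
[share$]
   path = /var/www/html/
   public = yes
   writeable = yes
[backup]
   path = /srv/backup
   guest ok = yes
"""

def parse(text):
    """Parse smb.conf text into {section: {param: value}}, normalising synonyms."""
    conf, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and cur is not None:
            key, val = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in ("writable", "writeable", "write ok"):   # inverted "read only"
                key, val = "read only", "no" if val.lower() in TRUE else "yes"
            cur["guest ok" if key == "public" else key] = val
    return conf

def audit(text):
    """Return {share: [issues]} for every share reachable without credentials."""
    conf = parse(text)
    defaults = conf.pop("global", {})              # [global] values are share defaults
    report = {}
    for share, opts in conf.items():
        eff = {**defaults, **opts}
        if eff.get("guest ok", "no").lower() in TRUE:
            issues = ["guest access"]
            if eff.get("read only", "yes").lower() not in TRUE:
                issues.append("guest-writable")
            if eff.get("path", "").startswith(WEB_ROOTS):
                issues.append("path under web root")
            report[share] = issues
    return report

print(audit(SAMPLE))
```

Any share flagged with both guest access and a path under the web root deserves a manual review for files like the “deets.txt” found here.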