Open in app

Sign in

Write

Sign in

Hack the Basic Penetration VM (Boot2Root Challenge)

Cyber Goddess
4 min readOct 14, 2022

--

Today we are going to take another CTF challenge known as Basic Penetration. The credit for making this VM machine goes to “Josiah Pierce” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.

Security Level: Beginner

Penetrating Methodology:

1.Scanning

  • Netdiscover
  • NMAP

2.Enumeration

  • Web Directory search
  • Credential harvesting

3.Exploiting

  • Metasploit shell upload
  • sh

4.Privilege Escalation

  • Exploit Sudo rights

Walkthrough:

Scanning:

Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.1.100 by using Netdiscover.

netdiscover

Then we used Nmap for port enumeration. We find that port 21(ftp), 22(ssh) and 80 are open on the target.

nmap -A 192.168.1.100

Enumeration:

As we can see port 80 is open, so we tried to open the IP address in our browser but we didn’t find anything on the webpage.

So we used dirb for directory enumeration.

dirb http://192.168.1.101

After bruteforcing with dirb we found a directory named /secret

Now we tried to open it in our browser. We came to know that the website is a WordPress site.

We tried to open the admin page 192.168.1.100/secret/wp-admin but it wouldn’t open and we got redirected to the URL which you can see in the screenshot

Then we added vtcsec to the hosts file.

Now we were able to access the admin page.

Exploiting:

We tried some basic credential combinations used in WordPress and found admin: admin was working for us.

Then we used Metasploit to upload admin shell into the target using the above credentials and wait for a meterpreter session.

use exploit/unix/webapp/wp_admin_shell_upload
set username admin
set password admin
set targeturi /secret/
set rhosts 192.168.1.100
run

We successfully got a meterpreter session.

We then uploaded LineEnum.sh script to check if password hashes are stored in /etc/passwd and also attempt to read restricted file i.e. /etc/shadow.

Here we can see the /etc/shadow has read-only permission.

After opening the /etc/shadow file we can see there is a user with the name marlinspike

We downloaded this shadow file into our local system and used John the Ripper to crack the password.

We found the password for the user marlinspike is marlinspike

Privilege Escalation

Now we log in as marlinspike.

We checked the sudoers list and found that we have all the access as root, so we did sudo as superuser.

Great! We have successfully completed our challenge as we able access the target as a root user.

su marlinspike
sudo –l
sudo su
id

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Ctf
Boot2root
Vulnhub
Taniya
Pentesting

--

--

Cyber Goddess
Cyber Goddess

Written by Cyber Goddess

6 Followers
1 Following

Cyber Security Researcher | Vlogger

No responses yet

Write a response

What are your thoughts?

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams