Hey folks!! Today I’m going to solve another boot2root challenge, HackSudo 1, created by Vishal Waghmare. There is no description for this VM, but I’ll rate it as super easy. Here is the link to download the VM: https://www.vulnhub.com/entry/hacksudo-1,650/
1.) Target Discovery with netdiscover.
└─$ sudo netdiscover -i wlan0
With the help of the netdiscover command, I got the IP address of my target machine, which is 192.168.1.7.
2.) Port Scanning and Service Detection With NMAP
The Nmap result shows that there are three ports open: 2222, 80 and 8080. SSH is running on port 2222, a web server on port 80, and Apache Tomcat on port 8080.
3.) Web Enumeration
Let’s hit the IP address in the browser to see the web application.
Well, it seems like a normal web application, so for now I’ll move to the next port, which is 8080.
On port 8080 Apache Tomcat is running. I tried the default credentials for Apache Tomcat, which are tomcat:s3cret, but I was not able to log in.
4.) Initial Footholds
When I passed admin as the user and admin as the password, I logged in successfully.
Now that I have access to the Apache Tomcat application manager, it’s time to upload an msfvenom-generated WAR file reverse shell.
I generated a revershell.war file with msfvenom and uploaded it as you can see in the image below.
After that I started the msfconsole listener to listen on port 9999.
After starting the listener I clicked the application link on the web server and I got a quick meterpreter reverse shell.
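From the defender's side, the admin:admin login above is exactly what a configuration audit should catch before the Manager app is exposed. The following is an added example, not part of the original write-up or the VM author's code: it checks a `tomcat-users.xml` for accounts that can deploy applications and have guessable passwords. The sample file, the weak-password list and the function name are constructed for illustration, and it assumes passwords are stored in plaintext in the file.

```python
import xml.etree.ElementTree as ET

# Tomcat Manager roles that allow deploying applications (WAR upload).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Illustrative weak-password list (assumption); replace with your own policy.
WEAK_PASSWORDS = {"admin", "tomcat", "s3cret", "password"}

def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for deploy-capable accounts."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for elem in root.iter():
        # Drop the optional namespace prefix: "{http://tomcat.apache.org/xml}user"
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        name = elem.get("username", "")
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & DEPLOY_ROLES:
            continue  # account cannot deploy, out of scope for this check
        if not password:
            findings.append((name, "empty password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((name, "password on weak list"))
    return findings

# Constructed sample input, not taken from the HackSudo VM.
SAMPLE = """
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="deployer" password="s3cret" roles="manager-script"/>
  <user username="monitor" password="monitor" roles="manager-status"/>
  <user username="ops" password="constructed-Long-Value-91" roles="manager-gui,admin-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"[!] {user}: {reason}")
```

Any finding here means the Manager application should not be reachable from untrusted networks until the credential is changed.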
5.) Privilege Escalation
To escalate privileges, I ran the find command to list the SUID binaries on the server, and I saw that the time binary has the SUID bit enabled.
With the help of the time binary, I got a root shell.
Time to grab the root flag.