Infovore Walk-through

Sarthak joshi
3 min read · Aug 30, 2020

In this article we are going to solve another boot2root challenge: a new machine called Infovore. You can download the machine here: https://www.vulnhub.com/entry/infovore-1,496/

Target discovery with nmap

# nmap -sn 192.168.43.1/24

Service detection and port scanning with nmap

# nmap -vv -sV -p- 192.168.43.225

We have only one open port, i.e. 80, so now it's time for directory brute-forcing with dirb.

# dirb http://192.168.43.225

We found two index files: one in HTML format and another in PHP format.

Both index.html and index.php look the same.

Since we found an index.php, I ran wfuzz to fuzz some keywords against it.

# wfuzz -c -w /opt/wordlist/dirb/directory-list-2.3-medium.txt --hw 382 -u "http://192.168.43.225/index.php?FUZZ=/etc/passwd"

Great, we found a “filename” parameter on the index.php file, i.e. there is an LFI vulnerability. Let's try to include the /etc/passwd file.

Well, we can. After a lot of thinking and searching, I found a script to get RCE with phpinfo and LFI. To run this script, I made some basic changes to get a reverse shell.
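Seen from the web server's side, the parameter fuzzing and the “filename” include above leave a recognisable trail in the access log. The following Python is an added example, not part of the original write-up: the log lines are constructed, and the names analyse, REQUEST, LFI_VALUE and the threshold of three parameter names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (common log format); not captured from the target.
SAMPLE_LOG = """\
192.168.43.10 - - [30/Aug/2020:10:00:01 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 4743
192.168.43.10 - - [30/Aug/2020:10:00:01 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 4743
192.168.43.10 - - [30/Aug/2020:10:00:02 +0000] "GET /index.php?filename=/etc/passwd HTTP/1.1" 200 6021
192.168.43.77 - - [30/Aug/2020:10:05:00 +0000] "GET /index.php?filename=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 6021
192.168.43.50 - - [30/Aug/2020:10:06:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 4743
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Parameter values that name a local file: absolute system paths,
# ../ traversal, or PHP stream wrappers.
LFI_VALUE = re.compile(
    r'^(?:/(?:etc|proc|var|tmp|home|root)/|(?:\.\./)+|(?:php|file|data|expect)://)',
    re.IGNORECASE,
)

def analyse(log_text, fuzz_threshold=3):
    """Return (lfi_hits, fuzzers).

    lfi_hits: (client, path, parameter, decoded value) per suspicious request.
    fuzzers:  {(client, path): parameter names} for clients that tried a
              file-like value under at least fuzz_threshold parameter names.
    """
    lfi_hits = []
    names_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # parse_qsl percent-decodes, so ..%2F..%2F is checked as ../../
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if LFI_VALUE.match(value):
                lfi_hits.append((client, url.path, name, value))
                names_seen[(client, url.path)].add(name)
    fuzzers = {k: sorted(v) for k, v in names_seen.items() if len(v) >= fuzz_threshold}
    return lfi_hits, fuzzers

if __name__ == "__main__":
    hits, fuzzers = analyse(SAMPLE_LOG)
    for hit in hits:
        print("LFI attempt:", hit)
    for (client, path), names in fuzzers.items():
        print(f"parameter fuzzing from {client} on {path}: {names}")
```

The real fix is in the application: index.php should map the “filename” value onto a fixed allow-list of files instead of passing it to include.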

Now that we've changed the required things, it's time for the reverse shell. I opened port 443 on my local machine to catch the reverse shell, and as soon as I ran the exploit I got the reverse shell.

After some enumeration I found an SSH key named “.oldkeys.tgz”, so I simply transferred it to my local machine, where we can crack the password.

Now we have successfully transferred that file to our local machine, and it's a tar file.

# tar -xvf oldkeys.tgz

We found two files: one is root and the other is root.pub.

So I used the ssh2john tool on the root file (you can get this tool from GitHub).

# python ssh2john /root/Desktop/root >passwd

Now it's time for password cracking with John the Ripper.

# john -wordlist=/opt/wordlist/password/rockyou.txt passwd

Hurray, we found the root password, i.e. “choclate93”. Now we move on to get root privileges.

As you can see, we are root now, and we have to read the root.txt file located in the /root/ directory.

So we successfully completed the boot2root challenge. I hope you've learned something from this.
