This will be a walkthrough of unknowndevice64, a boot2root CTF virtual machine available on VulnHub. Boot2root CTFs are a good platform to learn web application, network and operating system penetration testing in one place. Many of these virtual machines carry vulnerabilities that turn up in real-life systems, so they are a practical way to learn current attack methods.
After setting up the virtual machine in VirtualBox, we need to discover its IP address first. I attached it to a host-only network in VirtualBox (192.168.56.0/24), so I ping sweep that network (a host discovery scan, no port scan yet) with Nmap to find the target.
Here, 192.168.56.100 is the IP address of the VirtualBox DHCP server and the remaining address belongs to my host machine's own host-only adapter (192.168.56.1 on a default VirtualBox host-only network). So I confirm the target's IP to be 192.168.56.102. Next up, a port scan.
This reveals an SSH server on port 1337 and an HTTP server on port 31337. Both services sit on non-standard ports, which is a reminder to scan the full port range (all 65535 ports) rather than rely on a default top-ports scan; a service-version scan against the two open ports confirms what is listening on them. Let's enumerate the HTTP server first.
Nice homepage, I must say. Anyway, viewing the source gives us this.
I guessed it must be the name of a file present in the web root, and thus I try to visit it from my browser.
Now “hidden secrets” indicates some sort of information hidden in the image itself. Also, the file name is “key_is_h1dd3n”, which indicates that a passphrase is needed to view the hidden information and that the passphrase is “h1dd3n”. I fire up steghide and extract the embedded data using this passphrase (steghide extract -sf <image> -p h1dd3n).
That looks like nonsense, doesn't it? It is actually a program in Brainfuck, an esoteric programming language with only eight single-character commands (< > + - . , [ ]). I look up an online interpreter for BF and paste the program into it. One caveat worth keeping in mind: pasting data recovered during an engagement into a third-party website hands that data to whoever runs the site, so outside of a CTF an offline interpreter is the better choice.
Okay. Credentials are commonly written as a username and a password separated by a colon, and this output has exactly that shape (ud64 : 1M!#64@ud). But where do I use them? Remember the SSH server from earlier? This might be a login for the machine. So I try to log in over SSH, remembering that the server listens on port 1337 rather than the default port 22.
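To keep the decoding step offline, here is a small Brainfuck interpreter, added as an example for this walkthrough; it is not code from the original post. It assumes the usual 8-bit wrapping tape that online interpreters implement, and the sample programs embedded in it (the canonical "Hello World!" and a round-trip through a toy encoder) are constructed for illustration, not the program extracted from the VM's image. Feed it the bytes steghide extracted and it prints whatever the program writes to stdout.

```python
"""Offline Brainfuck interpreter (added example, not from the original post).

Assumptions: 8-bit wrapping cells, a tape that grows to the right, EOF on
',' reads as 0, and a step limit because the decoded payload is untrusted.
"""

BF_COMMANDS = set("<>+-.,[]")


def match_brackets(code: str) -> dict:
    """Map every '[' to its matching ']' and back; raise on imbalance."""
    pairs, stack = {}, []
    for pos, ch in enumerate(code):
        if ch == "[":
            stack.append(pos)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {pos}")
            start = stack.pop()
            pairs[start], pairs[pos] = pos, start
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def run_brainfuck(code: str, stdin: bytes = b"", max_steps: int = 10_000_000) -> str:
    """Execute a Brainfuck program and return everything it writes to stdout.

    Characters that are not commands are treated as comments.
    """
    code = "".join(ch for ch in code if ch in BF_COMMANDS)
    jumps = match_brackets(code)
    tape, ptr, pc, inp, steps = bytearray(30_000), 0, 0, 0, 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program may not terminate")
        ch = code[pc]
        if ch == ">":
            ptr += 1
            if ptr >= len(tape):
                tape.extend(bytes(len(tape)))  # grow the tape on demand
        elif ch == "<":
            if ptr == 0:
                raise IndexError("tape pointer moved left of cell 0")
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif ch == ".":
            out.append(tape[ptr])
        elif ch == ",":
            tape[ptr] = stdin[inp] if inp < len(stdin) else 0  # EOF -> 0
            inp += 1
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]  # jump past the matching ']'
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]  # jump back to the matching '['
        pc += 1
    return out.decode("latin-1")


def encode_brainfuck(text: str) -> str:
    """Naive encoder: step one cell up or down to each byte, then print it.

    Only here to build a round-trip check for run_brainfuck.
    """
    out, cur = [], 0
    for b in text.encode("latin-1"):
        delta = b - cur
        out.append("+" * delta if delta >= 0 else "-" * -delta)
        out.append(".")
        cur = b
    return "".join(out)


# Constructed sample: the canonical "Hello World!" program, not the VM's payload.
HELLO_WORLD = (
    "++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
    ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++."
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python bf.py extracted_file
        with open(sys.argv[1], "rb") as fh:
            print(run_brainfuck(fh.read().decode("latin-1")), end="")
    else:
        print(run_brainfuck(HELLO_WORLD), end="")
        print(run_brainfuck(encode_brainfuck("user:pass")))
```

The bracket table is built once up front, so an unbalanced program fails before it runs rather than looping forever, and the step limit means a malicious payload cannot pin a CPU; both matter when the input came out of a file you did not create.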
Escalating to a shell
Sweet. Now we have a shell, but we immediately notice that this is not ‘bash’, the usual shell, but ‘rbash’, a restricted version of it. Restricted shells are handed out when a user needs shell access but the system administrator wants to limit them to the few commands essential for their task: among other things, rbash refuses to change directory, to run commands containing a slash, to change PATH, or to redirect output. Now we need to know which commands are available to us.
I am using ‘echo *’ as a workaround for ‘ls’, as ‘ls’ is restricted; it works because filename globbing is done by the shell itself, not by an external program. I examine the PATH environment variable, which decides which commands I can execute. It points at a folder called ‘prog’ in my home directory, which contains the programs I am allowed to run. I again use ‘echo’ to list the contents of the ‘prog’ directory, and determine that I can run the ‘vi’ editor.
‘vi’ has a feature that allows you to execute arbitrary commands, so it may be helpful for breaking out of the restricted shell and getting a full shell. The restrictions apply to the rbash process, not to the programs it launches, so a shell started from inside ‘vi’ is an ordinary one. The key sequence to execute commands in ‘vi’ is: :!/bin/bash (colon, exclamation mark, followed by the command you want to execute). If ‘:!’ were disabled, ‘:set shell=/bin/bash’ followed by ‘:shell’ achieves the same thing.
Cool! Now we have an unrestricted shell. The next step is to elevate privileges to that of root, and it’s game over!
Note: After breaking out of a restricted shell, you should reset the PATH variable like I did above, because the new shell inherits the old environment and PATH still points only at ‘prog’; set it to the normal system directories (e.g. /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin) so that you can access all the commands, instead of a limited subset.
Okay, the first and most obvious thing to do is to determine what commands I can run as root, which ‘sudo -l’ lists.
Okay, we can execute some command named ‘sysud64’. What is this?
When I tried the help menu for this command, I noticed from the help message that it is actually ‘strace’ under a different name. ‘strace’ is a debugging tool: it runs a program and monitors every system call the program makes to the kernel, printing verbose information each time one happens. Because sudo lets me run it as root, anything strace launches also runs as root. I decide to make ‘strace’ run the bash shell. It immediately spews an avalanche of text on my screen (strace can write the trace to a file with ‘-o’ instead of the terminal, which would have spared me this). Nevertheless, I'm sure that I already have a root shell!
Although I have successfully compromised the machine already, I want a backdoor command that gives me a root shell whenever I execute it, because the strace output is really annoying me. To achieve this, I copy the ‘sh’ shell to ‘/tmp’ from the root shell, so that the copy is owned by root, and set the SUID bit on it, which tells the operating system to run the program with the privileges of the file's owner (root) regardless of who executes it. Two caveats a practitioner should check: if ‘sh’ is actually bash, it drops the elevated privileges on start-up unless run with ‘-p’, and on some systems ‘/tmp’ is mounted ‘nosuid’, in which case the bit is ignored and the copy has to live elsewhere.
Capturing the flag
The flag is at /root/flag.txt
This was an easy VM but was real fun to play with. Shoutout to Ajay Verma (https://ud64.com/) for making this VM!