unknowndevice64 – Boot2Root CTF Write-Up

Intro

This will be a walkthrough of unknowndevice64, a boot2root CTF virtual machine available on VulnHub. Boot2root CTFs are a good platform to learn web application, network, and operating system penetration testing all in one place. Many of these virtual machines contain vulnerabilities that can be found in real-life scenarios, which makes them a practical way to learn current attack techniques.

Information Gathering

After setting up the virtual machine in VirtualBox, we first need to discover its IP address. I assigned it to a host-only network in VirtualBox (192.168.56.0/24), so I run an Nmap ping scan of that network to find the host.

NMap scan of the network

Here, 192.168.56.100 is the IP address of the DHCP server and 192.168.56.1 is the IP address of my host machine, so I confirm the target's IP to be 192.168.56.102. Next up, a port scan.

Full port-scan of the target

This reveals an SSH server on port 1337 and an HTTP server on port 31337. Let's enumerate the HTTP server first.

Homepage of http://192.168.56.102:31337/

Nice homepage, I must say. Anyway, viewing the source gives us this.

HTML comment indicating a hidden file

I guessed it must be the name of a file in the web root, so I try to open it in my browser.

Image saying “hidden secrets”

Now "hidden secrets" suggests that some information is hidden inside the image itself. The file name, "key_is_h1dd3n", also suggests that a key is needed to view the hidden information and that the key is "h1dd3n". I fire up steghide and extract the hidden data using this key.

Hidden information in image

That looks like nonsense, doesn't it? It is actually a program written in the esoteric programming language Brainfuck. I look up an online Brainfuck interpreter and paste the program into it.

Output of the BF program

Okay. Credentials are generally written as a username and a password separated by a colon, and this output looks exactly like that (ud64 – 1M!#64@ud). But where do I use them? Remember the SSH server from earlier? This might be a login for the machine, so I try to log in over SSH.

Escalating to a shell

SSH shell in the target

Sweet. Now we have a shell, but we immediately notice that this is not 'bash', the usual shell, but 'rbash', a restricted version of it. Administrators hand out restricted shells to users who need shell access but should only run the few commands essential to their task. Now we need to find out which commands are available to us.

Information gathering on a restricted shell

I use 'echo *' as a workaround for 'ls', since 'ls' is restricted. I examine the PATH environment variable, which determines where the shell looks for the commands I can execute. It points to a folder called 'prog' in my home directory, which contains the programs I am allowed to run. I again use 'echo' to list the contents of 'prog' and find that I can run the 'vi' editor.

Determining available commands

'vi' has a feature that lets you execute arbitrary shell commands, so it may help us break out of the restricted shell and get a full shell. The key sequence to execute a command in 'vi' is :!/bin/bash (colon, exclamation mark, followed by the command you want to execute).

Getting an unrestricted shell

Cool! Now we have an unrestricted shell. The next step is to elevate our privileges to root, and then it's game over!

Note: After breaking out of a restricted shell, set the PATH variable as I did above so that you can access all the commands instead of the limited subset.

Privilege Escalation

Okay, the first and most obvious thing to do is to find out which commands I can run as root.

Checking privileged commands

Okay, we can run some command named 'sysud64' as root. What is this?

When I tried the help option for this command, the help message revealed that it is actually 'strace'. 'strace' is a debugging tool: it runs a program and records every system call the program makes to the kernel, printing verbose details about each one as it happens. I decide to make 'strace' run the bash shell as root. It immediately spews an avalanche of text onto my screen, but I'm sure that I already have a root shell!

Running strace on bash as root

Although I have already compromised the machine, the strace output is really annoying, so I create a backdoor command that gives me a root shell whenever I run it. To do this, I copy the 'sh' shell to '/tmp' and set the SUID bit on the copy. The SUID bit tells the operating system to run the program with the privileges of the file's owner (root here, since the copy was made as root), regardless of who executes it.

Escalating privileges to root
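From the defender's side, the setuid-root shell left in /tmp is exactly the kind of artifact a post-compromise check should catch. The following audit script is an added example (not the author's code) that shows how the SUID bit lives in a file's mode bits and flags setuid-root files in directories where none should exist. The directory list and the sample records are constructed for this example; the paths under /home are assumptions, not values from the write-up.

```python
"""Flag setuid-root files in temporary or user-writable locations (added example)."""
import os
import stat
from collections import namedtuple

FileRecord = namedtuple("FileRecord", "path mode uid")

# Directories where a setuid-root binary is almost never legitimate
# (assumption for this example; adjust to the host's layout).
SUSPICIOUS_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def is_setuid_root(rec):
    """True for a regular file owned by uid 0 whose setuid bit (04000) is set."""
    return stat.S_ISREG(rec.mode) and rec.uid == 0 and bool(rec.mode & stat.S_ISUID)


def _under(path, directory):
    """Path-aware prefix test, so '/tmpfoo' is not treated as inside '/tmp'."""
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def find_suspicious_setuid(records):
    """Return the records that are setuid-root and live under a suspicious dir."""
    return [
        rec for rec in records
        if is_setuid_root(rec) and any(_under(rec.path, d) for d in SUSPICIOUS_DIRS)
    ]


def scan_paths(roots):
    """Walk real directories and build FileRecords; lstat avoids following symlinks."""
    records = []
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue            # vanished or unreadable; skip rather than crash
                records.append(FileRecord(p, st.st_mode, st.st_uid))
    return records


# Constructed sample listing: mode = file-type bits | permission bits.
SAMPLE_RECORDS = [
    FileRecord("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),     # legitimate setuid root
    FileRecord("/tmp/sh", stat.S_IFREG | 0o4755, 0),              # the backdoor pattern above
    FileRecord("/tmp/notes.txt", stat.S_IFREG | 0o644, 1000),     # ordinary user file
    FileRecord("/home/ud64/prog/vi", stat.S_IFREG | 0o755, 0),    # root-owned, not setuid
    FileRecord("/tmp/sh", stat.S_IFLNK | 0o777, 0),               # symlink: not a regular file
]

if __name__ == "__main__":
    # On a live host: find_suspicious_setuid(scan_paths(SUSPICIOUS_DIRS))
    for rec in find_suspicious_setuid(SAMPLE_RECORDS):
        print(f"ALERT setuid-root file outside system dirs: {rec.path} mode={oct(rec.mode)}")
```

On a live host, call find_suspicious_setuid(scan_paths(SUSPICIOUS_DIRS)); the ownership check matters because a setuid file owned by an ordinary user only grants that user's privileges, and mounting temporary filesystems with nosuid makes the bit ineffective there in the first place.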

Capturing the flag

The flag is at /root/flag.txt

The ‘flag’

Conclusion

This was an easy VM but was real fun to play with. Shoutout to Ajay Verma (https://ud64.com/) for making this VM!
