Kuya: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

3 flags / root

Download

https://www.vulnhub.com/entry/kuya-1,283/

Walkthrough

nmap

default 80

default 80 sources…trolls

gobuster reveals some directories

wordpress is a wash

loot gives some images to investigate

steghide extract on the images gives some files, no password needed

secret.txt…troll

emb.txt…brainfuck

flag 1 is revealed

flag 1 base64 decoded

loot.pcapng reveals 7z file

export from pcap

7z file is password protected

let’s look at the contents, private key. nice

let’s brute force

using found password, it works

using the priv key, it seems it’s password protected

we brute force and find the password

with that we get a shell

flag 2 found

searching around, file date stands out in wordpress directory

wordpress config reveals db password

trying same password for kuya works

flag 3 revealed

checking .bash_history we find some special commands

after some googling, we verify what is found in .bash_history will work to read /etc/shadow
https://nxnjz.net/08/an-interesting-privilege-escalation-vector-getcap/

so many different tries for root after recovering files

turns out you just do the entire folder…root flag
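
The getcap vector referenced in the walkthrough, seen from the defender's side: an added example (not part of the original post) that filters `getcap -r /` output for file capabilities that bypass read-permission checks. The sample paths and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): flag binaries whose file
# capabilities bypass read-permission checks, from `getcap -r /` output.
# Both getcap output styles are handled:
#   /path = cap_name+ep      (older libcap)
#   /path cap_name=ep        (newer libcap)

# Constructed sample input; every path below is made up for illustration.
sample_getcap_output() {
  cat <<'EOF'
/usr/bin/ping cap_net_raw=ep
/usr/local/bin/archiver-example = cap_dac_read_search+ep
/opt/example/sync-agent cap_dac_override,cap_net_bind_service=eip
/opt/example/all-caps =ep
EOF
}

# Reads getcap lines on stdin, prints "path<TAB>reason" for risky entries.
flag_risky_caps() {
  awk '
    {
      line = $0
      sub(/[ \t]+$/, "", line)       # drop trailing whitespace
      sub(/ = /, " ", line)          # older "path = caps" becomes "path caps"
      n = split(line, f, " ")
      if (n < 2) next
      caps = f[n]                    # capability clause is the last field
      path = substr(line, 1, length(line) - length(caps) - 1)
      reason = ""
      if (caps ~ /^=[eip]+$/) {
        reason = "all capabilities granted"
      } else if (caps ~ /cap_dac_read_search/) {
        reason = "cap_dac_read_search: read any file, including /etc/shadow"
      } else if (caps ~ /cap_dac_override/) {
        reason = "cap_dac_override: bypass all file permission checks"
      }
      if (reason != "") printf "%s\t%s\n", path, reason
    }'
}

# Demo on the sample; on a real host run:
#   getcap -r / 2>/dev/null | flag_risky_caps
sample_getcap_output | flag_risky_caps
```

Anything flagged that does not need the capability can have it removed with `setcap -r <path>`.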

Written on February 23, 2019