RootThis: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/rootthis-1,272/

Walkthrough

nmap

default page on port 80

dirb, we find a backup file and drupal

backup file downloaded, it’s a zip file and password protected
throw it at zip2john for a hash to crack

we find the password and unzip the sql file

quick cat on the file reveals two usernames at the end of the file

search for webman in the file reveals a hash

throwing it at john we find a password

switching to drupal

login works

knowing drupal we need to enable php filter first

next create a basic page with our revshell code

ensure we change format to php

after setting up our listener and visiting the page, we have a reverse shell

quick search there is a user ‘user’ with a message in the home dir

searching around we’re stuck, nothing works. no tty, python, ssh, and no way to elevate

after some googles i came across socat from this post https://gtfobins.github.io/gtfobins/socat/

download socat to box using wget and make it executable

set up our socat listener on the attacking machine

send our socat payload

and we connect as www-data, but we can su!

back to the message where it states root password is within the first 300 of rockyou
we put those to a file and…honestly i started from the bottom focusing on any with numbers

and…second guess worked :) root
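
For the defending side, the last two steps (www-data running su and guessing the root password) leave a clear trail in the auth log. The script below is an added example, not part of the original walkthrough: it flags su use by service accounts, assuming the shadow-utils su message format in /var/log/auth.log; the log lines, account list and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Accounts that run network services and should never need su (assumed list).
SERVICE_ACCOUNTS = {"www-data", "nobody", "daemon"}

# Assumed format: shadow-utils su messages as written to /var/log/auth.log.
SU_EVENT = re.compile(
    r"su(?:\[\d+\])?: (?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<caller>\S+)"
)

# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = """\
Feb 27 10:01:12 web su[2101]: FAILED su for root by www-data
Feb 27 10:01:40 web su[2107]: Successful su for root by www-data
Feb 27 10:05:03 web su[2150]: Successful su for root by admin
Feb 27 10:06:11 web sshd[2160]: Accepted password for admin from 192.0.2.10 port 50222 ssh2
Feb 27 10:09:45 web su[2201]: FAILED su for root by nobody
"""


def find_service_account_su(log_text, service_accounts=SERVICE_ACCOUNTS):
    """Return one alert per (caller, target) pair where a service account ran su."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded": False})
    for line in log_text.splitlines():
        m = SU_EVENT.search(line)
        if not m or m["caller"] not in service_accounts:
            continue  # not an su event, or an interactive user we do not flag
        entry = stats[(m["caller"], m["target"])]
        if m["result"] == "FAILED":
            entry["failed"] += 1
        else:
            entry["succeeded"] = True
    alerts = []
    for (caller, target), entry in sorted(stats.items()):
        # Any success means a service account now holds a shell as the target user.
        severity = "critical" if entry["succeeded"] else "warning"
        alerts.append({"caller": caller, "target": target, "severity": severity, **entry})
    return alerts


if __name__ == "__main__":
    for alert in find_service_account_su(SAMPLE_LOG):
        print(alert)
```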

Written on February 27, 2019