Silky-CTF: 0x01

[ vulnhub  boot2root  walkthrough  ]

Goal

root

Download

https://www.vulnhub.com/entry/silky-ctf-0x01,306/

Walkthrough

nmap
alt text

default 80, gives administrator’s username ‘silky’
alt text

robots reveals notes.txt
alt text

notes is in german

alt text

translation reveals there is a password listed with the last two characters missing
alt text

checking burp there is a script.js file called that reveals the partial password
alt text

build a password list using crunch. too lazy to figure out better method so i manually append all the combinations to a single file. this is a snippet of commands run
alt text

hydra reveals password
alt text

ssh and we’re in
alt text

bash history reveals some interesting info
alt text

sky suid file looks like the right way for priv esc
alt text

checking translation , it’s nothing special. what’s the root part though?
alt text

strings reveals the program calls whoami
alt text

bash history also had a line for PATH. using that we can create a symbolic link and get root
alt text

root flag
alt text

Written on May 21, 2019
Share on: