Walkthrough for xerxes: 1


You’re probably here because you want to know about the awesome boot2root xerxes:1, correct? This was a vulnhub challenge created by @barrebas, and was excellent! So let’s get started. I found the VM sitting on 192.168.56.102 – a quick nmap scan provided a list of available services:

[Screenshot 2]

Next on the list was a close look at the web service via a browser, which leads us to the default Apache web page. Running DirBuster, we find a directory called dev which contains a file upload form:

[Screenshot 3]


We need a password before we can attempt to attack the file upload function. Clicking "forgot password?" gives us a QR code:

[Screenshot 4]


This decodes to a base64 string, which decodes to ASCII text:

[Screenshot 5]

Taking another look at the QR image, we can see there are abnormal pixels in the top left-hand corner:

[Screenshot 6]


Removing all layers but the alpha layer and using the colour dropper revealed the alpha value of each pixel. Here are the first 5:

75, 121, 116, 115, 77 … now you try 🙂

Converting the values to ASCII, we get another base64 string which decodes to something…

[Screenshot 7]

I got stuck here for a while. Then a mate of mine told me: “It’s actually source code.”

Searching Google led me to Brainfuck, an esoteric programming language. Decompiling the code provided the password: 45100
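The decoding chain above (alpha values → ASCII → base64 → Brainfuck) is worth having as code, both to see why the pixel values read as text and to check the Brainfuck result without a third-party site. The following is an added example, not code from the walkthrough or the VM: the interpreter is a standard Brainfuck implementation, the five alpha values are the ones quoted above, and the complete payload is a constructed sample program (the real one lives in the screenshot) encoded the same way.

```python
import base64

# The five alpha values quoted in the walkthrough; each is simply an ASCII code.
PAGE_FIRST_FIVE = [75, 121, 116, 115, 77]

# Constructed sample payload: a short Brainfuck program that prints "OK".
# Cell 0 counts 8 loops, each adding 10 to cell 1 -> 80, then 79 'O' and 75 'K'.
SAMPLE_PROGRAM = "++++++++[>++++++++++<-]>-.----."
# The VM hid base64 text in alpha values; we build the same layering here.
SAMPLE_ALPHA = list(base64.b64encode(SAMPLE_PROGRAM.encode("ascii")))


def alpha_to_text(alpha_values):
    """Treat each alpha value (0-255) as one ASCII byte."""
    return bytes(alpha_values).decode("ascii")


def run_brainfuck(program, input_bytes=b""):
    """Minimal Brainfuck interpreter: 30000 wrapping 8-bit cells, output as str.
    Characters other than the eight commands are ignored, so stray whitespace
    from a base64 decode does no harm."""
    tape = [0] * 30000
    ptr = 0
    out = []
    inp = list(input_bytes)

    # Pre-compute matching brackets so loop jumps are O(1) and mismatches fail early.
    jumps, stack = {}, []
    for i, c in enumerate(program):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    pc = 0
    while pc < len(program):
        c = program[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]          # skip the loop body
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]          # back to the matching '['
        pc += 1
    return "".join(out)


def decode_alpha_payload(alpha_values):
    """Full chain: alpha values -> ASCII base64 text -> Brainfuck source -> output."""
    b64_text = alpha_to_text(alpha_values)
    program = base64.b64decode(b64_text).decode("ascii")
    return run_brainfuck(program)


if __name__ == "__main__":
    print(alpha_to_text(PAGE_FIRST_FIVE))       # first five alpha values as text
    print(decode_alpha_payload(SAMPLE_ALPHA))   # constructed sample -> "OK"
```

With the real image you would feed the full alpha column into `decode_alpha_payload` instead of `SAMPLE_ALPHA`; the base64 decode will fail loudly if a pixel was misread, which is a useful sanity check before blaming the interpreter.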

Next step was to bypass the file upload restriction. I chose to use the extension .pht, which worked a treat:

[Screenshot 8]

With a proper shell on the box, searching for a privesc vector can begin. Starting with any SUID binaries:

[Screenshot 9]
The binary /opt/notes stands out here. Running the bin shows us that it’s a little to-do list program for taking notes:

[Screenshot 10]
Working through the functions of the program, the next step becomes clear:

[Screenshot 12]

Searching for information on pickle.py alerts us to an issue with the way that Pickle serialises/deserialises. One can manually create pickled data with whatever content they want, and pickle.py will execute it in the context of the current user. So we can use that to execute code of our choice:

[Screenshot 13]
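The pickle issue described above comes down to one fact: a pickle stream can name any importable callable, and `pickle.loads()` will call it while rebuilding the object. The following is an added example, not code from the walkthrough or the /opt/notes binary: it shows the mechanism with a harmless callable (`str.upper`) and then the allow-list unpickler pattern from the Python documentation that a notes program like this one should have used.

```python
import io
import pickle


class ReducerDemo:
    """Constructed demo object. __reduce__ tells pickle how to rebuild it:
    'call this callable with these arguments'. The callable is stored in the
    stream by module and name, so a hand-made stream can point it anywhere."""

    def __reduce__(self):
        # Harmless stand-in for what an attacker would put here.
        return (str.upper, ("callable invoked during loads",))


def build_payload():
    """Serialise the demo object; the bytes reference builtins.getattr/str, not our class."""
    return pickle.dumps(ReducerDemo())


def unsafe_load(payload):
    """Plain pickle.loads(): honours whatever callable the data names."""
    return pickle.loads(payload)


# Only these globals may be resolved while loading. Anything a to-do list
# legitimately needs (plain containers, strings) is here; callables are not.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "tuple"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global outside the allow-list (pattern from the
    'Restricting Globals' section of the pickle docs)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_load(payload):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


def is_rejected(payload):
    """True if the restricted loader refuses the stream."""
    try:
        safe_load(payload)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_payload()
    print(unsafe_load(payload))              # the callable ran: upper-cased text
    print(is_rejected(payload))              # True: restricted loader refused it
    print(safe_load(pickle.dumps({"todo": ["buy milk"]})))  # ordinary data still loads
```

Note that the restricted loader is a mitigation for data you must accept as pickle; the cleaner fix for a SUID notes program is to store notes in a format with no code path at all (JSON, plain text) and to not be SUID in the first place.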
Now running as curtiz (via groups), we can see that he has another user’s private key:

[Screenshot 13]
SSH’ing with Marie’s key (her username is identified by reading curtiz’s .bash_history), we are prompted for an additional password:

[Screenshot 14]
Some more enumeration identifies that delacroix has her own shell configured:

[Screenshot 15]

Running strings on the shell binary reveals a hash, but at the time I couldn’t crack it. Instead, I overflowed the function with 78 chars:

[Screenshot 16]
Great! Now we are delacroix 🙂 This user is listed as having limited sudo access, but we don’t have her account password:

[Screenshot 17]
In her home directory, we see two scripts:

[Screenshot 18]

The check.sh script was responsible for the customised greeting message when logging in, and also checks the number of seconds since the file /home/delacroix/.last was created. If it’s older than 24hrs, it prompts the user to generate a new one.

The generate.sh script creates a new .last file and uses the HH:MM timestamp of that file to generate a unique MD5. Looking at Marie’s .bash_history, we can see what she did previously:

[Screenshot 19]
Using this information, we can now extract the relevant part of generate.sh and compute the MD5 it would have provided Marie back when she last ran the script:

[Screenshot 20]
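The reason this step works at all is the size of the input space: a password derived from an HH:MM timestamp can only ever take 1440 values, so once .bash_history gives away the time, recomputing the digest is immediate, and even without it every candidate can be checked. The following is an added example, not the VM's generate.sh (which is only shown as a screenshot): it assumes the script hashes the bare "HH:MM" string with MD5 and uses the hex digest as the password, and contrasts that with a derivation whose value does not depend on something the environment leaks.

```python
import hashlib
import secrets

# Assumption: generate.sh feeds the HH:MM modification time of .last, as a
# five-character string such as "13:37", straight into md5sum.
def password_for(hhmm):
    """Reproduce the assumed derivation for one timestamp."""
    return hashlib.md5(hhmm.encode("ascii")).hexdigest()


def all_candidates():
    """Every password the scheme can ever produce, keyed by timestamp."""
    return {
        f"{h:02d}:{m:02d}": password_for(f"{h:02d}:{m:02d}")
        for h in range(24)
        for m in range(60)
    }


def keyspace_size():
    """24 hours x 60 minutes: the whole space a defender should worry about."""
    return len(all_candidates())


def timestamp_for(digest):
    """Which HH:MM produced this digest, if any. Demonstrates that the digest
    hides nothing: with 1440 candidates the question answers itself."""
    for hhmm, candidate in all_candidates().items():
        if candidate == digest:
            return hhmm
    return None


def strong_password(nbytes=16):
    """What generate.sh should have done instead: draw the secret from the
    OS CSPRNG rather than deriving it from a timestamp anyone can infer."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print(keyspace_size())                           # 1440
    print(password_for("13:37"))                     # the digest for a constructed time
    print(timestamp_for(password_for("13:37")))      # "13:37"
    print(strong_password())                         # unrelated to any clock
```

The same reasoning applies to any secret derived from a low-entropy, observable value (timestamps, PIDs, hostnames): the hash function is irrelevant, because the attacker enumerates the inputs, not the outputs.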

So we can now try to sudo bash with this password:

[Screenshot 21]

…yeah! Time to claim the flag:

[Screenshot 22]


Wonderful 🙂 This was my first ever boot2root and a great deal of fun!

Massive shoutouts to barrebas for putting in the time and building a super fun and challenging boot2root, TheColonial for reading lines of IRC drivel as I slowly put the pieces of this challenge together, and VulnHub for hosting valuable educational boot2root challenges. Hope this was helpful in some way. Hit me up on twitter if you have any questions.

sw1tch