
BSides Vancouver Brief Walkthrough

This is a bare-bones walkthrough for the BSides Vancouver VM. I’ll post a very verbose version later, but this should give you a chance to work through the VM. There is a lot left for you to figure out, but sometimes breadcrumbs are a great way to learn.

Info needed to get started:

  • abatchy’s blog: https://www.abatchy.com/projects (creator of the VM and guidance slides)
  • Vulnhub link: https://www.vulnhub.com/entry/bsides-vancouver-2018-workshop,231/
  • Name: BSides Vancouver: 2018 (Workshop)
  • Release date: 21 Mar 2018
  • Goal: Boot2root
  • Requirements from abatchy:
    • Laptop capable of running 2 VMs and has a USB port
    • At least 20 GB free space
    • VirtualBox pre-installed
    • Kali VM
    • Some familiarity w/CLI
  • Setup from abatchy:
    • VirtualBox
    • Network: Host network manager – create and enable DHCP, host-only adapter (I set up my IP to match abatchy’s slides)
    • Target system is Linux

 

The bread crumbs to get root:

  • Get your IP using ifconfig – use the address found as [IP address] in the commands below
  • Scan the network using netdiscover -r [IP address].0/24
  • Scan machines on the network using nmap -A [IP address].0/24
  • Find target machine based on open ports
    • 21, 22, 80
  • Check out FTP site – get usernames
  • Check out IP address of target machine – it’s a valid webserver
  • Probe the server using nikto -h [Target IP] -p 21,22,80
  • Check out the stuff it found
  • Probe some more using dirb http://[Target IP]
  • Check out what it found – an old WordPress site and robots.txt
  • Go to or curl the robots.txt
  • Check out the WP site using wpscan -u [Target IP]/backup_wordpress/
    • Get a bunch of vulnerabilities, 2 users (admin, john)
  • Brute force WP password using WPScan or Metasploit
  • Can login and mess with stuff or just use Metasploit to get a reverse shell
  • Try to download passwd and shadow files – did this work?
  • Start looking for other vulnerabilities
    • Use Linux enum to look for vulnerabilities
    • Look for tasks with suid vulnerabilities; crontab is a good thing to look for
    • Figure out how to exploit the crontab file
      • Edit and change to #!/bin/sh?
      • Download and upload an msfvenom payload?
  • Alternatively, try to brute force the SSH connection using Hydra and the usernames found at the FTP site
    • Get that and use Metasploit to set up a reverse shell
  • Once in the reverse shell, you have to gather some info
    • sysinfo
    • getuid
    • Dig around in the directories
    • Check what level of user you are
    • If super user, just switch to root and search for flag
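
The crontab step above depends on a root-run cron job pointing at a file that a lower-privileged user can edit. Seen from the defender's side, that condition can be audited directly. The script below is an added example, not part of the original post or of abatchy's materials; the function names, the sample crontab and the temporary files are all constructed for illustration.

```python
import os
import re
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) for each job in /etc/crontab-style text."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue  # blank line, comment, or VAR=value assignment
        sched = 1 if line.startswith("@") else 5  # "@daily" vs "m h dom mon dow"
        fields = line.split(None, sched + 1)
        if len(fields) == sched + 2:
            yield fields[sched], fields[sched + 1]

def audit_root_jobs(crontab_text, trusted_uids=(0,)):
    """Map each file or directory a root job depends on to why it is unsafe."""
    findings = {}
    root_cmds = [c for u, c in parse_system_crontab(crontab_text) if u == "root"]
    for command in root_cmds:
        for path in (t for t in command.split() if t.startswith("/")):
            for target in (path, os.path.dirname(path)):
                try:
                    st = os.stat(target)
                except OSError:
                    continue  # target missing; its parent is still checked
                if not (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode)):
                    continue  # ignore devices such as /dev/null
                reasons = []
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    reasons.append("group/world-writable")
                if st.st_uid not in trusted_uids:
                    reasons.append("owner is not a trusted uid")
                if reasons:
                    findings[target] = reasons
    return findings

def demo():
    """Constructed sample: scripts in a private temp dir plus a sample crontab."""
    d = tempfile.mkdtemp()  # mode 0700, owned by the current user
    for name, mode in (("rotate.sh", 0o755), ("cleanup.sh", 0o777), ("report.sh", 0o777)):
        open(os.path.join(d, name), "w").close()
        os.chmod(os.path.join(d, name), mode)
    tab = (f"PATH=/usr/bin\n*/5 * * * * root {d}/cleanup.sh > /dev/null\n"
           f"@daily root sh {d}/rotate.sh\n17 * * * * www-data {d}/report.sh\n")
    return d, audit_root_jobs(tab, trusted_uids=(0, os.getuid()))

if __name__ == "__main__":
    print(demo()[1])
```

On a real host, pass the contents of /etc/crontab to audit_root_jobs() with the default trusted_uids; anything it reports should be owned by root and have group and world write permission removed.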

 

Author:

Lifelong paradox - cyber sec enthusiast - loves to learn
