boot2root vm walkthrough
netdiscover finds the VM IP: 192.168.56.104; kali IP: 192.168.56.103
nmap shows which TCP ports are open
browsing the website leads us to an LFI candidate
LFI was successful. SSH with cracked credentials from below was unsuccessful for me
dirb found the directory 'dbadmin' with the phpLiteAdmin 1.9.3 web app. The default password works
webapp users
Google for the web app gives us a PoC
PHP is crafted for injection
visit the db page; you should see a web log hit on your attacker machine
the PoC returns a low-level shell
interpreters and compilers available
os version
Google sends us to a candidate. The targets are slightly different from our kernel, but worth a shot for quick escalation
Upgrading the shell to a TTY allows successful exploitation. But this is not in the spirit of the VM, where enumeration is the more challenging way to find an escalation path
Compromise a password in the WordPress config
SSH as zico with compromised credentials gives a low-level shell
sudo -l (lowercase L) lists the sudo commands we can run
Searching the web shows how to run arbitrary code with tar
compile a malicious binary
sudo tar ftw
thanks to Rafael for the VM