As always we starts any boot2root challenge enumerating the ports opened.
After verifying that the FTP server doesn’t allow the ‘anonymous’ session, we starts with the gunicorn web server enumeration.
At first sight the web appears to be some kind of security monitor dashboard. There is a page where it is possible to download PCAP files, which are files with network traffic saved. These files can be opened with software such as Wireshark to analyze these saved packets.
The downloaded file doesn’t have any interesting information, however we realized that the URL has a number, so it would be logic that there could be more files (maybe more interesting ones).
BINGO! The 0 page looks better and we were able to download a PCAP with more information.
We open the downloaded PCAP with wireshark and we found FTP traffic, which is transmitted insecure by default in clear text.
With these credentials we were able to access to the FTP, where we found the user flag (the ftp server is pointing to the user’s home).
Something you have to do when credentials are obtained in these type of challenges, is to try these creds in every service you discovered with authentication.
Therefore, we tried these FTP credentials also in the SSH and we got an interactive session with ‘nathan’.
In the privilege escalation phase, the machine’s name itself is the best hint you may wish. In linux-based systems there is a concept named capabilities which are used to extend the user permissions. You may think about this feature as the ACL in windows, they are a set of attributes the sysadmins can attribute to programs in order to give them capabilities such as:
- CAP_CHOWN: it allows to change the files ownership in both user and group.
- CAP_KILL: it allows a program to send signals to the O.S without permissions verification.
- CAP_SETUID: it allows to change the UID of a process once it is executed.
The privilege escalation, in this case, is performed through the abuse of this last capability. Let’s start by identifying this capability.
The actual capabilities allow the python3.8 program to modify the process UID. If you thinks about what is the UID of a program, it is indeed the ownership of a process, so one process running with UID = 0 will mean that this process will have ‘root’ permissions.
Using this capability you can escalate privilege by the modification, in runtime, of the UID to the 0 value, by this way you could ‘impersonate’ the root user and get his privileges. The code to be ran is as follows:
import os os.setuid(0) os.system('/bin/sh')