Hello friends! Today we are going to take another CTF challenge known as C0m80. The credit for making this VM goes to “3mrgnc3”, and it is another boot2root challenge in which our goal is to get root to complete the challenge. You can download this VM here.
Let us start by finding the IP of the VM (here I have it at 192.168.1.127, but you will have to find your own).
Use nmap for port enumeration
nmap -A -p- 192.168.1.127
We find that ports 80, 111, 139, 445, 2049, 20021, 37196, 40325, 41605, 49418 and 58563 are open. As port 80 is running HTTP, we open the IP address in our browser.
We don’t find anything on the web page, so we use dirb to enumerate the directories.
We find a link to a login page running Mantis bug tracker. This version is vulnerable, and the vulnerability lets us reset the passwords of users. You can read how to exploit this vulnerability here.
Now we exploit this vulnerability to change the users’ passwords.
We can change the password of every user present simply by changing the id. After changing all the passwords, we find that alice (id=4) is the only account with administrative privileges.
Going through the mails, we find a page that contains a link to a backup file.
We download the backup file using wget so that we can examine it more closely.
After downloading the backup file we find that it is a hexdump; we use the program here to convert it back to binary format.
Then we use binwalk to check for embedded files and binaries, and find that there are two binaries.
We use dd to carve the two files out as an exe and a dll, so that we can run the program.
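The three steps above (hexdump back to bytes, binwalk-style signature scan, dd-style carving) as one added example for analysing such a backup offline; this is my own code, not the converter linked in the post, and it assumes the dump is in xxd format while the embedded sample is constructed, not the CTF's real backup file.

```python
import re

# One xxd-style line: "<offset>: <hex groups>  <ascii column>" (two spaces end the hex).
XXD_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s*((?:[0-9A-Fa-f]{2}\s?)+)")

def hexdump_to_bytes(dump):
    """Rebuild the bytes an xxd-style hexdump describes. Each line's stated offset
    must continue the previous one, so a truncated or reordered dump raises."""
    out = bytearray()
    for line in filter(str.strip, dump.splitlines()):
        m = XXD_LINE.match(line)
        if not m:
            raise ValueError("not a hexdump line: %r" % line)
        if int(m.group(1), 16) != len(out):
            raise ValueError("offset gap before line: %r" % line)
        out += bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    return bytes(out)

def find_pe_headers(blob):
    """Offsets of plausible PE images (what binwalk's signature scan reports): an
    'MZ' stub whose e_lfanew field (at +0x3c) points at a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        e_lfanew = int.from_bytes(blob[pos + 0x3C:pos + 0x40], "little")
        if blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
            hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits

def carve(blob, offsets):
    """Split blob at each PE start: the dd step, with offsets taken from the scan."""
    bounds = list(offsets) + [len(blob)]
    return [blob[a:b] for a, b in zip(bounds, bounds[1:])]

# Constructed sample (not the CTF's real backup): two minimal back-to-back PE stubs.
SAMPLE_DUMP = """\
00000000: 4d5a 0000 0000 0000 0000 0000 0000 0000  MZ..............
00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000030: 0000 0000 0000 0000 0000 0000 4000 0000  ............@...
00000040: 5045 0000 4d5a 0000 0000 0000 0000 0000  PE..MZ..........
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000080: 4000 0000 5045 0000                      @...PE..
"""

if __name__ == "__main__":
    blob = hexdump_to_bytes(SAMPLE_DUMP)
    print([len(p) for p in carve(blob, find_pe_headers(blob))])  # [68, 68]
```

Note that a bare "MZ" in the ASCII column (as on the first dump line) is never parsed, and an "MZ" in the data only counts when its e_lfanew really lands on a PE signature.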
Now we run the program and find that it is an FTP server.
We use netstat to check for open ports and find that port 20021 has opened for listening on our system.
We use netcat to connect to it and confirm that it is indeed an FTP server application.
nc localhost 20021
We now reverse engineer the exe file using OllyDbg for more information, and find that when it reads http: it opens the link in the browser.