Recently I just published my first boot2root VM out on vulnhub.
This was the first boot2root that I created and, quite frankly, I had a blast creating it. I learned a lot from creating this VM. To be honest, creating something vulnerable and having it be 'solvable' takes a lot of time, trial and error, and testing in order for it to be successful. Now, was this successful? It is yet to be seen, but within 12 hours of publishing the VM, someone on Twitter took a screen cap of the root flag. I'd like to think it was successful :)
Now, I'm waiting to publish a walkthrough (at least how I envisioned this walkthrough) until more people have had a chance to attempt it.
But here is a sneak peek at how I envisioned this boot2root being solved:
I made this VM with a static IP address (192.168.9.184)
We first run nmap against this IP and discover 3 open ports:
We first go to port 80 and are presented with the following red herring:
This page is nothing more than a SecKC image.
Let's look at port 8888:
Oh wow. Lots of information here. Let's check out the whole page:
SecKC
Kansas City's Hacker Hive
Kansas City! The city of fountains! Did you know the Chiefs won SUPER BOWL LIV?! Oh, and the Royals won THE WORLD SERIES in 2015?! Oh man, that's a lot of awesome. But did you know that Kansas City has the largest Monthly InfoSec meet-up? That's right! SecKC hosts the largest monthly meet-up EVERY. MONTH.
root@kali:/rapid7/metasploit-framework:master$ MSFLOGO="data/logos/haKCers.txt" ./msfconsole
`:oDFo:`
./ymM0dayMmy/.
-+dHJ5aGFyZGVyIQ==+-
`:sm⏣~~Destroy.No.Data~~s:`
-+h2~~Maintain.No.Persistence~~h+-
`:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`
./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.
-++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+-
-~/.ssh/id_rsa.Des- `htN01UserWroteMe!-
:dopeAW.No.nano.o :is:TЯiKC.sudo-.A:
:we're.all.alike'` The.PFYroy.No.D7:
:PLACEDRINKHERE!: yxp_cmdshell.Ab0:
:msf:exploit -j. :Ns.BOB.ALICEes7:
:---srwxrwx:-.` `MS146.52.No.Per:
:.script..Ac816/ sENbove3101.404:
:NT_AUTHORITY.Do `T:/shSYSTEM-.N:
:09.14.2011.raid /STFU|wall.No.Pr:
:hvensntSurb025N. dNVRGOING2GIVUUP:
:#OUTHOUSE- -s: /corykennedyData:
:$nmap -oS SSo.6178306Ence:
:Awsm.da: /shMTl#beats3o.No.:
:Ring0: `dDestRoyREXKC3ta/M:
:23d: sSETEC.ASTRONOMYist:
/- /yo- .ence.N:(){ :|: };:
`:Shall.We.Play.A.Game?tron/
```-ooy.if1ghtf0r+ehUser5`
..th3.H1V3.U2Vgeoda.jMh+.`
`MjM~~WE.ARE.se~~MMjMs
+~KANSAS.CITY's~-`
J~HAKCERS~./.`
.esc:wq!:`
+++ATH`
`
=[ metasploit v5.0.61-dev-618a7c9771 ]
+ -- --=[ 1947 exploits - 1089 auxiliary - 333 post ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 >
Destroy No Data
Maintain No Persistence
Above Else, Do No Harm
Bob
Bob
Bob and Alice
Alice
Alice
Random Name
Swag
Represent SecKC with swag!
CONTACT
seckc.org
Kansas City, USA
Email: info@seckc.org
Powered by HAKCERs
Lots of great information on SecKC and Kansas City! Let's run dirb to see if we can reach any other pages:
Hmm. Nothing. Let's run CeWL to build a wordlist from this page to see if there are any directories we aren't seeing because of the "common.txt" wordlist we've been using:
Alright, let's try dirb again, this time with our new wordlist:
Sweet! We found a new directory, "/SecKCTheWorld/". Let's check it out.
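To show why the second dirb run succeeds where the first one failed, here is an added example (not code from the post, and not CeWL or dirb themselves) that reimplements the two steps in a few lines of Python: harvest the words that appear on the target page the way CeWL does, then request each word as a directory the way dirb does. The HTML page, the stand-in "server" (fake_fetch), the small sample of common.txt entries and the function names are all constructed for this example; only the target address 192.168.9.184:8888 and the directory /SecKCTheWorld/ come from the post.

```python
"""Why a site-specific wordlist finds what common.txt misses.

Added example, not code from the original post. Step 1 harvests the words
visible on the target page (what CeWL does); step 2 requests each word as a
directory and keeps the ones that do not come back 404 (what dirb does).
The HTML and the fake server below are constructed so the example runs
offline; they are not the VM's real page or directory layout.
"""
import re
from html.parser import HTMLParser
from typing import Callable, Dict, Iterable, List


class _TextExtractor(HTMLParser):
    """Collect visible text only; tags, <script> and <style> bodies are dropped."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def cewl_like_wordlist(html: str, min_len: int = 3) -> List[str]:
    """Unique words from the page's visible text, in first-seen order.

    Keeps case and drops words shorter than three characters, which matches
    CeWL's default minimum word length (-m 3).
    """
    parser = _TextExtractor()
    parser.feed(html)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z0-9_]+", " ".join(parser.chunks)):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def dirb_like_probe(fetch: Callable[[str], int], base: str,
                    words: Iterable[str]) -> List[str]:
    """Request base/<word>/ for every word; return the URLs that are not 404.

    `fetch` maps a URL to an HTTP status code, so the same function works
    against a live target (wrap urllib or requests) or the offline stub below.
    """
    hits = []
    for word in words:
        url = f"{base.rstrip('/')}/{word}/"
        if fetch(url) != 404:
            hits.append(url)
    return hits


# --- constructed data so the example runs offline --------------------------

# Constructed stand-in for the port-8888 page (not the VM's real HTML); the
# hidden directory name is placed in visible text here for illustration.
SAMPLE_HTML = """<html><head><title>SecKC - Kansas City's Hacker Hive</title></head>
<body><h1>SecKC</h1>
<p>Kansas City! The city of fountains! SecKC hosts the largest monthly
meet-up EVERY. MONTH. Join us and SecKCTheWorld!</p>
<script>var x = 'NotAWord';</script>
<p>Powered by HAKCERs</p></body></html>"""

# Hypothetical directory layout standing in for the VM: only the root and
# /SecKCTheWorld/ exist; everything else answers 404.
_FAKE_SITE: Dict[str, int] = {
    "http://192.168.9.184:8888/": 200,
    "http://192.168.9.184:8888/SecKCTheWorld/": 200,
}


def fake_fetch(url: str) -> int:
    """Offline replacement for an HTTP GET; returns a status code."""
    return _FAKE_SITE.get(url, 404)


# A handful of entries in the spirit of dirb's common.txt; the real list has
# thousands of generic names and no site-specific ones.
COMMON_SAMPLE = ["admin", "images", "index", "login", "cgi-bin", "backup"]


def run_demo(base: str = "http://192.168.9.184:8888"):
    """Return (hits from the generic list, hits from the page-derived list)."""
    common_hits = dirb_like_probe(fake_fetch, base, COMMON_SAMPLE)
    page_hits = dirb_like_probe(fake_fetch, base, cewl_like_wordlist(SAMPLE_HTML))
    return common_hits, page_hits


if __name__ == "__main__":
    common, page = run_demo()
    print("common.txt sample found:", common)
    print("page wordlist found:    ", page)
```

Against a live target, swap fake_fetch for a function that issues the GET and returns the status code; the point that survives the swap is that a generic list cannot contain a name like SecKCTheWorld, while a list harvested from the site's own text does.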