Vulnhub BSides Vancouver: 2018 Walkthrough

by Vince

I periodically hit up Vulnhub for some machines to beat on. BSides Vancouver: 2018 (Workshop) is the most recent addition; its description states: "Boot2root challenges aim to create a safe environment where you can perform real-world penetration testing on an (intentionally) vulnerable target."

It was designed for VirtualBox, but it was easily imported into XenServer. Once I got it running, I started my enumeration.


Nmap shows three open ports:





I check whether anonymous FTP is open; it is, though I'm unable to write. As I traverse into /public, I see a file and I download it.







The file contains a list of users -- I will store these away for later use.







I attempt to SSH into the box to see the response -- does not look viable.








I take a look at what's running on port 80.





A quick check to see if there's anything listed in robots.txt and I find something interesting.




I attempt to access the directory and I find a WordPress site.







I run wpscan to see what I can uncover.







Two users are found and wpscan cracks one of the passwords.








Using john's account, I log in to WordPress.







I head straight for plugins upload and I upload Pentest Monkey's reverse shell.







I receive an error when I attempt to upload but I've seen this a bunch of times and I don't lose faith because I know....







... when I look in the Media Library, I see my shell.







Getting the correct path to my shell.








Set up Metasploit to catch my shell.








Hit my shell from a browser.
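
From the defender's side, the sequence above (a plugin upload, then a browser request for a PHP file under the uploads directory) is visible in the web server's access log. The following is an added example, not part of the original walkthrough: it scans Combined Log Format lines for script requests under `wp-content/uploads` and notes whether the same client used the plugin-upload endpoint first. The log lines, IP addresses, `/blog/` prefix and file names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A script extension anywhere under uploads/, including "x.php/extra" (PATH_INFO).
SCRIPT_RE = re.compile(
    r'/wp-content/uploads/(?:[^/]+/)*[^/]+\.(?:php\d?|phtml|phar)(?:/|$)', re.I)

def find_upload_script_requests(lines):
    """Return requests for script files under wp-content/uploads.

    Each finding records whether the same client earlier POSTed to the
    plugin-upload endpoint, which is how the file in this walkthrough arrived.
    """
    uploaders, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        path = unquote(parts.path)  # decode %2E and similar before matching
        if (m["method"] == "POST" and path.endswith("/wp-admin/update.php")
                and "action=upload-plugin" in parts.query):
            uploaders.add(m["ip"])
        elif SCRIPT_RE.search(path):
            findings.append({"ip": m["ip"], "time": m["ts"], "path": path,
                             "status": int(m["status"]),
                             "after_plugin_upload": m["ip"] in uploaders})
    return findings

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [10/Mar/2018:10:01:02 +0000] "POST /blog/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2018:10:02:40 +0000] "GET /blog/wp-content/uploads/2018/03/upload-test.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2018:10:03:11 +0000] "GET /blog/wp-content/uploads/2018/03/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2018:10:04:55 +0000] "GET /blog/wp-content/uploads/2018/03/a%2Ephtml/x HTTP/1.1" 404 210 "-" "curl/7.58.0"',
    'this line is not in Combined Log Format',
]

if __name__ == "__main__":
    for finding in find_upload_script_requests(SAMPLE):
        print(finding)
```

Any hit is worth triage, since a stock WordPress uploads directory has no reason to serve PHP; disabling script execution for that directory in the web server configuration removes the path entirely.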








Payday!  Run a couple of commands to get things pretty.








Let's see what we're dealing with.  I'm going straight to dirtycow.








Just prior to executing dirtycow, I set up another session because I know I don't have much time before the system crashes. I have su firefart already typed out and I have the unstable fix already copied and ready to paste.







Time for the root dance.



I think this was meant to be easy for the workshop, but easy is relative. There have been plenty of easy boxes that have kicked my butt.

Thanks to Abatchy for setting this up. The box was easy to set up and fun while it lasted. :)